Earlier this week it was discovered that many Lenovo PCs released between September 2014 and January 2015 shipped with an adware application called Superfish.
This application, while annoying, was almost harmless on its own, except for one big problem: it installed a root certificate authority on the computer allowing the software to man-in-the-middle secure traffic to sites like your bank or Facebook.
Why exactly the company would need to do that was perplexing, but we finally got the answer straight from the company behind Superfish. It wanted to show you its visual search ads on any website.
The Next Web spoke indirectly to Superfish CEO, Adi Pinhas via a communications person through email. Pinhas explained that it intentionally installed the root certificate authority to “enable a search from any site.” Basically, Superfish undermined SSL to show you ads.
It likely it did this because Google enabled SSL by default last year, meaning the company wouldn’t otherwise be able to show its ads within Google search results.
When asked if the software itself installs the certificate, Pinhas dodged the question, saying that it “has an opt-in screen” and was “not installed without the users opting in.”
What’s alarming is that neither Pinhas or Superfish the company seems to realize what their actions meant to the security of end-user’s computers. Pinhas told TNW, “what happened yesterday is that the certificate potential threat was discovered.” It’s hard to imagine the company that created this root-level piece of software wasn’t aware of the security implications until it was recently discovered by users.
Just how widespread is Superfish? Pinhas says it’s being used by a whopping 40 million users right now, but didn’t break down if that was just Lenovo computers or included other bundling deals. We were also told by another source that the company has rarely received complaints about the software in the past.
Pinhas also said that Lenovo and Superfish were “excited about the partnership” and it “intended to provide users with an enhanced online shopping experience.”
Lenovo said to Recode today that it “did not appreciate the giant problem it was going to create” and admitted it “messed up.”
According to Pinhas, Superfish was founded in 2006 and spent four years of research developing its product comparison search API before it released the Visual Browser that we know today. Over the last year, the company has moved to a different phase, working on first-party mobile apps.
The technology behind Superfish itself is actually somewhat impressive — it develops algorithms that can recognize real-world objects based on an image — but it doesn’t matter how impressive the technology is when it leaves users vulnerable to attacks.
What’s unbelievable is that not only did the company create a huge security hole on user’s computers, it also thought this action was ok. Lenovo and Superfish have said that the software was to improve user’s lives, but there’s no excuse for undermining security’s fundamental point to sell ads no matter how much a company believes they will improve your life.