AP Photo/Andy Wong

If you bought a Lenovo laptop recently, you may want to check it soon

It could have software called Superfish, and it contains some major security flaws (but you can remove it).

IF YOU’VE BOUGHT a Lenovo device in recent times, then it may have come with adware known as Visual Discovery by Superfish, and it’s a major problem.

Effectively, Superfish is a software add-on which serves to bring up extra ads while you’re browsing a site, even if it’s a secure HTTPS site.

However, the flaws in its security would allow any hacker to carry out man-in-the-middle attacks, which let them intercept messages as well as alter them or insert their own. This means that private and secure information like passwords, financial details and personal information could be intercepted.

Superfish wasn’t intended as malware. Lenovo has said it was designed to show targeted ads by analyzing images of products that a user might see on the web and then presenting “identical and similar product offers that may have lower prices.” Lenovo said the software doesn’t track users or collect any identifying information.

But some users initially complained the software shows unwanted “pop-up” ads. And this week, several independent experts reported that Superfish works by substituting its own security key for the encryption certificates that many websites use to protect users’ information. “This means that anyone affected by this adware cannot trust any secure connections they make,” researcher Marc Rogers wrote on his blog.

What’s worse, experts said, is that Superfish appears to re-use the same encryption certificate for every computer, which means a hacker who cracked the Superfish key could have broad access to a variety of online transactions.

Robert Graham, the CEO of Errata Security, discovered that it allowed him to intercept the encrypted communications of anyone using Superfish by being near them at a cafe WiFi hotspot.

In a statement, Lenovo said it stopped the preloads back in January and listed the models Superfish would have appeared on.

“We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.”

How to remove it

If you do own a Lenovo computer and want to remove Superfish, there are a few methods to use. The easiest way to check is to use a web service from password manager LastPass, which will tell you if your computer is safe or not.

If you do have it installed, the service then details exactly how you can uninstall both the programme and the certificates it uses. Even if your computer comes up as safe, it’s worth delving into Control Panel just to be on the safe side.

Once that’s done, it’s recommended that you change your passwords for any online services that you use. You could use a password manager like LastPass, or other services like 1Password or KeePass, to create more complex passwords.
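
For readers comfortable with PowerShell, the same check can be done by hand. The script below is an added example, not part of the original reporting or of any Lenovo or LastPass tool; it only reports and removes nothing, and it assumes that both the programme and its certificate identify themselves by the names used in this article ("Superfish", "Visual Discovery").

```powershell
# Added example: report any trace of Superfish on a Windows machine.
# Assumption: the programme and its root certificate carry the names used in
# the article ("Superfish" / "Visual Discovery"). Nothing is deleted here.

$programPattern = 'Superfish|Visual Discovery'
$certPattern    = 'Superfish'

# 1. Installed programmes: 64-bit, 32-bit and per-user uninstall entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $programPattern } |
    Select-Object DisplayName, Publisher, InstallDate

# 2. Trusted root certificates, machine-wide and for the current user.
#    The programme and the certificate are checked separately because the
#    article lists them as two separate things to remove.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$certs = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $certPattern -or $_.Issuer -match $certPattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter
}

if ($programs) {
    Write-Warning 'Superfish programme entry found:'
    $programs | Format-Table -AutoSize
} else {
    Write-Output 'No Superfish programme entry found.'
}

if ($certs) {
    Write-Warning 'Superfish certificate is still trusted on this machine:'
    $certs | Format-List
} else {
    Write-Output 'No Superfish certificate in the Windows root stores.'
}

# Firefox keeps its own certificate store, so check it separately in the
# browser's certificate settings; this script only covers the Windows stores.
```

A machine that shows no programme entry but still lists the certificate is not clean: the certificate is what lets secure connections be intercepted, so it has to be removed as well.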

(Additional reporting by AP)

23 Comments
    Martin Byrne
    Feb 20th 2015, 8:28 AM

    I’m never buying Lenovo again, nor is my company.

    48
    Niallers
    Feb 20th 2015, 8:35 AM

    I’ll never buy a Lenovo again. Total rubbish and poor quality compared to Dell. Dell laptops are way better build quality and last longer and don’t come loaded with malware like Lenovo do. Lenovo depends on this adware/malware to make the unit profitable.

    31
    Barry O'Brien
    Feb 20th 2015, 8:51 AM

    It’s a Chinese company. Shock, horror! It has malware preloaded!

    The IBM Thinkpads (and early Lenovo Thinkpads based on IBM’s) were fantastic. Now I wouldn’t touch one.

    37
    Fin Tastic
    Feb 20th 2015, 12:18 PM

    Well done there Barry on your top casual racism. We all know the Chinese were the first to load bloatware/spyware on PCs/laptops.

    13
    Jed I. Knight
    Feb 20th 2015, 1:03 PM

    The Lenovo laptops themselves are as good or bad as most other companies out there, there are better and worse, but for them to knowingly and intentionally sell laptops with this software which can steal web traffic using a man-in-the-middle attack is criminal.
    The Superfish software was present on their laptops until late last month, so far there’s no indication how far back this went, it used fake, self-signed, root certificates, they only removed it when users began complaining about it on forums. Lenovo said:
    “we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues”
    “As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”
    Statements like this do not inspire confidence, they have temporarily removed Superfish and have failed to satisfy the millions of customers who already have it installed, illegally. This fails to address why it was ever installed in the first place, what Lenovo got from the deal and if other malware is present on Lenovo computers.

    9
    Barry O'Brien
    Feb 20th 2015, 2:14 PM

    G’way with the racism crap. It’s a fact that Chinese companies have been shipping Android phones with pre-installed malware for a while now. Doesn’t mean they were first but it does mean I wouldn’t buy a Chinese company’s Android phone. Nothing personal against the Chinese but I don’t trust a company that’s owned by a repressive government who smother their citizens in propaganda and deny them access to any information outside a distorted reality that’s defined by an elite.

    Not to say I trust NSA/GCHQ/[enter other western intelligence agency] any bit either…

    4
    Francis Fakeman
    Feb 20th 2015, 8:37 AM

    Guys. Lenovo is possibly the cheapest shittiest Chinese brand of desktop hardware. You get what you pay for.

    42
    Jason Bourne
    Feb 20th 2015, 9:52 AM

    Consumer wise yes. Enterprise, they were decent until recently.

    20
    Weighing Scales
    Feb 20th 2015, 9:12 AM

    Poor old Lenovo, they’ve never been the same since IBM sold them. Used to be brilliant.

    40
    Jason Bourne
    Feb 20th 2015, 9:49 AM

    Their T530s and W530s are rock solid. Use these at work. But why oh why do they go and screw it up with the new w540/T540p range?

    Crap plastic feel, KB relayout and no actual mouse pad buttons.

    16
    Johnny Norton
    Feb 20th 2015, 1:28 PM

    I have a w520 for nearly 4 years. It’s still a great spec. i7- 8-32 gigs of ram – 2 gig quadro graphics card. Powers 1 – 3 external monitors. A complete desktop replacement. I use it for heavy work every day and never had one issue and it’s still well able for anything I can throw at it. 6 months ago I extended my warranty from 3 years (included) to five years for 100 euro so it’s still covered by Lenovo. Best purchase I ever made!

    4
    Luther Cooper
    Feb 20th 2015, 8:34 AM

    LOL! good old Lenovo!!! ring their support ….really helpful!!!

    32
    Broken Design
    Feb 20th 2015, 11:20 AM

    What’s with all the Lenovo hate? Bought mine 6 years ago and it still works perfectly, despite the abuse it’s taken!

    24
    Tom Feehan
    Feb 20th 2015, 8:22 AM

    Lean over

    15
    adam murphy
    Feb 20th 2015, 11:25 AM

    I got an Ideapad 4 years back, and apart from some recent problems, it’s never been a problem for me. I was surprised to see so much Lenovo hate here

    12
    Jimmy Murphy
    Feb 20th 2015, 11:02 AM

    Lenovo laptops are useless lumps of shite. I repair laptops & desktops for people all the time and it’s mostly Lenovos.
    Avoid them like the plague

    12
    Francis Fakeman
    Feb 20th 2015, 8:35 AM

    Here come the Lenovo fanboys. Ffs.

    7
    Tweety McTweeter
    Feb 20th 2015, 8:47 AM

    Faux outrage at a comment that hasn’t been posted yet ?!…. Really?

    62
    little jim
    Feb 20th 2015, 9:38 AM

    I love Len O’Va!
    There, happy now?

    7
    John Wheelwright
    Feb 20th 2015, 10:09 AM

    IBM support this brand, what more can one say.

    6
    Enda Dirrane
    Feb 20th 2015, 9:03 AM

    It’s really a Think bad…

    6
    Stephen Boland
    Feb 20th 2015, 12:19 PM

    “Levono” Really?! who’s asleep today?

    2
    Michele Savage
    Feb 20th 2015, 9:59 AM

    Not so super then

    1