Earlier this morning it was reported that Lenovo is installing adware to their new laptops. This piece of adware is called SuperFish, and it basically MITM’s your connections — including secure ones — and inserts ads into webpages you visit. This in itself should be alarming and is an extremely scummy thing to do, but now things have taken a turn for the worse. Yes, it can get even worse.
Since Lenovo has installed a root CA of their own on the computer, they can basically make your browser trust any site they want by using the CA to create certificates for them. But now everyone can. A couple of people have already extracted the private key from the adware app and bruteforced the terrible, inexcusably bad password. A password of only 7 characters in length, consisting of nothing but lowercase a–z characters. komodia. Really, that’s it right there.
So now anyone can create certificates that new Lenovo machines automatically trust. Shame on you, Lenovo.
And yes, I know Lenovo is not directly responsible because they didn’t make the adware, but they shouldn’t have added some in the first place. At the very least they should have had oversight, because this is complete buffoonery. Hopefully some heads will roll as a result. This race to the bottom where laptops are preinstalled with bloat in ever increasing crappiness must stop.
In case you are using a Lenovo computer and want to check if you are vulnerable, try going here. If you get a security warning from your browser, you are safe. If not, douse your computer in some holy water and go make an angry call to Lenovo support.