It looks like Lenovo has been installing adware on its new consumer computers, and the adware activates when the computer is taken out of the box for the first time.
The adware, named Superfish, is reportedly installed on a number of Lenovo’s consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user’s permission.
Potentially more troubling:
With Superfish, it’s been claimed Lenovo is using a self-signed certificate to appear as a trusted party (which it no doubt considers itself to be) along the chain. In theory, it is therefore able to see users’ traffic and alter it in whatever way it sees fit. This method, according to Robert Graham of Errata Security, makes Superfish the root Certificate Authority (CA) – essentially the link that decides what encrypted communications to trust.
“It means Superfish can generate a valid (from the browser’s standpoint) encryption certificate for Facebook or Google, or any other site using HTTPS,” noted security analyst Andreas Lindh.
From a privacy perspective, this isn’t ideal…
Uh, no, that isn't ideal.
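The quoted point that one locally trusted root can vouch for Facebook, Google, or any other HTTPS site suggests a simple audit. The sketch below is an added example, not code from the article or from Lenovo or Superfish. It compares the chain root seen for each site on the audited machine against a clean-machine baseline; every CA name and host-to-issuer mapping is constructed, and only the name "Superfish" comes from the article.

```python
from collections import defaultdict

# Constructed data. "Example Public CA A/B" stand in for real public CAs;
# "Superfish" is the issuer name taken from the article.
REFERENCE_ROOTS = {"Example Public CA A", "Example Public CA B"}

# Root of each site's certificate chain as seen from a known-clean machine.
BASELINE = {
    "www.facebook.com": "Example Public CA A",
    "www.google.com": "Example Public CA B",
    "intranet.example": "Example Corp Internal CA",
}

# Root of each site's certificate chain as seen on the audited laptop.
OBSERVED = {
    "www.facebook.com": "Superfish",
    "www.google.com": "Superfish",
    "intranet.example": "Example Corp Internal CA",
}


def find_interceptors(observed, baseline, reference_roots, min_hosts=2):
    """Return {issuer: [hosts]} for issuers that look like a local interception root."""
    suspects = defaultdict(list)
    for host, issuer in observed.items():
        if issuer in reference_roots:
            continue  # chains to a root from the reference list
        if baseline.get(host) == issuer:
            continue  # same private issuer the clean machine sees
        suspects[issuer].append(host)
    # One unknown root vouching for several unrelated sites is the signature
    # of a locally trusted CA minting certificates on the fly.
    return {i: sorted(h) for i, h in suspects.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = find_interceptors(OBSERVED, BASELINE, REFERENCE_ROOTS)
    for issuer, hosts in found.items():
        print(f"unexpected issuer {issuer!r} for: {', '.join(hosts)}")
```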