Home Superfish: How To Get Unhooked From Lenovo’s Dangerous Adware

Superfish: How To Get Unhooked From Lenovo’s Dangerous Adware

Have a recent Lenovo laptop? You may also have been netted by Superfish, an insidious little ad-insertion program that sidesteps ordinary security measures in ways that could expose your personal or financial information to unsavory characters.

Where Superfish Swims And What It Eats

Superfish has been installed on select Lenovo computers since at least 2014, and does a number of nasty things. It can alter non-encrypted traffic—i.e., visits to all websites that aren’t protected by HTTPS encryption (that green padlock in Chrome)—by injecting JavaScript that displays affiliated ads on unsuspecting websites. That’s annoying because it can cause problems on those sites, though it’s not necessarily dangerous.

But Superfish can also apparently spy on encrypted traffic, such as your visits to banking sites, email or social media. It does this by installing its own rogue root certificate in Windows. This allows the software to falsely represent itself as a trusted authority for every website you visit, even though its certificate has been self-signed and is controlled by Superfish. Google security engineer Chris Palmer was the first to notice the implications.

See also: Why Google Wants To Padlock The Web

“This allows Superfish to intercept an encrypted SSL connection, decrypt it, then re-encrypt it again,” writes Errata Security CEO Robert Graham. As a result, Superfish is effectively conducting what security pros call a “man-in-the-middle attack,” in which a malicious party eavesdrops on supposedly trusted communications, and can even alter transmitted information on the fly. As a result, it could have access to your bank account, your email and other sensitive data.

Making matters worse, Superfish apparently does its spying in such spectacularly clumsy fashion that other hackers could also exploit affected users. Technically, Superfish uses the same private encryption key for each Lenovo machine. 

“This means that hackers at your local cafe WiFi hotspot, or the NSA eavesdropping on the Internet, can use that private key to likewise intercept all [encrypted] connections from Superfish users,” writes Graham, who cracked the cryptographic key and extracted the certificate.

Throwing Superfish Back

Although many virus scans flag Superfish as spyware, they don’t disable the rogue root certificate, which means your machine could still be vulnerable to hacking. Lenovo has listed models that may be affected, and says that it stopped preloading the adware in January and will not preload it in the future. (It has published instructions for removing the app, although they don’t include removing the malicious certificate.)

You can find out if your computer is infected using a test site created by Italian security consultant Filippo Valsorda at https://filippo.io/Badfish/, using either Chrome or Internet Explorer. (Firefox behaves a little differently.)

If you are affected, Valsorda’s cleanup instructions are the best place to start. To summarize:

  1. Uninstall Superfish via the Control Panel. Look for “Superfish Inc VisualDiscovery”
  2. Then it’s time to uninstall the certificate from Windows. First open the Windows certificate manager. You can search for “certmgr.msc,” right-click it and choose the option “Run as administrator”
  3. Click “Trusted Root Certificate Authorities” and select “Certificates”
  4. Scroll to the “Superfish, Inc.” certificate
  5. Right-click it and select “delete”

Valsorda also includes directions for deleting the certificate from Firefox, which might not be necessary. You can also check the site canibesuperphished.com to make sure your computer is no longer infected, although it’s a little counter-intuitive. If you get a certificate error message on loading the site, you’re safe.

Photo by OakleyOriginals

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.