Have a recent Lenovo laptop? You may also have been netted by Superfish, an insidious little ad-insertion program that sidesteps ordinary security measures in ways that could expose your personal or financial information to unsavory characters.

Where Superfish Swims And What It Eats

Superfish has been installed on select Lenovo computers since at least 2014, and does a number of nasty things. It can alter non-encrypted traffic—i.e., visits to all websites that aren’t protected by HTTPS encryption (that green padlock in Chrome)—by injecting JavaScript that displays affiliated ads on unsuspecting websites. That’s annoying because it can cause problems on those sites, though it’s not necessarily dangerous.

But Superfish can also apparently spy on encrypted traffic, such as your visits to banking sites, email or social media. It does this by installing its own rogue root certificate in Windows. This allows the software to falsely represent itself as a trusted authority for every website you visit, even though its certificate has been self-signed and is controlled by Superfish. Google security engineer Chris Palmer was the first to notice the implications.

“This allows Superfish to intercept an encrypted SSL connection, decrypt it, then re-encrypt it again,” writes Errata Security CEO Robert Graham. As a result, Superfish is effectively conducting what security pros call a “man-in-the-middle attack,” in which a malicious party eavesdrops on supposedly trusted communications, and can even alter transmitted information on the fly. That means it could have access to your bank account, your email and other sensitive data.

Making matters worse, Superfish apparently does its spying in such spectacularly clumsy fashion that other hackers could also exploit affected users. Specifically, Superfish uses the same private key for that root certificate on every affected Lenovo machine.

“This means that hackers at your local cafe WiFi hotspot, or the NSA eavesdropping on the Internet, can use that private key to likewise intercept all [encrypted] connections from Superfish users,” writes Graham, who cracked the cryptographic key and extracted the certificate.

Throwing Superfish Back

Although many virus scans flag Superfish as spyware, they don’t disable the rogue root certificate, which means your machine could still be vulnerable to hacking. Lenovo has listed models that may be affected, and says that it stopped preloading the adware in January and will not preload it in the future. (It has published instructions for removing the app, although they don’t include removing the malicious certificate.)

You can find out if your computer is infected using a test site created by Italian security consultant Filippo Valsorda at https://filippo.io/Badfish/, using either Chrome or Internet Explorer. (Firefox behaves a little differently.)
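Valsorda’s site tests the browser; the same question can be put to the operating system’s own certificate validation from the command line. The script below is an added example written for this article, not code from Valsorda’s site or from Lenovo. It opens a TLS connection to a host, copies the certificate chain Windows builds for it, and reports who signs it: on a clean machine the chain ends at a public CA, while a chain signed by a “Superfish” certificate means connections on this machine are being re-signed locally, as described above. The host name and the `Superfish` subject pattern are illustrative assumptions.

```powershell
# Added example (not from the article, Lenovo or Valsorda's test site):
# show which certificate chain this machine accepts for an HTTPS host.
# Assumptions: $HostName is an illustrative target; the 'Superfish' pattern
# matches the subject the article names ("Superfish, Inc.").
param(
    [string]$HostName = 'example.com',
    [int]$Port = 443,
    [string]$SuspectPattern = 'Superfish'
)

$certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$chainCerts = New-Object "System.Collections.Generic.List[$certType]"

# Validation callback: copy every certificate in the chain Windows built,
# then let the handshake complete. No application data is ever sent.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    foreach ($element in $chain.ChainElements) {
        # Rebuild from RawData so the copy outlives the chain object.
        $chainCerts.Add((New-Object $certType -ArgumentList (,$element.Certificate.RawData)))
    }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $ssl.Dispose()
} finally {
    $tcp.Dispose()
}

if ($chainCerts.Count -eq 0) {
    Write-Warning "No certificate chain was presented for $HostName."
    return
}

Write-Host "Chain for ${HostName}:"
foreach ($c in $chainCerts) {
    Write-Host ("  {0}`n    issued by: {1}" -f $c.Subject, $c.Issuer)
}

# The last element is the root the machine trusts for this connection.
$root = $chainCerts[$chainCerts.Count - 1]
$suspect = $chainCerts | Where-Object {
    $_.Subject -match $SuspectPattern -or $_.Issuer -match $SuspectPattern
}

if ($suspect) {
    Write-Warning "A '$SuspectPattern' certificate signs this chain: TLS to $HostName is being intercepted on this machine."
} else {
    Write-Host "Chain root: $($root.Subject) (no '$SuspectPattern' certificate in the chain)"
}
```

Run it as `.\Check-TlsChain.ps1 -HostName yourbank.example` (any file name works). Because the check uses the Windows certificate stores, it sees the same rogue root the browser sees; a chain whose root is a public CA and whose issuers contain no “Superfish” entry is what a clean machine shows.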

If you are affected, Valsorda’s cleanup instructions are the best place to start. To summarize:

  1. Uninstall Superfish via the Control Panel. Look for “Superfish Inc VisualDiscovery.”
  2. Then it’s time to uninstall the certificate from Windows. First open the Windows certificate manager. You can search for “certmgr.msc,” right-click it and choose the option “Run as administrator.”
  3. Click “Trusted Root Certificate Authorities” and select “Certificates.”
  4. Scroll to the “Superfish, Inc.” certificate.
  5. Right-click it and select “delete.”
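Steps 2 through 5 can also be done from an elevated PowerShell prompt, which is handy when cleaning several machines or when you want a record of what was found. The script below is an added example written for this article, not Lenovo’s or Valsorda’s removal tool. It looks in both the machine-wide and the per-user Trusted Root stores (certmgr.msc opens only one of them at a time), prints each matching certificate with its thumbprint, and previews the deletion with `-WhatIf` before anything is removed. The `Superfish` subject pattern is the only assumption, taken from the certificate name the steps above mention.

```powershell
# Added example (not from the article or Lenovo): find the Superfish root
# certificate in the Windows Trusted Root stores and remove it.
# Run from an elevated PowerShell prompt; uses only built-in cmdlets.
# Assumption: the certificate's subject contains 'Superfish', as the
# certmgr.msc steps above describe ("Superfish, Inc.").
$pattern = 'Superfish'

# Check both stores: a virus scan that removes the program leaves these alone.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
}

if (-not $found) {
    Write-Host "No certificate matching '$pattern' in the Trusted Root stores."
    return
}

foreach ($cert in $found) {
    # A self-signed root (subject equals issuer) is what lets the Superfish CA
    # vouch for any website on the affected machine.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    Write-Host ("Found: {0}`n  Store: {1}`n  Thumbprint: {2}`n  Self-signed: {3}`n  Valid: {4} to {5}" -f
        $cert.Subject, $cert.PSParentPath, $cert.Thumbprint, $selfSigned, $cert.NotBefore, $cert.NotAfter)
}

# Preview first: -WhatIf lists what would be deleted without deleting it.
$found | Remove-Item -WhatIf

# When the listing shows only the rogue certificate, remove it for real:
# $found | Remove-Item
```

After the removal, re-run the first part of the script (or re-open certmgr.msc) and confirm nothing matching “Superfish” remains in either store; a browser restart is then enough for the test sites in this article to report a clean machine.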

Valsorda also includes directions for deleting the certificate from Firefox, which might not be necessary. You can also check the site canibesuperphished.com to make sure your computer is no longer infected, although it’s a little counter-intuitive. If you get a certificate error message on loading the site, you’re safe.

Photo by OakleyOriginals