The false website security certificates could allow Superfish to decrypt a user's HTTPS web traffic. It's unlikely that Superfish is out to get your banking credentials or other logins. The site certificate tampering could, however, open the door for hackers to launch phishing attacks — especially since Superfish appears to be using the same private encryption key on all Lenovo machines.
A hacker could, for example, create a phony banking site relying on the faked Superfish security certificates for authentication. Under this scenario, Lenovo PCs wouldn't be able to detect they were visiting a forged site.
Despite concerns from critics, Lenovo believes Superfish is safe. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," a company spokesperson said via e-mail.
Without going into details, the Lenovo representative said Superfish was installed on select consumer-grade machines. A report by Myce from January said the adware was found on Lenovo Y50, Z40, Z50, G50, and Yoga 2 Pro laptops. If you've recently bought a Lenovo laptop, there's a good chance your PC has Superfish pre-installed.
"Preinstalled software is always a concern because there's often no easy way for a buyer to know what that software is doing — or if removing it will cause system problems further down the line," said Chris Boyd, a malware intelligence analyst at Malwarebytes, via email.
Boyd advises users to uninstall Superfish, then to type certmgr.msc into the Windows search bar, open the program, and remove the Superfish root certificate from there. Apparently many anti-virus programs identify Superfish as malware and will take care of removing it — though not the root certificate — for you.
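The certificate check Boyd describes can also be scripted. The following is an added example, not code from the article or from Lenovo; it assumes the certificate can be recognised by the name "Superfish" in its subject or issuer (the article gives no thumbprint), and the parameter and function names are hypothetical. It checks the machine-wide root store as well as the current user's.

```powershell
# Added example, not from the article. Save as a .ps1 file and run it from an
# elevated PowerShell session so the LocalMachine store can be modified.
param(
    [string]$NamePattern = 'Superfish',  # assumption: match by name only
    [switch]$Remove                      # hypothetical switch: report only unless set
)

# Trusted root stores for the whole machine and for the current user.
$rootStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-RootCertByName {
    param([string[]]$Stores, [string]$Pattern)
    $escaped = [regex]::Escape($Pattern)
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $escaped -or $_.Issuer -match $escaped }
    }
}

$found = @(Find-RootCertByName -Stores $rootStores -Pattern $NamePattern)
if ($found.Count -eq 0) {
    Write-Output "No root certificate matching '$NamePattern' is installed."
    return
}

# Show what was found before touching anything.
$found | Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-List

if ($Remove) {
    foreach ($cert in $found) {
        # -Confirm prompts for each certificate before it is deleted.
        Remove-Item -LiteralPath $cert.PSPath -Confirm
    }
    # Re-scan to confirm nothing matching is left in either store.
    $left = @(Find-RootCertByName -Stores $rootStores -Pattern $NamePattern)
    Write-Output "Matching root certificates still installed: $($left.Count)"
}
```

Run it without `-Remove` first to review the matches, and uninstall the Superfish program itself beforehand as the article advises.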