Lenovo faces lawsuit for pre-installing Superfish adware

A class action lawsuit has been filed against Lenovo after it was found to have pre-installed adware vulnerable to cyber attacks

A class action lawsuit has been filed against Lenovo after it emerged that the company pre-installed adware that made customers vulnerable to HTTPS man-in-the-middle attacks.

The lawsuit was reportedly filed by Jessica N. Bennet in California, despite Lenovo admitting that pre-installing Superfish was a mistake and issuing an open-source tool to remove the software.

The tool is also designed to remove the self-signed root certificate that Superfish installs, which is what lets the software intercept and inspect encrypted HTTPS traffic for every website a user visits.

This introduced a security vulnerability because attackers could potentially use the certificate to create fake HTTPS websites that would not be detected as fakes by vulnerable Lenovo machines.

In other words, the vulnerability could enable attackers to impersonate shopping, banking and other websites and steal users' credit card numbers and other personal data.
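The practical check an administrator wants after reading this is whether a machine's trusted-root stores contain a self-signed root that did not come from Microsoft. The PowerShell script below is an added example, not code from the article, from Lenovo or from the removal tool it mentions; it only reports and removes nothing. It assumes the unwanted root's Subject contains the string "Superfish" (adjust `$SuspectPattern` otherwise) and additionally flags any root whose private key is present on the machine, since an interception proxy needs that key locally to mint certificates for the sites it intercepts, whereas a legitimate root CA's key should never be on an endpoint.

```powershell
# Added example (not from the article, Lenovo or Superfish): audit the Windows
# trusted-root stores for self-signed roots that warrant a closer look.
# Assumption: the unwanted root's Subject contains "Superfish"; change $SuspectPattern
# to audit for a different vendor name.
param(
    [string]$SuspectPattern = 'Superfish'
)

# Both the machine-wide and the per-user Root stores are consulted by Windows
# when a browser validates an HTTPS certificate chain.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$results = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $_.Issuer } |      # self-signed roots only
        ForEach-Object {
            $flag = ''
            if ($_.Subject -match $SuspectPattern) {
                $flag = 'SUSPECT NAME'
            }
            elseif ($_.HasPrivateKey) {
                # A root CA's private key living on an endpoint is the hallmark of
                # a local TLS-interception proxy: it lets the machine sign leaf
                # certificates for any hostname that its own browser will trust.
                $flag = 'PRIVATE KEY PRESENT'
            }
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Flag       = $flag
            }
        }
}

# Flagged roots are listed first so they are not lost among the normal entries.
$results | Sort-Object -Property Flag -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the LocalMachine store is readable in full; on a fleet, the same block can be wrapped in `Invoke-Command` and the `Thumbprint` column compared across machines, because a root that appears with an identical thumbprint on many unrelated consumer devices is exactly the pattern described above. Removal should still go through the vendor tool the article mentions, which also cleans up the software that installed the certificate.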

Lenovo said in a statement it had worked with Microsoft and McAfee. Security applications from both companies are also now able to remove Superfish software and certificates.

Remote monitoring of Lenovo users' web activity

Superfish is also named as a defendant in the class action lawsuit that claims the software allowed remote monitoring of internet activity in violation of state and US federal privacy laws.

Bennet accuses Lenovo and Superfish of invading her privacy and making money by studying her internet browsing habits.

According to the lawsuit, Bennet noticed spam advertisements on a client’s website after writing a blog post for that customer, which she traced back to the Superfish software on her Yoga 2 laptop.

The court documents also claim that Superfish took up internet bandwidth and caused Bennet’s computer to slow down by using computer memory resources.

Lenovo has claimed that it stopped pre-installing Superfish in January 2015, but prior to that the software was installed on a wide variety of consumer PC series, including Flex, Miix and Yoga.

The company said the issue does not affect Lenovo ThinkPads, any tablets, desktops or smartphones, or any enterprise server or storage device.

The first complaints of Superfish on Lenovo’s laptops emerged in September 2014, but the security risks were uncovered last week by security researchers.

Lenovo said it had halted the installation of Superfish after customers complained about intrusive pop-up ads appearing on their browsers.

But the company said it was not aware of the security risks until last week and was "focused on fixing it".

"We apologise for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future," said a company statement.

Wider questions over security of Komodia code

But the security vulnerability may extend further than Lenovo: Superfish insists its software is safe and that the flaw was introduced unintentionally by a third party, Phys.Org reports.

In an email to The Associated Press, Superfish identified that party as Komodia, a tech startup based in Israel that makes software for other companies.

This means any company or software using the same Komodia code as Superfish could be affected by the same security vulnerabilities as Superfish.