The software is called Superfish, which is described as a "technology that helps users find and discover products visually... instantly [analysing] images on the web and [presenting] identical and similar product offers that may have lower prices."
According to The Next Web's Owen Williams, what Superfish actually does is serve up intrusive and unwanted adverts on web pages like Google. Because it comes pre-installed on laptops, Lenovo customers might end up using it inadvertently.
Worse, there are reports that Superfish is carrying out what's known as a "man-in-the-middle" attack - impersonating the security certificates of encrypted websites so that it can insert its ads into HTTPS pages. This potentially exposes the sensitive information of any customer affected by Superfish - like passwords or banking details - to interception.
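A check a Lenovo owner or administrator can run on the affected machine, added here as an example and not code from the article or from Lenovo: it lists any root certificate in the Windows trusted-root stores whose subject matches a name pattern (assumed here to contain "Superfish"), and separately flags any root CA whose private key is present on the endpoint, since that is what would let the software sign certificates for arbitrary sites.

```powershell
# Added example (not from the article): scan the Windows trusted-root stores for an
# unexpected root CA. Assumes the injected root's subject contains "Superfish";
# the pattern is a parameter, so any other name can be checked the same way.
function Find-SuspiciousRootCA {
    param(
        [string]$SubjectPattern = '*Superfish*'
    )
    # Both the machine-wide and the per-user root stores can be used to trust a CA.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $nameMatch = $_.Subject -like $SubjectPattern
            # A root CA whose private key lives on a client endpoint is a red flag by
            # itself: anyone holding that key can mint certificates the machine trusts.
            $hasKey = $_.HasPrivateKey
            if ($nameMatch -or $hasKey) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    NameMatch     = $nameMatch
                    HasPrivateKey = $hasKey
                }
            }
        }
    }
}

# Usage: print anything suspicious; an empty result means nothing matched.
Find-SuspiciousRootCA | Format-Table -AutoSize
```

Removing a flagged certificate from the store stops Windows trusting it, but browsers that keep their own root store (such as Firefox) need to be checked separately.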
According to The Register, almost a dozen antivirus software suites flag up Superfish as a "potentially unwanted program, adware, or a trojan."
Here's a screengrab from Twitter of Superfish allegedly impersonating Bank Of America:
This is a problem. #superfish pic.twitter.com/jKDfSo99ZR
- Kenn White (@kennwhite) February 19, 2015
The reaction on social media has ranged from outrage to scorn:
Guys. The second you start calling superfish a "potentially unwanted program" and not malware you make it ok for Lenovo to do this again.
- Sid (@Trojan7Sec) February 19, 2015
Who needs the NSA when ad networks can get implants pre-installed from the factory? #superfish
- matt blaze (@mattblaze) February 19, 2015
This is a nightmare scenario. Hackers can make their attacks look like updates from Microsoft on Lenovo computers. http://t.co/t0yBNYKyrA
- Brianna Wu (@Spacekatgal) February 19, 2015
got that superfish pic.twitter.com/M5bfX9lwzY
- Sarah Jeong (@sarahjeong) February 19, 2015
TL;DR #superfish: @lenovo ships laptops that break all HTTPS browsing, with an ad-insertion program called Superfish.
- Chris Palmer (@fugueish) February 19, 2015
Goodbye Lenovo, and thanks for all the Superfish.
- InfoSec Taylor Swift (@SwiftOnSecurity) February 19, 2015
"To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.
The Superfish Visual Discovery engine analyses an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.
Superfish technology is purely based on contextual/image and not behavioural. It does not profile nor monitor user behaviour. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of Use and Privacy Policy, and has the option not to accept these terms, i.e., Superfish is then disabled."