Lenovo Admits Preloading Laptops With 'Potentially Dangerous' Adware

Lenovo CEO Yang Yuanqing attends a news conference in Sao Paulo September 5, 2012. Nacho Doce/Reuters

Chinese computer manufacturer Lenovo has been accused of putting the security and privacy of many of its customers at risk after it admitted to pre-installing on its laptops an adware program that promoted selected adverts to web users.

The firm say they have removed the hidden adware - called Superfish - and that they stopped installing it on new products in January. But that has not stopped a wave of complaints from consumers who are worried about the potential security risks they may have been exposed to.

The adware was preloaded on a number of laptop models between October and December 2014 according to Lenovo, although the first complaint about it on their forums came in September of that year. It is still unclear how many laptops have been affected.

Superfish works in browsers such as Google Chrome and Internet Explorer by hijacking secure web connections and dropping selected advertisements into search results that are disguised to blend in.

Hi all, we're aware of Superfish concerns & are taking immediate action to address them. Details here: http://t.co/xYg0P0GriV

— Lenovo (@Lenovo) February 19, 2015

Prof Alan Woodward, a security expert at Surrey University, told the BBC that people have shown the software can "basically intercept everything and it could be really misused". Superfish purportedly creates its own certificates when users are browsing the web over secure connections - which means it would be capable of collecting user data in what is known as a man-in-the-middle malware attack. If these certificates were compromised by hackers, for example, the user's sensitive browser data could be at risk.

One customer on the forum today wrote: "How on earth can Lenovo justify the installation of software that can generate spoof web certificates on the fly for any site visited? This effectively means that the software can spy on ALL browser traffic - to my bank, my doctor, my employer, my email and dozens of other things."

According to technology site The Next Web: "Superfish could be far more dangerous than just inserting advertising."

Lenovo responded to security fears with a statement: "To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted."

They also say "the relationship with Superfish is not financially significant" and that the reason for preloading the adware was to "enhance the experience for users".

Lenovo say any customers who would like to take further action or find more information should go to http://forums.lenovo.com.