Statutory damages, disgorgement of unjustly earned revenues

Feb 24, 2015 10:20 GMT

Following the security blunder that affected customers of Lenovo consumer products shipped with the Superfish browser add-on pre-installed, a lawsuit was filed against Lenovo and Superfish by a woman in San Diego, California, on her own behalf and on behalf of others affected by the software's risky behavior.

Jessica Bennet, the plaintiff, asks for statutory damages as provided by California and federal law, plus interest. The two defendants would also have to pay all litigation costs and surrender all revenue earned from the dangerous practice.

Inappropriate ads triggered the alarm

Between September 2014 and January 2015, several Lenovo consumer laptop models were sold pre-loaded with Superfish, an application that used the man-in-the-middle (MitM) technique to intercept encrypted communication and alter it in order to inject ads into the websites the user visited.

The core problem was that, on every affected machine, every HTTPS website was re-signed with the same root certificate, and the private key of that certificate was cryptographically weak enough that it could be (and was) cracked. Anyone holding that key could therefore impersonate any HTTPS site to any affected laptop.

Bennet says that she purchased a Lenovo Yoga 2 laptop for her blog-writing business. While writing a blog post for one of her clients, she noticed dubious advertising featuring “scantily clad women” being pushed onto the web page.

Believing that the client’s website had been hacked, she alerted them by email. Later, however, Bennet saw the same advertisements on the website of a different client; she then realized that the problem was on her end and began looking for its cause.

Lenovo rushed to fix the issue

After spending time on forums, she found that her laptop had come with the Superfish browser add-on, which injected ads into the websites she visited.

The class-action lawsuit was filed on February 19, a day after Google security engineer Chris Palmer discovered that Superfish had installed a self-generated root certificate that vouched for all encrypted connections.

Since the danger posed by this behavior became public, Lenovo has made every effort to ensure that its customers are spared any unpleasant consequences.

Initially, the company published instructions on how to manually remove Superfish from the affected computers, together with the root certificate that had been injected into the Windows and Mozilla certificate stores.

Later, Lenovo began distributing a tool that carries out the cleanup automatically. It also collaborated with Microsoft and McAfee to the same end: Microsoft pushed a detection signature for Superfish that removes both the software and its root certificate.
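To illustrate both the interception technique described earlier (a proxy can only re-sign every HTTPS site if its root certificate sits in a trusted root store) and the manual removal step mentioned here, the following PowerShell audit script is an added example; it is not Lenovo's removal tool, Microsoft's signature, or any code from the filing. The subject pattern `*Superfish*` is an assumption derived from the vendor name, since the article does not quote the certificate's subject, and the function name is invented for this example.

```powershell
# Added example: audit the Windows root stores for a root certificate whose
# subject matches a pattern, report each hit, and remove it only on request.
# The default pattern "*Superfish*" is an assumption based on the vendor name;
# verify the Subject and Thumbprint of every hit before removing anything.
function Find-InjectedRootCertificate {
    [CmdletBinding()]
    param(
        [string]$SubjectPattern = '*Superfish*',
        [switch]$Remove
    )

    # A MitM proxy that re-signs HTTPS traffic needs its root trusted by the
    # browser, so both the machine-wide and the per-user root stores are checked.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

    foreach ($store in $stores) {
        $hits = Get-ChildItem -Path $store | Where-Object {
            $_.Subject -like $SubjectPattern
        }
        foreach ($cert in $hits) {
            # Emit one record per hit so the output can be piped or exported.
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                # A self-signed root has an identical Subject and Issuer.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
            if ($Remove) {
                # Removing from LocalMachine\Root requires an elevated session.
                Remove-Item -Path $cert.PSPath -Verbose
            }
        }
    }
}

# Report only (safe to run in any session):
Find-InjectedRootCertificate

# After reviewing the report, remove the hits from an elevated PowerShell:
# Find-InjectedRootCertificate -Remove
```

Run it without `-Remove` first and confirm that each reported certificate is the injected one; a legitimate enterprise root can also match a loose pattern. Firefox keeps its own NSS certificate store (the Mozilla store the article mentions), so a hit removed from the Windows stores must be removed from the browser's certificate manager separately.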

The class-action filing, courtesy of The Register, is available here.