Lenovo, the Chinese tech giant, was shipping PCs with spyware that tracks its customers’ every move online and renders the computers vulnerable to hackers.
Lenovo, the world’s largest PC manufacturer, was installing Superfish, a particularly pernicious form of adware that siphons data from a user’s machine via the web browser. Banking and e-commerce sites, or any web page that purports to be secure with the image of a tiny padlock, are made vulnerable.
The adware discovery was made early last month by Peter Horne, a 25-year veteran of the financial services technology industry, after he bought a brand-new Lenovo Yoga 2 Notepad at a computer retailer in Sydney, Australia.
Even though the PC came with McAfee antivirus software, Mr. Horne said, he installed antivirus software made by Trend Micro. Neither virus scanner picked up any adware on the machine. But Mr. Horne noted that traffic from the PC was being redirected to a website called best-deals-products.com. When he dug further, he found that website’s server was making calls to Superfish adware.
Superfish’s “visual discovery” adware, Mr. Horne and others now say, is far more intrusive than typical adware. It not only drops ads into a user’s web browser sessions, it hijacks a secure browsing session and scoops up data as users enter it into secure websites.
Superfish does this so it can introduce ads into an otherwise encrypted web page, but the way it does so compromises the security of trusted websites and makes it easy for other hackers to intercept users’ communications.
Mr. Horne returned his PC, and went on to test Lenovo’s demonstration machines at Best Buys in New York and Boston, and other retailers in Sydney and Perth. There, he found the adware on other Lenovo Yoga 2 models and the Lenovo Edge 15.
“The company had placed the adware in a very low-level part of the operating system,” Mr. Horne said in an interview. “If they can do that, they can do anything.”
In a statement issued Thursday, Lenovo said it had included Superfish in some consumer notebook products shipped between September and December “to help customers potentially discover interesting products while shopping.”
Citing bad user reviews, the company said it stopped including the adware in January, the same month Mr. Horne brought the issue to the company’s attention.