Lenovo caught preinstalling malware onto its laptops. The kicker? It's horrifically insecure.
[QUOTE]It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time.
The adware, named Superfish, is reportedly installed on a number of Lenovo’s consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user’s permission.
Other users are reporting that the adware actually installs its own self-signed certificate authority which effectively allows the software to snoop on secure connections, like [B]banking websites[/B] as pictured in action below.
This is a malicious technique commonly known as a man-in-the-middle attack, where the certificate allows the software to decrypt secure requests, yet Lenovo appears to be shipping this software with some of its products out of the box.
If this is true — we’ve only seen screenshots so far — Superfish could be far more dangerous than just inserting advertising.[/QUOTE]
Sauce: [url]http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/[/url]
To give some perspective, [URL="https://twitter.com/SwiftOnSecurity"]@SwiftOnSecurity[/URL] has a summary [URL="https://twitter.com/SwiftOnSecurity/status/568307140659523585"]spanning[/URL] [URL="https://twitter.com/SwiftOnSecurity/status/568288402241511426"]several[/URL] [URL="https://twitter.com/SwiftOnSecurity/status/568289996873936898"]tweets[/URL] as to how much of a colossal no-no in the security world this is.
If you've recently bought a Lenovo laptop (within the last 6-12 months), visit [URL="http://canibesuperphished.com/"]canibesuperphished.com[/URL] - If you don't get an error, you'll need to remove the security cert.
tl;dr Lenovo fucked up so badly that "if you have a Lenovo machine purchase 2nd half 2014, that green SSL lock at [url]http://Facebook.com[/url] or [url]http://WellsFargo.com[/url] means jack shit".
lenovo wtf
you used to be GOAT as far as laptop manufacturers
thats what you get from buying a laptop from a bunch of russians
edit : it has come to my attention that lenovo is chinese
For what purpose would you put malware / adware onto your products?
I don't see why any computer manufacturer would put shit like that on their products unless the people behind the malware are paying them loads of cash. And even then, putting countless people's credentials at stake could cost you more than those other people could ever give you
Lawsuit when?
I have a Lenovo Y510p I got last year, but I wiped it like two times ago, am I safe?
Bought one recently. I will be checking this tomorrow I suppose. Didn't do any bank business but did log in on stuff. God damn it, I knew I should have clean installed it but I was far too lazy, I thought it was just the useless software..
These guys are the ones in charge of motorola? They were doing good for now
I'm using a Lenovo right now
Tell Martha I love her
[QUOTE=AWarGuy;47173825]I have a Lenovo Y510p I got last year, but I wiped it like two times ago, am I safe?[/QUOTE]
If you reinstalled using a clean Windows disc, then you're fine. If you used what was provided by Lenovo, probably not.
[url]http://canibesuperphished.com/[/url]
EDIT: To clarify, you SHOULD get an error when visiting that link if you are SAFE. The error looks like the following:
Chrome:
[IMG]http://i.imgur.com/rWdwV5M.png[/IMG]
Firefox:
[IMG]http://i.imgur.com/pbG9n57.png[/IMG]
Internet Explorer:
[IMG]http://i.imgur.com/75LbVIw.png[/IMG]
If you get to [URL="http://i.imgur.com/9TQgXC1.png"]this page[/URL] without an error, then your system is compromised.
[QUOTE=Forumaster;47173858]If you reinstalled using a clean Windows disc, then you're fine. If you used what was provided by Lenovo, probably not.
[url]http://canibesuperphished.com/[/url][/QUOTE]
i take it you're supposed to get a privacy error from that?
[QUOTE=Dermock;47173708]lenovo wtf
you used to be GOAT as far as laptop manufacturers[/QUOTE]
lenovo has always been shit, it's back when they were made by IBM that thinkpads were good laptops
I'm on Lenovo laptop which I bought in the summer of 2014.
I get the error. Does this necessarily mean I'm safe though?
[QUOTE=Dermock;47173871]i take it you're supposed to get a privacy error from that?[/QUOTE]
yeah, the idea is that if you have superfish you probably won't get the security message
[editline]19th February 2015[/editline]
[QUOTE=VikCreamCake;47173915]I'm on Lenovo laptop which I bought in the summer of 2014.
I get the error. Does this necessarily mean I'm safe though?[/QUOTE]
you're probably fine
[QUOTE=Forumaster;47173858]If you reinstalled using a clean Windows disc, then you're fine. If you used what was provided by Lenovo, probably not.
[url]http://canibesuperphished.com/[/url][/QUOTE]
Thanks man, I wiped it with a Windows 8.1 disc when I first got it. Nice to know I'm safe.
[QUOTE=Dermock;47173871]i take it you're supposed to get a privacy error from that?[/QUOTE]
yeah, if you don't get a security error you're at risk.
[QUOTE=Dermock;47173871]i take it you're supposed to get a privacy error from that?[/QUOTE]
Yeah, updated my post with examples.
I got a Y-50 about 1.5 months ago but due to an error I had to get my hard drive replaced (free of charge as it was on warranty) and I had to use a recovery media to do a fresh install of Windows 8.1. I checked the link someone posted here and I got a privacy error message, does this mean I'm safe?
Posting from my Lenovo laptop which I got during the fall of last year, but I'm safe too. Thanks, forumaster.
Class action law-nuke inbound
PREPARE FOR RETRIBUTION
[QUOTE=AWarGuy;47173825]I have a Lenovo Y510p I got last year, but I wiped it like two times ago, am I safe?[/QUOTE]
I dunno if it's just me or a general trend with y510ps, but mine's clean and I've yet to wipe it
[QUOTE=Amiga OS;47174311]The build quality is iffy, the new trackpads aren't as good without the ultranav buttons and the keyboards are inferior.
Not to mention /g/entoomen only buy ThinkPads they can get for under $100, ergo 4-5 year old models.[/QUOTE]
y510p touchpads are fucking disgusting i can't even imagine anyone using them unironically
still tho, lenovo laptops as far as im concerned dont have any hardware that install anything on your hdd if you change it or format, so you should be safe if your hdd isn't in the same condition as it was when you purchased it
Extremely disappointed, was planning on getting a yoga 15 inch on release because of its Wacom digitizer but if Lenovo does nothing in response to this then fuck that. I'll skip screen size and go for a companion 2.
[QUOTE=Amiga OS;47174311]The build quality is iffy, the new trackpads aren't as good without the ultranav buttons and the keyboards are inferior.
Not to mention /g/entoomen only buy ThinkPads they can get for under $100, ergo 4-5 year old models.[/QUOTE]
Everything after the * *20 series kinda went to shit. Some *30's like the T430 is alright, but still not as good.
[QUOTE=Telecaster;47173722]thats what you get from buying a laptop from a bunch of russians
edit : it has come to my attention that lenovo is chinese[/QUOTE]
Don't worry, you didn't mix up that much.
I love that I have someone on twitter who is defending this to high heaven as a clear lenovo fanboy because he says he fresh installs windows on every PC he gets anyways, therefore it doesn't matter and lenovo is the best. Way to totally miss the point?
(yes, this doesn't affect you if you do a fresh install since this comes with preinstalled software on the OS).
[QUOTE=SlickBlade;47173733]For what purpose would you put malware / adware onto your products?
I don't see why any computer manufacturer would put shit like that on their products unless the people behind the malware are paying them loads of cash. And even then, putting countless people's credentials at stake could cost you more than those other people could ever give you[/QUOTE]
It gets disguised as 'We're trying to improve the customer experience', but in reality it's the same as every ad relationship: They get money out of it.
[img]https://lh5.googleusercontent.com/-RSZXUDuga_Y/VOZ9BLNe4pI/AAAAAAAAREo/DZZmTEf6k5A/s0/2015-02-19_16-17-11.png[/img]
[img]https://lh5.googleusercontent.com/-EmgudcIyy5Q/VOZ9Ey3_5EI/AAAAAAAAREw/0D2cjo9DNaw/s0/2015-02-19_16-17-26.png[/img]
@swiftonsecurity probably the best parody account in the history of twitter
[editline]19th February 2015[/editline]
anyways to those of you that don't understand public-private encryption
basically this cert is unscoped, so it will work for any site. the private key (aka the one never supposed to be revealed) is included in the cert. with that cert, i could roll up to a starbucks, make a fake starbucks wifi, use the private key from superphish to sign a version of facebook's site, do dns redirects to point at my version of facebook, and chrome will happily browse to it and give it a nice green padlock
this is very [U]very[/U] bad
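Added example, not part of the original thread and not Lenovo's or any poster's code: a PowerShell audit of the Windows trusted-root stores, complementing the browser test linked above by checking the certificate store directly. The `Superfish` name pattern comes from the adware name in the thread; the `-BaselinePath` parameter and its file format are hypothetical, and the private-key check is a general heuristic for locally installed interception CAs rather than a Superfish-specific test.

```powershell
# Added example: audit the Windows trusted-root stores for interception CAs.
# Assumptions: the name pattern is taken from the adware name in the thread;
# the baseline file (one known-good thumbprint per line) is hypothetical.
param(
    [string]$NamePattern = 'Superfish',
    [string]$BaselinePath
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Load the optional baseline of thumbprints exported from a known-clean machine.
$baseline = @()
if ($BaselinePath -and (Test-Path -LiteralPath $BaselinePath)) {
    $baseline = Get-Content -LiteralPath $BaselinePath |
        ForEach-Object { $_.Trim().ToUpper() } |
        Where-Object { $_ }
}

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()
        # 1. Subject or issuer carries the vendor name.
        if ($cert.Subject -match $NamePattern -or $cert.Issuer -match $NamePattern) {
            $reasons += "name matches '$NamePattern'"
        }
        # 2. A trusted root whose private key lives on this machine can mint
        #    certificates for any site; legitimate public roots never ship that way.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }
        # 3. Root was added after the baseline was taken.
        if ($baseline.Count -gt 0 -and $baseline -notcontains $cert.Thumbprint) {
            $reasons += 'not in baseline'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = $reasons -join '; '
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
    Write-Warning "$(@($findings).Count) trusted-root certificate(s) need review."
} else {
    Write-Output 'No suspicious trusted-root certificates found.'
}
```

This covers the Windows certificate store only; a browser that keeps its own trust store is not checked, and removing a flagged certificate does not uninstall the software that added it.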
2013 Y500 doesn't seem to have it but I have lost all confidence in Lenovo now.
That's fairly impressive considering 2 days earlier I considered them the best in the business.
[QUOTE=Dermock;47173708]lenovo wtf
you used to be GOAT as far as laptop manufacturers[/QUOTE]
Lenovo was never greatest of all time. They bought a solid brand from IBM and slowly ran its reputability into the ground. This really goes to show the difference.