• Lenovo caught preinstalling malware onto its laptops. The kicker? It's horrifically insecure.
    137 replies, posted
"purely theoretical" [img]https://lh5.googleusercontent.com/-ex5wyws6WsI/VOaJjV9570I/AAAAAAAARFA/EXEq9ym7qQY/s0/2015-02-19_17-10-40.png[/img] if you have a lenovo computing device that is compromised, https now means jack shit to you
I recently bought a Lenovo and did notice a program called superfish on it. I returned it for a new one since the one I received had a bad harddrive. The new one doesn't have it, and it looks like they stopped preinstalling it in January.
Got a Y510p laptop second half of 2014, but no signs of the root certificates. Must be an older model I guess. Nice to know though because I'm pretty sure I did some banking on that thing.
[QUOTE=hypno-toad;47174853]Got a Y510p laptop second half of 2014, but no signs of the root certificates. Must be an older model I guess. Nice to know though because I'm pretty sure I did some banking on that thing.[/QUOTE] Actual malware that used it could install a root cert themselves.
[QUOTE=Map in a box;47174870]Actual malware that used it could install a root cert themselves.[/QUOTE] But the fact that there's no sign of superfish in the first place indicates that it was probably never installed. Said malware would need superfish to be installed to do anything
I got a G780, such a beautiful laptop she is. The website loaded only after I proceeded through Chrome's certificate warning. I think I'm good
For anyone not quite understanding the severity of this: Thanks to this I could walk into a cafe, sit around, wait for someone to whip out their Lenovo laptop and log into the free WiFi, and steal their login data for whatever sites they get on. Email, Facebook, online banking. [QUOTE=hypno-toad;47174928]But the fact that there's no sign of superfish in the first place indicates that it was probably never installed. Said malware would need superfish to be installed to do anything[/QUOTE] Other malware wouldn't depend on Superfish in the first place, it would just do the attack Superfish performs by itself.
[QUOTE=DrTaxi;47175026]For anyone not quite understanding the severity of this: Thanks to this I could walk into a cafe, sit around, wait for someone to whip out their Lenovo laptop and log into the free WiFi, and steal their login data for whatever sites they get on. Email, Facebook, online banking. Other malware wouldn't depend on Superfish in the first place, it would just do the attack Superfish performs by itself.[/QUOTE] It's not like that's absurdly hard to do in the first place on an average cafe's free wifi.
[QUOTE=LordCrypto;47174450][img]https://lh5.googleusercontent.com/-RSZXUDuga_Y/VOZ9BLNe4pI/AAAAAAAAREo/DZZmTEf6k5A/s0/2015-02-19_16-17-11.png[/img][/QUOTE] Translation for non-technical people: [QUOTE][B]WSJ:[/B] There seems to be a disparity between what tenants are saying about the potential dangers of having a broken deadbolt on their front door, and what their landlord has said about their unlocked door not presenting a security risk. [B]Hortensius:[/B] We're not trying to get into an argument with our residents. They're dealing with theoretical robberies. We have no insight that any home invasions have occurred. But we agree that this was not something we'd want on our own apartments, and we realized we needed to stop being negligent fuckheads.[/QUOTE]
[QUOTE=Levelog;47175157]It's not like that's absurdly hard to do in the first place on an average cafe's free wifi.[/QUOTE] But it's absurdly easy when the HTTPS is compromised. You just press a button on Cain and Abel, ARP poison the computer, and then run Wireshark.
[QUOTE=Forumaster;47173858]If you reinstalled using a clean Windows disc, then you're fine. If you used what was provided by Lenovo, probably not. [url]http://canibesuperphished.com/[/url] EDIT: To clarify, you SHOULD get an error when visiting that link if you are SAFE. The error looks like the following: If you get to [URL="http://i.imgur.com/9TQgXC1.png"]this page[/URL] without an error, then your system is compromised.[/QUOTE] Oh fucking goodness I got the error thinking that was a bad sign for a second thank god I have a custom built PC :v:
I still think Lenovo makes the best hardware for the price, I don't like any of the software laptops come with so I always wipe them.
[QUOTE=Levelog;47175157]It's not like that's absurdly hard to do in the first place on an average cafe's free wifi.[/QUOTE] As far as I'm aware it's still reasonably difficult to compromise HTTPS in that kind of scenario, no?
[QUOTE=srobins;47175264]As far as I'm aware it's still reasonably difficult to compromise HTTPS in that kind of scenario, no?[/QUOTE] As long as unsuspecting victims don't click through certification warnings..
Just checked mine, I have the Lenovo IdeaPad Y510p 59388313 and I'm safe thankfully.
[QUOTE=cody8295;47175294]As long as unsuspecting victims don't click through certification warnings..[/QUOTE] Your average user won't give a shit if IE gives them some stupid warning. They'll click right through it.
Okay so, like, I have a Lenovo laptop and removed this program last night. Should I be worried? Cuz I never ever noticed anything
[QUOTE=Forumaster;47173858]If you reinstalled using a clean Windows disc, then you're fine. If you used what was provided by Lenovo, probably not. [URL]http://canibesuperphished.com/[/URL] EDIT: To clarify, you SHOULD get an error when visiting that link if you are SAFE. The error looks like the following: Chrome: ... Firefox: ... Internet Explorer: ... If you get to [URL="http://i.imgur.com/9TQgXC1.png"]this page[/URL] without an error, then your system is compromised.[/QUOTE] Firefox will throw that error whether or not you have the bad CA on your system, since it doesn't use the system certificates (Which is both a good and bad thing, mainly bad for sysadmins though) Also a good reminder for sites that they should be doing key pinning, if a site does that (And the browser includes a pre-loaded list, or the user connects without being MITM) then it'll detect these faulty certs and refuse to connect. Chrome and Firefox support it, and both include a pre-loaded list for a lot of sites (Like Google or Twitter)
[QUOTE=NiandraLades;47175856]Okay so, like, I have a Lenovo laptop and removed this program last night. Should I be worried? Cuz I never ever noticed anything[/QUOTE] did you uninstall the cert? you should be fine from now on, but anything using HTTPS could have been theoretically mitm'd but people weren't really actively aware of it until like yesterday
As much as I love even the new Thinkpads I really REALLY hope Lenovo gets slammed with a saucy lawsuit by a group of bloodthirsty lawyers. Not so much because I want them to be bled dry, but more because it'll make the execs actually FEEL sorry since their decision got the company into trouble, and also teach them to never even think about doing something like this again ever.
So it turns out I'm wrong and it's annoying. Firefox is susceptible, the earlier information I read was wrong, this stuff does insert itself into the Firefox cert store. And key pinning doesn't do jack in Chrome (At least), they ignore it if the certificate presented is signed by a local CA (Which it is in this case) It's apparently to allow for corporate web filtering and AV scanning at home, but then also completely disables a whole bunch of protections in a case like this where it's malware intercepting your connections. I haven't tested Firefox, but if they have the same fears about breaking corporate networks then it's possible their implementation is completely busted as well.
This guy went to a Best Buy and actually tried it out on some laptops in the store (with screenshots): [QUOTE] Summary: ● Superfish performs HTTP MitM for IE, Chrome, and Firefox ● Superfish performs HTTPS MitM for IE and Chrome ● Superfish appears to not perform MitM on HTTPS connections from Firefox ● The Superfish proxy accepts its own certificate, so now that the private key has been leaked, an attacker can mimic an arbitrary site in Chrome and IE [/QUOTE] [url]https://bug1134506.bugzilla.mozilla.org/attachment.cgi?id=8566794[/url]
Kinda unrelated but do Lenovo laptops have tons of bloatware too? I know my Toshiba had lots of it when I had first gotten it, when I was able to I reformatted it and I've put up Windows 8 on it ever since.
GG Lenovo, now you're practically forcing Mozilla, Google, and Microsoft to issue emergency fixes to get their browsers to reject the certs on sight.
[QUOTE=Sam Za Nemesis;47174218]/g/ is going literally nuts since they're the biggest Thinkpad enthusiasts on earth[/QUOTE] pass the popcorn
[QUOTE=RaTcHeT302;47176162]Kinda unrelated but do Lenovo laptops have tons of bloatware too? I know my Toshiba had lots of it when I had first gotten it, when I was able to I reformatted it and I've put up Windows 8 on it ever since.[/QUOTE] Lenovos usually have a ton of extra software installed that's really not necessary for the average consumer, yes.
I got a T440s in August and replaced the original hard drive with my own SSD immediately. Booted off the hard drive for the first time to try this out, and thankfully it errored as it should.
[QUOTE=TheDecryptor;47176140]... I haven't tested Firefox, but if they have the same fears about breaking corporate networks then it's possible their implementation is completely busted as well.[/QUOTE] It's completely busted. The one mechanism browsers have to detect and defend against a MITM attack, is specifically disabled in this type of MITM attack because they don't want to upset corporate IT departments who want to perform these attacks. Problem is they've now screwed everybody else over, and given attackers an easy way to bypass defences (Which is generally the opposite of what you want to do)
[QUOTE=RaTcHeT302;47176162]Kinda unrelated but do Lenovo laptops have tons of bloatware too? I know my Toshiba had lots of it when I had first gotten it, when I was able to I reformatted it and I've put up Windows 8 on it ever since.[/QUOTE] Depends how much "tons of bloatware" is for you. When I got my laptop all it had was a bunch of win8 apps and Norton so you could delete everything easily.
[QUOTE=Levelog;47174355]Everything after the * *20 series kinda went to shit. Some *30's like the T430 is alright, but still not as good.[/QUOTE] The X230 is sub-par. My only gripe is the rattly bezel from Lenovo's half-assed repair job and the fact mine was meant to be configured with a 6205 rather than a shit N2200 which is notorious for weak connections. Ended up having to use a wifi dongle.