Superfish Keeps Digging Deeper And Deeper Hole: Still Refuses To Acknowledge Seriousness Of What Its Software Did

from the first-rule-of-holes dept

I pointed out earlier that it was fairly astounding that Superfish was basically remaining mostly quiet on the whole controversy over its software. If you’ve been under a rock, earlier this week, the security community pointed out how Superfish’s software (installed by default on certain Lenovo laptops) created a massive security vulnerability. Superfish itself is adware, but that’s the least of the problems. The software doesn’t track your behavior like other adware, but instead tries to insert other buying options when you’re viewing images of certain products. It tries to find the same or similar products that you can buy for less and tell you about them. I could see how that might be interesting for some people on some shopping sites if they chose to use the software. But, by being a default bloatware install on Lenovo laptops, there was no choice. Furthermore, it apparently was trying to do this on every website. And that’s where the real problem came in.

Because many websites these days are encrypted via HTTPS (to better protect privacy), Superfish teamed up with a sneaky company named Komodia to install a really nasty and poorly implemented “trick.” It installed its own self-signed root certificate, and would then effectively offer up fake security certificates for ANY and EVERY HTTPS connection. And, of course, it used the same key on every install, and that key was easily cracked (password: komodia), meaning that anyone who had this installed was basically open to a massive and hugely dangerous man-in-the-middle attack on any HTTPS connection. That’s HUGE.
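One way a defender can tell whether the certificate a client actually sees was issued by a locally installed interception root rather than a public CA, as an added example (not code from the article, Superfish or Komodia): it classifies the peer certificate dict that Python's `ssl` module returns, flagging issuers that carry the names quoted on this page or a self-signed leaf. The marker names, the sample dicts and the `check_live` helper are assumptions constructed for the example.

```python
import socket
import ssl

# Names this page quotes as the interception vendor/product; an issuer carrying
# either means a local root signed the cert, not the site's real CA.
INTERCEPTION_MARKERS = ("superfish", "komodia")


def _name_to_dict(rdn_seq):
    """Flatten getpeercert()'s tuple-of-tuples name into {attribute: value}."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify_chain(cert):
    """Return ('intercepted', why) or ('ok', why) for one peer-cert dict."""
    issuer = _name_to_dict(cert.get("issuer", ()))
    subject = _name_to_dict(cert.get("subject", ()))
    issuer_text = " ".join(issuer.values()).lower()
    for marker in INTERCEPTION_MARKERS:
        if marker in issuer_text:
            return "intercepted", f"issuer names {marker!r}"
    if issuer == subject:
        return "intercepted", "leaf certificate is self-signed"
    return "ok", f"issued by {issuer.get('organizationName', '?')}"


def check_live(host, port=443):
    """Connect to host and classify the certificate this client actually sees.
    If the interception root is NOT in the store Python trusts, the handshake
    itself fails with a verification error, which is also a signal."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_chain(tls.getpeercert())


# Constructed sample certificate dicts in getpeercert() shape (not real certs).
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}
SAMPLE_OK = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Root"),)),
}

if __name__ == "__main__":
    for label, cert in (("sample 1", SAMPLE_INTERCEPTED), ("sample 2", SAMPLE_OK)):
        print(label, classify_chain(cert))
```

Name matching is only a heuristic; the robust check is to compare the issuer the client sees with the issuer seen from a machine that has no extra roots installed.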

And Superfish still won’t cop to it. Its website has nothing about this whole thing. Its Facebook page has nothing. Its Twitter feed only has that post from yesterday saying that Lenovo would soon be putting out a statement clarifying things — but Lenovo’s statement (which has changed over time) admits that there were problems and the company is working hard to remove all the damage that Superfish has done. And Superfish still doesn’t get it. Its latest press statement shows that the company is in total denial about what kind of mess it helped create. It is still defending the whole “adware” thing, rather than the security hole. And, its only comment on the security hole is “some other company did that.”

Superfish Statement from CEO

There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish’s software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.

This is not the time for your marketing speak. This is the time you apologize for putting many, many, many people at serious risk. Stop with the PR-sanitized “enhance their shopping experience.”

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side (i.e., Superfish’s search engine) in January 2015.

This statement is almost entirely pure bullshit. No one has complained about Superfish storing personal data, but it absolutely does present a security risk. A massive one. An incredibly humongous, cannot-be-overstated security risk. And Superfish says it “does not present a security risk”? Bullshit. And then to say “a vulnerability was introduced unintentionally by a 3rd party.” That’s passing the buck. Yes, it’s Komodia (which Superfish doesn’t name) who appears to have done this, but it’s Superfish who decided to use Komodia’s braindead stupid method of breaking HTTPS. Yes, you tested it, but your tests suck if you didn’t spot this kind of security mess.

Finally, disabling the software isn’t even the main part of the issue, since the dangerous root certificate still remained after that. And, yes, actions are now being taken to fix that, but no thanks to Superfish and its refusal to admit what happened.

Superfish takes great pride in the quality of its software, the transparency of its business practices, and its strong relationship with the Superfish user community. Superfish’s visual search technology enables millions of people to explore and learn about the world in an engaging and highly intuitive manner. A positive user experience has been the cornerstone of Superfish’s success.

Again, bullshit. If you took great pride in the quality of your software, you’d stop this marketing-speak and admit that you seriously screwed up and put many people at risk. Anyone with a modicum of understanding of how HTTPS and certificate systems work would recognize quickly what a dangerous situation this was, but neither Superfish nor Lenovo did. At least Lenovo now seems to be trying to make things right, while Superfish remains in total denial, hoping that a combination of mostly silence and bullshit “statements from the CEO” written by marketing are the way to solve this mess.

This is not how you solve a mess up of this size. You need to own it. You need to come clean and admit that you messed up, how you messed up, why you messed up and what you’re going to do to make sure it never, ever happens again. Superfish didn’t do that, and at this point it’s probably too late to try to turn that around.

Companies: komodia, lenovo, superfish


Comments on “Superfish Keeps Digging Deeper And Deeper Hole: Still Refuses To Acknowledge Seriousness Of What Its Software Did”

34 Comments
beltorak (profile) says:

and we thought technologically clueless lawmakers were the only bad thing we had to worry about

Yes, it’s Komodia (which Superfish doesn’t name) who appears to have done this, but it’s Superfish who decided to use Komodia’s braindead stupid method of breaking HTTPS. Yes, you tested it, but your tests suck if you didn’t spot this kind of security mess.

This goes beyond calling out that their tests suck. Maybe their tests do not. How many laptop provisioners have a line item in their test suite “does not expose user to massive MitM”? Probably none (arguments can be made that they should...)

This is purely and simply “technology and security cluelessness” in spades.

Because any halfway decent laptop provisioner should know the end result of what they are purchasing from their subcontractors. Even hearing a high level, 30,000 feet description of the process (“we inject ads into shopping sites for you by decrypting web sites and reencrypting it so the user doesn’t notice”) would have had any halfway competent neuron exposed to the security disasters in recent years lighting up like a distress flare. This conversation absolutely should have happened between superfish and komodia, or lenovo and superfish.

Being this ignorant of technology and security, for lawmakers and provisioners alike, is flat out unacceptable.

MO'B says:

I think I figured it out

Lenovo has in-house lawyers who don’t need extra work, so when they caught wind of this BS, they told Lenovo to StFU and make this go away ASAP!
StupidFish, on the other hand, has a lawyer that charges by the hour, and has told them to just deny and spin, deny and spin, all the while mentally spending the hoards of cash they will make when the first breach can be tied back to this fine product!
In that light, the continued denials make more sense!

jim says:

Re: I'm really glad of two decisions I made since I retired

What makes you think this only affects dos/windows? Never heard of Linux, or mac photography? One of the great things is offline storage, and photo interpretation done by third party online, that’s where I believe I’ve seen the ads for super fish before, even on my mint machine. Don’t have a Mac yet, but I would believe that feature would be available to them also. But it does sound like a neat feature, built in mitm attacks, I wonder if ad aware is on board with the companies or the consumers?

tracyanne (profile) says:

Re: Re: Never heard of Linux, or mac photography?

The “patented Technology” sounds very similar to the way KDE’s Semantic desktop is implemented, as it pertains to photo recognition in Digikam.

This particular instance, Superfish, is really just yet another example of the shenanigans you get throughout the Windows ecosystem.

The idea itself may be sound, but typically it is corporate interests that foist insecure or badly implemented software on unsuspecting users, where even technically proficient users are generally caught out, because the software is closed source/proprietary, and no one can easily inspect it, and no one but the proprietor can do anything about it, until it’s too late, and mostly the proprietor won’t do anything because the functionality that everyone hates is the feature they most want.

And unlike where there was a huge outcry at Canonical, for instance with their Dash search, and Canonical was very transparent about the whole process, mostly nothing gets done, because Corporate interests supersede user interests, and transparency is considered a bug, not a feature.

John Fenderson (profile) says:

Re: Re: Re: Never heard of Linux, or mac photography?

“The “patented Technology” sounds very similar to the way KDE’s Semantic desktop is implemented, as it pertains to photo recognition in Digikam.”

KDE’s “semantic desktop” has several serious security issues, it’s true. That’s why I have it disabled and recommend disabling it to everyone else as well.

Anonymous Coward says:

Superfish is all about transparency? So what was the nature of the deal they made with Lenovo? How much did they pay Lenovo? Where were they making money?

I posted a link earlier to an interview the Superfish CEO gave where he says they are a company of geniuses (14% have PhDs) and they don’t sugarcoat anything. If something sucks, they say so.

Well Adi Pinhas, your software sucks, your handling of this situation sucks, and now your brand has negative equity. It does look like neat technology, but if building it into adware / malware is where they are at, the company must be in pretty bad shape.

John Fenderson (profile) says:

Re: Re: Komodia is one guy...

Komodia is not a security company. It’s the exact opposite: they make spyware.

“It seems like the “security” industry (not just software but the TSA, etc.) is based mostly on snake oil and theater.”

That’s because the security industry (this is true whether it’s physical or digital security) has a long history of overstating their claims. However, if you ignore their hyperbole and deception, security companies do actually offer some real help in keeping yourself secure.

This is in contrast to the TSA, which I don’t think actually offers real help toward that end.

Paul Renault (profile) says:

US-Cert added an Alert for Superfish

https://www.us-cert.gov/ncas/current-activity/2015/02/20/Lenovo-Computers-Vulnerable-HTTPS-Spoofing

The Alert fingers Komodia Redirector’s SDK (Komodia is offline from a DDOS attack right now), as well as other vendors’ products:
http://www.kb.cert.org/vuls/id/529496
“.. the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys..”

Care to try to back up your claim that it’s safe, Mr. Pinhas?

John Fenderson (profile) says:

Topping Lenovo in extreme badness

Superfish’s transparent effort to put the blame on one of their suppliers (while claiming that their software doesn’t present a security risk) is even worse than Lenovo’s incredibly awful responses to the fiasco.

Both Superfish and Komodia have pretty shady histories. Komodia is to blame for creating incompetently implemented malware, Superfish is to blame for creating malware that includes Komodia’s incompetent engine, and Lenovo is to blame for using Superfish’s software.

There’s plenty of blame to go around here, Superfish. You aren’t doing yourself any favors by pretending that you don’t deserve a very large portion of it.
