Security expert Kenn White showed Superfish's proxy certificates in action in a Twitter post today. White's photo shows a certificate issued to Bank of America, but issued by Superfish, rather than by a trusted root certificate authority such as VeriSign. The nature of Superfish, a program capable of inspecting web traffic and sending that data onwards for advertising purposes, means that hackers could potentially access information transmitted across supposedly secure connections — online stores and banking sites, for example, that have https:// in their URLs and display a lock in users' browsers. Superfish has used the same private key for its root certificate on every Lenovo PC that comes preloaded with its adware. If someone were able to extract this key, they could create certificates or malware that all Lenovo machines would trust.
This is a problem. #superfish pic.twitter.com/jKDfSo99ZR
— Kenn White (@kennwhite) February 19, 2015
Lenovo defends its actions, claiming Superfish's technology is innocuous, but says it's no longer pre-installing the adware on new PCs and the existing copies will be removed via a software update.