Computer manufacturer Lenovo has been under fire lately after news of an ad-injecting software,
known as Superfish, was discovered to come pre-installed on some of its laptops.
The issue, which was ongoing for several months, posed significant risk to affected users, as the software installed self-signed root certificates capable of intercepting HTTPS encrypted traffic.
Recently, however, security researchers revealed that the software library Superfish uses – developed by an Israel-based company called Komodia – is also present in more than a dozen other software products, including parental control software, and alleged privacy-enhancing and ad-blocking software.
Electronic Frontier Foundation (
EFF) researchers Joseph Bonneau and Jeremy Gillula disclosed some of their research in a
blog post on Wednesday, stating that anyone with “a little technical know-how could intercept and modify otherwise secure HTTPS traffic.”
“We searched the
Decentralized SSL Observatory for examples of certificated that Komodia should have rejected, but which it ended up causing browsers to accept, and found over 1,600 entries,” wrote the researchers.
The affected domains included many highly-trafficked and sensitive websites, such as Google (including mail.google.com, accounts.google.com and checkout.google.com); Yahoo (including login.yahoo.com); Bing; Amazon; eBay; Twitter; Netflix; Windows Live Mail; as well as several banking and insurance websites.
“While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did. Thus it’s possible that Komodia’s software enabled real MitM attacks, which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys.”
In addition, the researchers noted that Komodia is not the only software vendor vulnerable to these attacks. A supposed privacy protection software called
PrivDog was also found to include a flaw that signed all certificates, whether they were valid or not.
“For users, we’ve learned that you can’t trust the software that comes pre-installed on your computers—which means reinstalling a fresh OS will now have to be standard operating procedure whenever someone buys a new computer,” read the blog post.
Nonetheless, Bonneau and Gillula point out that the most important lesson following the Superfish debacle is that they “should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk.”
