Chinese computer maker Lenovo is in damage-control mode after being forced to remove Superfish, hidden pre-installed adware, from its laptops and PCs.
Writing in the New York Times, software engineer David Auerbach said that, by installing a single self-signed root certificate, Lenovo intentionally poked a gigantic hole in browser security, allowing anyone on a user's Wi-Fi network to hijack the browser and collect bank credentials, passwords and any other data typed into the device.
Other experts told the BBC the hidden software was also injecting adverts into browsers using techniques more akin to malware.
The US Administration has urged all Lenovo customers to disable the adware, saying it leaves users vulnerable to cyberattacks.
An alert from the Department of Homeland Security said users are vulnerable to SSL spoofing attacks, in which remote attackers can read encrypted Web traffic and redirect traffic from official Web sites to spoofed ones.
Lenovo said it removed Superfish from preloads of new consumer systems in January and stopped Superfish from activating on existing Lenovo machines.
The Chinese company has blamed the vulnerability on Israel-based Komodia, which built the application.