Lenovo Bloatware Breaks HTTPS

Yep, the title says it all.

Link to Hackaday article, which contains further links for wider reading.


Lenovo has released a list of models that may have had Superfish installed.

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30]
1 Like

I love how quickly they backpedaled, and claim the intended use was:

"..to help customers potentially discover interesting products while shopping." 

This is why I don't buy off the shelf or let anyone else install my OS.

And I was just about to get a MIIX to use with my bluetooth keybaord for school. Good thing I didn't.

Its mentions it breifly in the link you provided, but they private key was cracked, here explains how it was done. http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

Of all things.. the password they used in their superior wisdom was "komodia"... a 7 letter password, and now all those lenovo laptops are potentially crippled.

You’re going to love this statement from the CEO of Superfish (the Bloatware in question)


link to arstechnica article.

I guess Windows Defender has already been updated to remove it.

As if the fairly recent rumors of the Chinese compromising Lenovo wasn't enough to disuade people from buying their products.




Protip: Don't buy Lenovo.

Am I missing something? I recently bought the miix 2 11" and simply uninstalled superfish and all other bloatware as I think is pretty standard practice when buying a any device. I realize its a real shitty thing for a company to have installed but I like the hardware so I bought it anyway.