Superfish agrees to pay $1 million to settle a class-action privacy lawsuit


The class action lawsuit was brought on behalf of consumers who purchased Lenovo notebooks in late 2014 and early 2015 and alleges that Lenovo bundled Superfish’s “VisualDiscovery” ad-serving software with notebooks which contained security flaws.

Superfish is a program that inserts ads into a variety of Web pages including secure HTTPS pages. To do so, Superfish tinkers with Windows’ cryptographic security, according to numerous reports. But breaking encryption also paves the way for hackers to intercept sensitive data, including passwords and online banking credentials.

Lenovo named in class action lawsuit over installation of Superfish software in its laptops

This class action is brought on behalf of purchasers of Lenovo laptop computers and seeks to redress the deliberate and virtually unprecedented actions of Lenovo and its co-conspirator, Superfish, of secretly installing intrusive, malicious and dangerous software onto Lenovo computers before selling them to unwitting consumers throughout the country. The software, known as “Superfish Visual Discovery” (“Superfish Software”), was designed by Superfish to intercept secure Web connections between the user’s computer and Web sites and inject content, such as unsolicited ads, into those connections so that they would display on the user’s screen.

The Superfish Software operates by adding a “trusted root certificate” to the “root stores” used by the computer’s internet browser, e.g. Windows Explorer or Firefox, telling the browser that the site can be trusted. This allows the Superfish software to effectively create a fake ID for any website, so that it can convince the browser that it is connected to the real website, when it is actually connected to Superfish.

As a result of the installation and operation of the Superfish software, users of the infected computers are subject to slower processing speeds and diminished storage space on their computers. In addition, they are subjected to unsolicited images and advertisements purporting to be responses from the websites to which they intended to connect, when they are actually fake images and advertisements selected by Superfish. The process used by Superfish also involves the monitoring of user activity and the collection of personal information for uploading to Superfish, so it can be analyzed for the purpose of selecting advertisements to be injected into legitimate websites, thereby compromising the security and privacy of Lenovo users.

Beyond the above-described injuries, the manner in which Superfish operates seriously undermines the security features of infected computers in ways that make them extremely vulnerable to attack from third parties other than Superfish. Because Superfish replaces legitimate site certificates with its own certificate, users will not receive the notification that they otherwise would of the expiration of a website’s certificate or of the fact that the site’s certificate has been tampered with or is counterfeit. In essence, any user of a Lenovo computer on which the Superfish software has been installed is stripped of the ability to trust any secure internet connection that they attempt to make.

Superfish uses the same certificate for every site, making it vulnerable to being hijacked by third parties who identify the password for the “private key.” Anyone who does so is able to sign websites and software in a manner that would be trusted by any infected Lenovo computer. And the password Superfish used is a common dictionary word and the name of a manufacturer of related software, which was easily cracked and has been published on the Internet. As a result, every user of a Lenovo computer on which Superfish has been installed is vulnerable to having their passwords, encrypted keys and confidential information stolen by third parties.
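The practical check for the “trusted root certificate” described above is to look for it in the Windows root stores. The following PowerShell is an added example, not part of the article or the complaint; it assumes the Superfish root’s Subject or Issuer field contains the string “Superfish”.

```powershell
# Added example (not from the article or the complaint): look in the Windows root
# stores for a root certificate naming Superfish, then (optionally) remove it.
# Assumption: the Superfish root's Subject/Issuer field contains "Superfish".
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'

$suspect = Get-ChildItem -Path $stores |
    Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }

if (-not $suspect) {
    Write-Output 'No Superfish root certificate found in the Windows root stores.'
    return
}

foreach ($cert in $suspect) {
    # A self-signed root has identical Subject and Issuer; report where it lives
    # so the store (machine vs. user) and the exact thumbprint are on record.
    Write-Output ('FOUND  Store={0}  Subject={1}  Thumbprint={2}  NotAfter={3}' -f
        $cert.PSParentPath, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}

# Removal needs an elevated shell for the LocalMachine stores. -WhatIf only
# previews the deletion; drop it to actually remove the entries.
$suspect | Remove-Item -WhatIf
```

Firefox keeps its own certificate store, so this check does not cover the Firefox case the complaint mentions, and removing the root certificate does not by itself uninstall the VisualDiscovery program.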

As alleged, the presence and operation of the Superfish software was not disclosed to purchasers of Lenovo computers and was not reasonably detectable by them, thereby allowing Superfish to engage in the process of injecting unsolicited ads and images on end users’ computers without their knowledge or prior approval. Superfish profited from this arrangement by payments from clients whose products or services were featured in the advertisements injected into websites that users visited.

The class action contends that Lenovo profited from its conduct as alleged herein by a direct payment from Superfish, under an agreement whereby such payment would be made in exchange for the secret installation of Superfish software on Lenovo computers, permitting Superfish access to consumers’ internet communications and private information without having to obtain the consent of such consumers. Purchasers of Lenovo laptop computers infected with Superfish software gained no meaningful benefit from the installation and operation of Superfish on their computers, and, in fact, were harmed by such actions.