DHS: 'Superfish' flaw in computers goes all the way back to 2010

The government is urging anyone who has purchased a Lenovo computer since 2010 to remove a software program called “Superfish” from their devices.

Earlier this week, security researchers discovered the software could be easily co-opted by hackers and used to snoop on users’ web traffic, collect personal data and imitate websites.

Previous reports had said Lenovo, the world’s largest PC maker, started receiving complaints about the software in the middle of 2014.

Friday’s warning from the Department of Homeland Security (DHS) significantly expands the number of potentially affected consumers.

“Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken,” the DHS said.

Superfish is meant to provide users with individually tailored ads while browsing the web. To inject those ads into encrypted (HTTPS) pages, the software installs its own root certificate in the computer’s trusted certificate store, so the browser treats anything signed with it as legitimate, and that trusted position is what makes it desirable to cyber thieves.

Lenovo has admitted it “didn’t do enough” to examine the software before deciding to pre-install it on its laptops and is working on a tool to eradicate “all traces” of Superfish from computers, which goes a step beyond simply uninstalling the software.

In the meantime, the DHS said users need to move on their own.

Until they do, hackers can use the trust Superfish has installed on the machine to sit between the browser and the websites it visits, reading and altering traffic without the browser raising any warning, in what's known as a "man-in-the-middle" attack.

In the extreme, it could allow cyber crooks to create fake websites that lure users into giving up their personal information.

“Websites, such as banking and email, can be spoofed without a warning from the browser,” the DHS said.
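Since the DHS advisory leaves removal to users, a practical first check on an affected Windows machine is to look for the Superfish root certificate in the trusted root stores. The script below is an added example, not part of the DHS advisory or Lenovo's removal tool; it assumes the certificate's Subject or Issuer field contains the string "Superfish" (the well-known certificate is issued to "Superfish, Inc."), and the function names are the author's own.

```powershell
# Added example (not from the DHS advisory or Lenovo): look for a Superfish
# root certificate in the Windows trusted root stores and optionally remove it.
# Assumption: the certificate's Subject or Issuer contains "Superfish".
function Find-SuperfishRootCert {
    [CmdletBinding()]
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]$Pattern = 'Superfish'
    )
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey   # a root with a local private key can sign for any site
                    Path          = Join-Path $store $_.Thumbprint
                }
            }
    }
}

# Remove every match. Supports -WhatIf so the deletion can be previewed first;
# the LocalMachine store needs an elevated (Administrator) prompt.
function Remove-SuperfishRootCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Find-SuperfishRootCert | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Path, 'Remove trusted root certificate')) {
            Remove-Item -Path $_.Path
        }
    }
}

$found = Find-SuperfishRootCert
if ($found) {
    $found | Format-Table -AutoSize
    # Remove-SuperfishRootCert -WhatIf   # preview, then run again without -WhatIf
} else {
    Write-Host "No certificate matching 'Superfish' found in the Windows Root stores."
}
```

Two caveats: removing the certificate stops the silent spoofing the DHS describes, but it does not uninstall the ad-injecting program itself, which is why Lenovo's tool aims at "all traces" rather than the certificate alone; and Firefox keeps its own certificate store separate from Windows, so a clean result here does not cover that browser.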