A little-known Silicon Valley startup was caught in a firestorm of criticism for making software that exposed Lenovo laptop users to hackers bent on stealing personal information.
But Superfish has also won praise for producing visual search technology that many see as the next big thing in online shopping.
Is Superfish an internet pioneer or a computer-user's privacy nightmare?
Either way, don't expect a mea culpa. Faced with a withering publicity barrage that could jeopardise any startup's future, Superfish CEO Adi Pinhas blamed another company for the security flaw and complained about what he called "false and misleading statements made by some media commentators and bloggers".
Researchers revealed last week that some laptops sold by China's Lenovo, the world's biggest PC maker, had a security flaw that could let hackers impersonate shopping, banking and other websites and steal users' credit card numbers and other personal data.
Lenovo has since apologised for pre-loading the computers with Superfish's visual search software, which captures images that users view online, such as a sofa or pair of shoes, and then shows them ads for similar products. By itself, the image recognition algorithm might not be a security risk. But the problem arose because Superfish used software from another company that can eavesdrop when internet users visit secure or encrypted websites.
That software replaced the security certificates presented by websites with its own, which several researchers found easy to break. The Department of Homeland Security issued an alert Friday saying Lenovo customers should remove Superfish software because of the hacking dangers.
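As an added example that is not part of the article and is not Lenovo's or Superfish's own tool, the following PowerShell audits the Windows trusted root stores for the pattern described above: a root certificate whose subject matches Superfish (the name match is an assumption about how the certificate is labelled), or any trusted root whose private key is present on the same machine, which is what local interception software needs in order to re-sign websites' certificates on the fly.

```powershell
# Added example, not code from the article or from Lenovo/Superfish.
# Audits the standard Windows trusted root stores for signs of a local
# TLS interception root. Assumptions: the Superfish root's subject contains
# the string "Superfish"; the store paths are the standard certificate
# provider paths. Run in an elevated PowerShell session.

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-InterceptionRoots {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $byName = $_.Subject -like '*Superfish*'
            # A trusted root normally has no private key on end-user machines;
            # a root with its private key present can sign certificates locally.
            $byKey  = $_.HasPrivateKey
            if ($byName -or $byKey) {
                [PSCustomObject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotBefore     = $_.NotBefore
                    HasPrivateKey = $_.HasPrivateKey
                    Reason        = if ($byName) { 'Subject matches Superfish' }
                                    else { 'Root has local private key' }
                }
            }
        }
    }
}

$findings = Find-InterceptionRoots
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Superfish root or locally keyed trusted root found.'
}
```

A hit from this audit confirms the certificate is trusted on the machine; it does not by itself remove the interception software, so the vendor's removal tool or a clean reinstall, as the article describes, is still the mitigation step.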
Superfish insists its own code is safe and said the security flaw was "introduced unintentionally by a third party". In an email to The Associated Press, Pinhas identified that party as Komodia, a tech startup based in Israel that makes software for other companies, including tools for companies that show online ads and for programs parents can use to monitor their children's web surfing.
Some experts say the problem may extend beyond Lenovo. The Komodia tool could imperil any company or program using the same code.
"It's not just Superfish, other companies may be vulnerable," said Robert Graham, CEO of Errata Security. Komodia CEO Barak Weichselbaum declined comment Friday.
Lenovo released a software tool Friday to help customers remove the Superfish code from their laptops. It can be found at http://support.lenovo.com/us/en/product-security/superfish-uninstall. But some experts say users may want to wipe their hard drives and start over, re-installing the Windows operating system.
That's not an easy task for casual users, said Westin, "but it's the best way to be completely sure."