Chinese electronics company Lenovo has been in hot water this week after users of some of its laptops (the G40, Y40 and Y50 specifically) noticed sponsored links popping up in search results. The cause of the problem was a third-party browser add-on called Superfish, a Google Goggles-like visual search tool that Lenovo pre-installed on its machines without letting customers opt in. Worse, it didn’t even tell users it was there in the first place. Worse (again), Superfish apparently functions in the same way as a man-in-the-middle malware attack, inserting itself between users and whatever it is they’re doing. Even if it’s online banking. Oops.
Lenovo has now apologised for pre-installing Superfish on some of its products and wants to reassure its customers that the add-on will no longer run on affected machines and that it has learnt from its misstep. Many users expressed outrage at Lenovo for forcing the software on them, for failing to disclose it had done so, and for the possible security vulnerabilities the software could introduce to machines without the owner’s knowledge.
“We thought [Superfish] would enhance the shopping experience,” Lenovo said in a statement released on Friday morning. “It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologise for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.”
Lenovo claims it stopped pre-installing Superfish in January and that it also shut down the server connections that enabled the software. The company has also provided instructions on how to remove Superfish entirely from affected machines.
The company says it’s “working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future”.
Lenovo also wants to reassure the computer-buying public that the software was never installed on its top-end, enterprise-targeted ThinkPad range, nor on its desktops, smartphones or enterprise products. From the list below, though, it looks like it may have appeared on just about any of its other devices. Lenovo says any of the following devices may be affected:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Whether or not Superfish provided better search results for some users, the problem with Lenovo’s approach was not asking for their permission first, and that whole possible-malware thing. Claiming it was done to enhance users’ online shopping experience isn’t doing the company any favours, either, but at least it’s admitted guilt and addressed the problem head on. One has to wonder, however, what would’ve happened if Lenovo hadn’t been caught, what other questionable software might be installed on its machines, and how many other computer companies are entering into similar arrangements with third parties without informing their customers.
In the post-Snowden era, perhaps debacles like this one will serve to remind computer and mobile device companies that it is, in fact, better to ask for permission than forgiveness.