It hasn’t been a great week for Lenovo, but who can feel bad for it? Last week, it was discovered that the company has, in recent months, preinstalled a piece of adware called ‘Superfish’ onto many of its shipping PCs. It seemed like a simple ad-injector at first, but it didn’t take long before it was discovered that it introduces a serious flaw: a crippled SSL implementation.
To be more effective, Superfish employs an engine from Komodia which can intercept secure traffic. In a proper implementation, such interception is meant to stop malicious content from coming through on an encrypted connection. That’s good; what’s bad is when the implementation is so poor that it could allow people to eavesdrop on your secure traffic. Forget about Google searches; think about your bank information floating about.
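Software that intercepts HTTPS traffic the way the article describes has to plant its own root certificate in the machine’s trust store so that the certificates it forges are accepted. The script below is an added example for checking a Windows PC for that kind of root; it is not code from the article, from Lenovo or from Komodia. The `*Superfish*` and `*Komodia*` subject patterns are assumptions based on the vendor names in the article rather than confirmed certificate strings, so the more general check, a trusted root whose private key is present on the local machine, is the one to rely on: a legitimate public CA never ships its signing key with the certificate.

```powershell
# Added example (not from the article): audit the Windows trust stores for
# roots typical of local TLS-interception software.
$patterns = @('*Superfish*', '*Komodia*')   # assumed name patterns, not confirmed subjects
$stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # Match on the assumed vendor names in subject or issuer.
        $nameHit = ($patterns | Where-Object {
            $cert.Subject -like $_ -or $cert.Issuer -like $_
        }) -ne $null

        # A root CA with its private key on this machine can sign
        # certificates for any site this PC trusts; that is the hallmark of
        # an interception proxy rather than a public CA.
        $keyHit = $cert.HasPrivateKey

        if ($nameHit -or $keyHit) {
            [PSCustomObject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Reason        = if ($nameHit -and $keyHit) { 'name+key' }
                                elseif ($nameHit) { 'name' } else { 'private key present' }
            }
        }
    }
}
```

Run it in an elevated PowerShell session so the LocalMachine store is fully readable; an empty result means neither pattern matched and no trusted root carries a local private key. Removing a flagged root from the store is only half the fix, because the intercepting software will re-add it on next start; uninstall the software first, then purge the certificate.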
As Ars Technica has reported, it’s not just Lenovo at fault here. Even Lavasoft has admitted that one of its security products made use of the Komodia engine.
On one hand, we have a company that preinstalled a major flaw on its customers’ PCs (not on purpose, I must stress) for monetary gain, and on the other, we have a provider of security software failing to actually make sure that its solution didn’t have a glaring hole – and let’s be honest: a hole like that shouldn’t have been hard for security experts to find.
We posted earlier about NVIDIA being slapped with a class action lawsuit for misleading its customers, but here’s one that has some real importance. Whether or not Lenovo knew of the security impact Superfish would have on its customers’ PCs, it went ahead and installed it without doing its research first. The crippled user security on these PCs was the direct result of incompetence, plain and simple.
What do you think will be worse? Lenovo’s tarnished name? Or the fine that could stem from this lawsuit?