A California woman has filed the first lawsuit against Lenovo and Superfish over the pair's adware debacle, claiming the "malware" injected smutty pictures into her web browser on her Yoga laptop.
A class-action filing [PDF] in the state's southern district court recounts how Jessica Bennett bought a Lenovo Yoga 2 laptop in late 2014 for work. She was writing a blog post for a client's website when she saw raunchy ads appearing on the site. She feared the blog had been hacked, and emailed her client to warn them of the compromise.
But then a few hours later, we're told, she surfed to another website and saw the same block of ads in her web browser – featuring "scantily clad women" – and began to suspect malware was tampering with her computer.
Bennett, of San Diego County, went into the customer support forums on Lenovo's website to find out what was going on. She read a January 30 posting by a user who blamed the Superfish software, but Lenovo had apparently denied it had anything to do with the program.
"I have spoken on two separate occasions with Lenovo phone support; both times they insisted that this Superfish software was not installed by Lenovo and that it is malicious and should be removed, at which time they offered to charge me either a one-time fee of $120, or sell me a monthly software support subscription," the user posted.
The following month Lenonope confessed that, yes, it was bundling the Superfish scumware with its laptops to "help customers potentially discover interesting products while shopping," while insisting there was nothing to worry about.
Superfish works by installing a root CA certificate on a user's Windows computer, and uses it to intercept their connections to websites, even encrypted connections. Ads are inserted into web pages to add to Lenovo's bottom line.
Unfortunately, the Superfish software can be exploited by miscreants to dress up password-stealing websites as legit sites, such as online banks and webmail. Anyone with the Superfish software installed browsing to, say, bankofamerica.com could in fact be looking at a malicious site masquerading as the bank, and the user would be none the wiser.
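The interception mechanism described above leaves a footprint an administrator can look for: a root CA sitting in the Windows trust stores that no public CA put there, in Superfish's case one whose private key was also present on the machine. The PowerShell function below is an added example and is not code from the article, Lenovo or Superfish; it assumes the vendor's name appears in the certificate subject (the `*Superfish*` and `*Komodia*` patterns are illustrative, constructed from the names in the article), and it treats any trusted root with a locally available private key as worth a second look, since a legitimate public CA never ships its signing key to end-user devices.

```powershell
# Added example (not from the article or from Lenovo/Superfish): inspect the
# Windows root certificate stores for interception roots of the kind the
# article describes. Run in an elevated PowerShell session to see the
# LocalMachine store fully.

function Find-SuspiciousRootCerts {
    param(
        # Assumption: the interception vendor's name is in the subject.
        # These patterns are constructed for illustration only.
        [string[]] $SubjectPatterns = @('*Superfish*', '*Komodia*')
    )

    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert    = $_
            $reasons = @()

            # Reason 1: the subject matches a known interception vendor name.
            foreach ($pattern in $SubjectPatterns) {
                if ($cert.Subject -like $pattern) {
                    $reasons += "subject matches $pattern"
                }
            }

            # Reason 2: a trusted root whose private key exists on this device.
            # Such a root can mint a certificate for any site the user visits,
            # which is exactly what makes a Superfish-style root exploitable.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present in local store'
            }

            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: list anything that matched, with the reason(s) it was flagged.
Find-SuspiciousRootCerts | Format-Table -AutoSize
```

The output is a triage list, not a verdict: enterprise TLS-inspection proxies and some endpoint security products install a local root with a private key in the same way, so a hit on the private-key check alone should be traced back to the software that created it before the certificate is removed. A hit on the vendor-name patterns, on the other hand, is a direct indicator of the bundled software this article is about.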
After security experts and the US government labeled the Superfish code, and the Komodia SSL redirection tool it used, as badware, Lenovo's CTO Peter Hortensius admitted the bundling was a mistake. The Chinese PC slinger created a removal tool, adding that proper due diligence had not been carried out.
That admission could now cost Lenovo dear. In the famously litigious Land of the Free™, lawyers started perking their ears up. Ms Bennett is unlikely to be alone in filing for damages against the Chinese giant, which has offices in Beijing, and in North Carolina in the US.
Her class-action filing reckons affected citizens should get up to $10,000 each from the PC giant, with costs paid by Lenovo. The total bill could be more than $5m, it's claimed.
Superfish, a Palo Alto-based small software biz, insists it has done nothing wrong and that its software is not a security hazard. Meanwhile, Komodia's website has been down with a distributed denial of service attack since the scandal broke and won’t be back up and running any time soon.
"Right now our main priority is working on fixes to the SDK; once it's ready we can deal with the site and DDOS attack, which is not a priority right now," founder Barak Weichselbaum told El Reg in an emailed statement. ®