Lenovo's Superfish adware drew a lot of anger and criticism last week to the point where the software was immediately disabled and the company promised it would not upload it in future releases. Even with Superfish disabled and Lenovo's assurance that there were no vulnerabilities associated with the software, the effect on affected products is irreversible. In the wake of the incident, a class-action lawsuit was filed against Lenovo last week which could put the company in jeopardy.
The class-action suit, with blogger Jessica Bennett as the plaintiff, was filed at the U.S. District Court in the Southern District of California. Bennett claims that Lenovo invaded her privacy and made a profit by keeping track of her online browsing.
She initially noticed the problem when she wrote a blog post for a client's website with the website featuring spam ads "involving scantily clad women." Further investigation by Bennett on other websites showed more pop-up ads, which led her to believe her Yoga 2 was compromised or contained spyware. She eventually found the source on the Lenovo forums in the form of the company's Superfish software.
Superfish worked by placing ads in search engines and other websites without the user's permission. It also made secure connections vulnerable because of the company's own root certificate, which would replace a secure site's own certificate. Even though the software is now deactivated, those who had Superfish on their Lenovo devices are still vulnerable to hackers who can monitor user traffic and steal important banking credentials.
Another law firm also opened up a class action lawsuit against Lenovo and is encouraging customers to reach out if they want to participate. Both cases are still in their early stages, so the process could take some time before Lenovo gets its day in court. But with Lenovo potentially fighting a legal battle on two fronts, the company seems to be taking a turn for the worse, with the trust of customers slowly fading away.