We’ve seen plenty of companies score own goals over the years, but this one is still quite a doozy. PCWorld reports that security researchers recently discovered that Lenovo has been shipping its new computers with man-in-the-middle adware installed that hijacks HTTPS traffic to inject its own ads onto encrypted sites.
While this kind of third-party ad injection is obnoxious enough on its own, PCWorld writes that it also creates major potential security vulnerabilities for end users.
Specifically, PCWorld says the adware “installs a self-generated root certificate into the Windows certificate store and then resigns all SSL certificates presented by HTTPS sites with its own certificate,” which creates “a weakness that hackers could potentially use to steal sensitive data like banking credentials or just observe your web surfing activities.”
This has predictably caused a pretty big public relations problem for Lenovo, which on Thursday put out a press release stating that it has disabled the adware on its computers and that it will no longer preload it onto its products. That said, Lenovo defiantly insisted that its decision to load the software onto its machines didn’t compromise user security.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” the company writes. “But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.”
Nonetheless, if you just bought a new Lenovo computer and want to make sure the offending adware is removed for good, PCWorld has a great step-by-step guide for removing it entirely.