Researchers have found at least a dozen other products — including another tool that inserts ads into Web pages and parental control software — that subvert the HTTPS security protocol.
To function, these products trick computers into trusting a security certificate even if it wasn’t issued by a legitimate authority. This could let attackers execute man-in-the-middle attacks on affected devices (such as the Lenovo devices with Superfish pre-loaded) with relative ease.
Facebook’s Matt Richard, CloudFlare’s Filippo Valsorda, and Marc Rogers all claim these products use Komodia software to function. Komodia’s website is currently down, perhaps as the result of a distributed denial of service (DDoS) attack inspired by “recent media attention.”
Komodia’s software will reportedly cause Web browsers to accept any security certificate with the correct name inserted into the appropriate field, thus “lower[ing] the bar for successful exploitation of the serious vulnerability,” as Ars Technica put it in a recent report on the issue.
“What all of these applications have in common,” Facebook’s Richard said, “is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove.”
And the problems can persist even after the offending software has been removed. Lenovo devices from which Superfish has been uninstalled, for example, are still vulnerable to attack. The same could be true of the other products that undermine consumer security for profit.
Superfish was bad enough when it was thought to be swimming alone. Now we know there’s a whole school of software that introduces the same vulnerabilities to other consumers, and many of them probably don’t even know that attackers could steal information from them.
Put another way: There are a bunch of fish in the sea just looking for blood, and most people aren’t even aware that they’re swimming in dangerous waters. Superfish was just the start.