
Lenovo’s Superfish nightmare is a sign that marketing tech has gone too far

Drawing of big fish eating little fish
Image Credit: Shutterstock



The revelation that Lenovo has loaded harmful adware onto some of its laptops has sparked a discussion about whether marketing tech has crossed a line.

Lenovo’s customers have been complaining for months about a program that puts product plugs in search results. The software that enables these ads is called Superfish and came preinstalled on some of Lenovo’s laptops. While the marketing itself was annoying for customers, it turns out the adware was also dangerous.

A security researcher at Errata Security discovered that he could extract the Superfish root certificate that the software adds to the laptop's list of trusted certificate authorities, together with the private key that belongs to it. Superfish uses that key to sign a fresh certificate for every HTTPS site the user visits, so the machine accepts Superfish's man-in-the-middle copy of the site as genuine. Because the same key ships on every affected laptop, anyone who extracts it can sign certificates that those machines will trust. As a result he was able to post up at a coffee shop with free Wi-Fi and intercept the encrypted web traffic of anyone using an affected Lenovo computer.

“It’s not just bad what they’ve done — it’s certainly questionable to begin with — but they’ve subverted the way SSL works and they’ve done it in a way that other people can exploit,” said Joe Siegrist, CEO of security firm LastPass. In the wake of Superfish’s unveiling, LastPass has launched a website that will let Lenovo users know whether they’re infected and if so, steps they can take to remove Superfish.
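A quick way to run that check yourself on a Windows machine, as an added example that is not LastPass's or Lenovo's own code: list any certificate in the trusted-root stores whose subject names Superfish. It assumes the Superfish certificate's Subject field contains the string "Superfish". The removal line is left commented out because deleting from the LocalMachine store needs an elevated prompt and should come after uninstalling the Superfish application, which otherwise re-adds the certificate.

```powershell
# Added example (not from the original article): look for the Superfish root
# certificate in the Windows machine-wide and per-user trusted-root stores.
# Assumption: the certificate's Subject contains "Superfish".
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the trusted-root stores.'
} else {
    Write-Output 'Superfish root certificate present; HTTPS interception is possible on this machine:'
    $found | Format-Table -AutoSize

    # Removal: uninstall the Superfish application first, then, from an
    # elevated prompt, delete each certificate by store path and thumbprint.
    # $found | ForEach-Object { Remove-Item -Path ('{0}\{1}' -f $_.Store, $_.Thumbprint) }
}
```

Firefox keeps its own certificate store rather than using the Windows one, so a clean result here does not cover that browser; check its certificate manager separately.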


Siegrist says this isn't the first time that marketing tech has made consumers vulnerable to hackers. Back in 2005, security experts realized that Sony BMG music CDs silently installed a rootkit on any computer that played them, without the user's consent, as a digital rights management tool. But the rootkit also hid files from the operating system, which opened a security hole: other malware could use the same cloaking to hide on your system, and you wouldn't know it.

It was a fiasco similar to the one Lenovo is facing, and it called into question whether a large corporation had gone too far to protect its bottom line.

With Lenovo, the question is slightly different: How invasive do marketers get to be before they cross the line?

As our attention is increasingly fixed on a screen, mobile or otherwise, marketers are refining the ways they get ads in front of our eyes. Targeted advertising and tracking of web activity are among those methods. They are another annoying marketing measure that also has potential consequences for customers. To track you, marketers deploy tags on webpages: small scripts that the page loads from the tag provider's servers, so a compromise of that provider reaches every site that embeds its tag.

“If the provider of that tag is compromised, then your data can be compromised. But even that is a different level,” said Siegrist.

He said that what makes the tag hack less severe is that the person deploying the tag will know when they’ve been compromised and can apply a fix. But it does still potentially put consumers at risk — and at what cost?

Siegrist hopes that this will be a wakeup call to companies and marketers that deploying undisclosed malware to sell ads is not OK.

“As soon as you put people in any danger, you’ve gone too far, and that has to be the line that this has gone too far.”
