Are You at Risk from Superfish? Check Now.

News broke on Wednesday, February 18th that Lenovo devices had shipped with adware that may compromise secure connections to websites and leave sensitive consumer information exposed. Use our tool now: www.LastPass.com/superfish to check if you were affected by the Superfish vulnerability.

What is the Superfish vulnerability?

A software known as Superfish Visual Discovery was pre-installed on Lenovo products over the last two years. The Superfish software pushes ads in Google search results and websites that “help users find and discover products visually”. However, it was discovered that the Superfish software was installing its own self-signed Root Certificate Authority so that the Superfish software always appears as a trusted party. The Superfish software would have the ability to then intercept supposedly-secure communications to websites via a man-in-the-middle attack. Researchers also confirmed that hackers on the same network, like an open WiFi hotspot at a coffee shop, can exploit Superfish to steal things like your banking login details or to read your emails.

How does this affect LastPass?

LastPass uses SSL as an extra layer of protection, in addition to other encryption layers. If you logged in via the LastPass extension, there is no additional risk from a local man-in-the-middle attack. If you logged in via the LastPass.com website, the risk is slightly greater, but we have no cause to believe LastPass users are at risk. We have no indication this vulnerability has been targeted to LastPass users, and the original goal of this malware was to serve advertisements.

Take action now to protect yourself from Superfish.

The good news is that Lenovo has stopped pre-loading Superfish as of January 2015. The bad news is that millions of Lenovo laptops were shipped with Superfish running on them (we don’t have a list of affected devices at this time). Superfish appears to impact Internet Explorer and Chrome on those Lenovo computers. Our Superfish checker: https://lastpass.com/superfish/ will verify if Superfish is running on your machine and tell you whether or not your system is at risk. If you’re affected by Superfish, you must first remove the Superfish program:

• Click the Windows Start button
• Search uninstall program
• Launch uninstall program
• Right-click on Superfish Inc VisualDiscovery and select Uninstall
• If prompted for administrator password, enter or provide confirmation

Then you must uninstall the Superfish certificates as well:

• Click the Windows Start button
• Type certmgr.msc into the Search box
• Click the certmgr.msc Program to launch it
• If prompted for administrator password, enter the password or provide confirmation
• Click on Trusted Root Certification Authorities
• Open Certificates
• Look for certificates mentioning Superfish Inc
• Right-click on any Superfish Inc certificates and delete
• Restart your browser

Once your system is clean:

• Download LastPass to start managing your passwords: www.LastPass.com
• Run the Security Check (from the Tools menu in your LastPass browser extension).
• Use Auto-Password Change to instantly update weak or duplicate passwords.
• Update other weak and duplicate passwords with the LastPass password generator.
• Update passwords for critical websites like email, banking, and social networks.

We also continue to update our LastPass Security Check tool to provide you with the latest information regarding vulnerabilities and your web accounts that are at-risk. We will continue to monitor the situation and update our community.