Are You at Risk from Superfish? Check Now.

February 19, 2015 | Security News
LastPass Now Checks If You're Affected by the Superfish Vulnerability

News broke on Wednesday, February 18th that Lenovo devices had shipped with adware that may compromise secure connections to websites and leave sensitive consumer information exposed.

Use our tool now to check whether you were affected by the Superfish vulnerability: www.LastPass.com/superfish

What is the Superfish vulnerability?

Software known as Superfish Visual Discovery was pre-installed on Lenovo products over the last two years. Superfish injects ads into Google search results and other websites, ads that “help users find and discover products visually”.

However, it was discovered that Superfish also installs its own self-signed root certificate authority into the system’s trusted root store, so that anything signed by Superfish always appears as a trusted party. Superfish can then intercept supposedly secure (HTTPS) connections to websites via a man-in-the-middle attack. Researchers also confirmed that hackers on the same network, such as an open WiFi hotspot at a coffee shop, can exploit Superfish to steal things like your banking login details or to read your emails.

How does this affect LastPass?

LastPass uses SSL as an extra layer of protection, in addition to its other encryption layers. If you log in via the LastPass browser extension, there is no additional risk from a local man-in-the-middle attack. If you log in via the LastPass.com website, the risk is slightly greater, but we have no cause to believe LastPass users are at risk. We have no indication that this vulnerability has been targeted at LastPass users, and the original goal of this malware was to serve advertisements.

Take action now to protect yourself from Superfish.

The good news is that Lenovo has stopped pre-loading Superfish as of January 2015. The bad news is that millions of Lenovo laptops were shipped with Superfish running on them (we don’t have a list of affected devices at this time). Superfish appears to impact Internet Explorer and Chrome on those Lenovo computers.

Our Superfish checker, https://lastpass.com/superfish/, will check whether Superfish is active on your machine and tell you whether or not your system is at risk.

If you’re affected by Superfish, you must first remove the Superfish program:

  • Click the Windows Start button
  • Search for “Uninstall a program”
  • Launch “Uninstall a program”
  • Right-click on Superfish Inc VisualDiscovery and select Uninstall
  • If prompted for an administrator password, enter it or provide confirmation

Then you must remove the Superfish certificates as well:

  • Click the Windows Start button
  • Type certmgr.msc into the Search box
  • Click the certmgr.msc Program to launch it
  • If prompted for an administrator password, enter it or provide confirmation
  • Click on Trusted Root Certification Authorities
  • Open Certificates
  • Look for certificates mentioning Superfish Inc
  • Right-click on any Superfish Inc certificates and select Delete
  • Restart your browser
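The same check the certmgr.msc steps above perform by hand, as an added PowerShell example (not part of the original LastPass post): it lists any certificate in the machine-wide or per-user Trusted Root Certification Authorities store whose subject or issuer mentions Superfish, and shows what a removal would delete without actually deleting it. The store paths are the standard Cert: drive locations; removing from LocalMachine requires an elevated prompt.

```powershell
# Added example, not the LastPass post's own code.
# Inspect both trust stores that Internet Explorer and Chrome rely on.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish'
    } | Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $hits) {
    Write-Output 'No Superfish root certificates found in the Windows trust stores.'
}
else {
    # Review this list before removing anything.
    $hits | Format-Table -AutoSize

    foreach ($h in $hits) {
        # -WhatIf only reports what would be deleted; drop it to perform the removal.
        Remove-Item -Path "$($h.Store)\$($h.Thumbprint)" -WhatIf
    }
}
```

This only inspects the Windows certificate stores; Firefox keeps its own certificate store, which this script does not touch.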

Once your system is clean:

  • Download LastPass to start managing your passwords: www.LastPass.com
  • Run the Security Check (from the Tools menu in your LastPass browser extension).
  • Use Auto-Password Change to instantly update weak or duplicate passwords.
  • Update other weak and duplicate passwords with the LastPass password generator.
  • Update passwords for critical websites like email, banking, and social networks.

We also continue to update our LastPass Security Check tool to provide you with the latest information regarding vulnerabilities and your web accounts that are at risk. We will continue to monitor the situation and update our community.

16 Comments

  • humblepie says:

    Refreshing the Lastpass page for detecting this thing isn’t as effective as re-launching the page. At least that’s my experience. I uninstalled PrivDog Firefox add-on (plus uninstalled from Windows applications too) and restarted browser. Refreshing the Lastpass detector indicated Superfish was still an issue. But when I went back to the original article and selected the link to check for Superfish, my system was said to be clean.

  • humblepie says:

    So Lastpass site detects Superfish, yet Superfish does not show up in my programs list. Now what? Thanks.

    • humblepie says:

      To begin with, both Lastpass’ superfish detector and https://filippo.io/Badfish/ indicated this was an issue for me. I then uninstalled PrivDog Firefox add-on. At this point, the filippo.io site indicates I’m clean, but Lastpass’ superfish detector still indicates I’m vulnerable. I did not find any references to Superfish in certificate store either in Windows or within Firefox. Now I’m not sure what to think. Any clues? Thanks.

  • Deb says:

    Have 3 browsers on my phone, Lastpass is showing “at risk” but the other 2 are safe. Which one is correct? Does Superfish affect phones?

    • Joe Siegrist says:

      It will show as unsafe if it’s showing images with invalid certs — did the browser ask if it was okay to show insecure content? If not, that’s a big bug that needs to be reported and fixed.

  • Moot says:

    Why is the Android LastPass app/browser showing a positive (at Risk)???

    • Joe Siegrist says:

      If you accepted SSL certificate warnings you’ll show up as insecure (because you insecurely loaded the image) — we’ve avoided that for Android for now. If you did this for another browser, restart your browser or phone and don’t say yes to SSL warnings on this page.

  • Hal DeVore says:

    Superfish affects more than Windows systems. The Last Pass app / browser on my Android (Lollipop) tablet is testing as affected by superfish. I’m looking for info on certificate removal for Android.

    • Joe Siegrist says:

      If you accepted SSL certificate warnings you’ll show up as insecure (because you insecurely loaded the image) — we’ve avoided that for Android for now. If you did this for another browser, restart your browser or phone and don’t say yes to SSL warnings on this page.