Superfish was an advertising company that developed various advertising-supported software products based on a visual search engine. The company was based in Palo Alto, California.
It was founded in Israel in 2006 and has been regarded as part of the country's "Download Valley" cluster of adware companies. Superfish's software is malware and adware.
The software was bundled with various applications as early as 2010, and Lenovo began to bundle the software with some of its computers in September 2014.
On February 20, 2015, the United States Department of Homeland Security advised uninstalling it and its associated root certificate, because they make computers vulnerable to serious cyberattacks, including interception of passwords and sensitive data being transmitted through browsers.
History
Superfish was founded in 2006 by Adi Pinhas and Michael Chertok. Pinhas is a graduate of Tel Aviv University. In 1999, he co-founded Vigilant Technology, which "invented digital video recording for the surveillance market", according to his LinkedIn profile. Before that, he worked at Verint, an intelligence company that analyzed telephone signals and had allegedly tapped Verizon communication lines. Chertok is a graduate of Technion and Bar-Ilan University with 10 years of experience in "large scale real-time data mining systems".
Since its founding, Superfish has used a team of "a dozen or so PhDs" primarily to develop algorithms for the comparison and matching of images. It released its first product, WindowShopper, in 2011.
WindowShopper immediately prompted a large number of complaints on Internet message boards, from users who did not know how the software had been installed on their machines.
Superfish initially received funding from Draper Fisher Jurvetson, and to date has raised over $20 million, mostly from DFJ and Vintage Investment Partners. ''Forbes'' listed the company as number 64 on their list of America's most promising companies.
Pinhas in 2014 stated that "Visual search is not here to replace the keyboard ... visual search is for the cases in which I have no words to describe what I see."
As of 2014, Superfish products had over 80 million users.
In May 2015, following the Lenovo security incident (see below) and to distance itself from the fallout, the team behind Superfish changed its name and moved its activities to JustVisual.com.
Lenovo security incident
Users had expressed concerns about scans of SSL-encrypted web traffic by Superfish Visual Search software pre-installed on Lenovo machines since at least early December 2014. This became a major public issue, however, only in February 2015. The installation included a universal self-signed certificate authority; that certificate authority allows a man-in-the-middle attack to introduce ads even on encrypted pages. The certificate authority had the same private key across laptops; this allows third-party eavesdroppers to intercept or modify HTTPS secure communications without triggering browser warnings, either by extracting the private key from any affected machine or by using a self-signed certificate.
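The trust failure behind the DHS advice, as an added Python illustration that is not Superfish, Komodia or Lenovo code: a toy certificate model with textbook RSA over small constructed primes, a dictionary that plays the role of the operating system's root store, and the single-level chain check a browser performs. Every key, the site name bank.example and the CA name "Interception Root (constructed name)" are constructed for the example. It shows that a certificate minted with the shared root key is accepted on any machine carrying that root, rejected on a clean machine, and rejected again once the root is removed (the mitigation DHS recommended); unexpected_roots is the matching audit step, comparing installed roots against a vendor baseline. The same check applies to the VisualDiscovery proxy described under Products.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA over small, fixed primes: insecure by design, used only to make the
# trust logic concrete. The primes are constructed constants, not keys from any real system.
E = 65537


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for textbook RSA with the given primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)


def verify_sig(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str        # hostname, or the CA's own name for a root
    issuer: str         # name of the CA that signed this certificate
    public_key: tuple   # subject's public key (carried along, not used by the chain check)
    signature: int      # issuer's signature over the to-be-signed fields

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.public_key}"


def issue_cert(subject, subject_public, ca_name, ca_private):
    """Whoever holds ca_private can bind any subject name to any key under ca_name."""
    unsigned = Cert(subject, ca_name, subject_public, 0)
    return Cert(subject, ca_name, subject_public, sign(ca_private, unsigned.tbs()))


def verify_cert(cert, expected_host, trust_store):
    """What a browser does: issuer must be an installed root and its signature must check out."""
    if cert.subject != expected_host or cert.issuer not in trust_store:
        return False
    return verify_sig(trust_store[cert.issuer], cert.tbs(), cert.signature)


def unexpected_roots(trust_store, baseline):
    """Defender check: roots present on a machine that are not in the vendor/OS baseline."""
    return sorted(name for name, key in trust_store.items() if baseline.get(name) != key)


def demo():
    public_root_pub, public_root_priv = make_keypair(104729, 1000003)
    baseline = {"Public Root CA": public_root_pub}   # what a clean machine trusts

    # Legitimate site certificate signed by the publicly trusted root.
    bank_pub = make_keypair(104729, 15485863)[0]     # toy site key; only carried, never signs
    genuine = issue_cert("bank.example", bank_pub, "Public Root CA", public_root_priv)

    # The interception product: one self-signed root with the SAME private key on every laptop.
    rogue_name = "Interception Root (constructed name)"
    shared_pub, shared_priv = make_keypair(1299709, 15485863)
    laptop_store = dict(baseline, **{rogue_name: shared_pub})

    # A third party who recovers the shared key from one laptop can mint a certificate
    # for any host that every other affected laptop will accept without a warning.
    third_party_pub = make_keypair(1000003, 15485863)[0]
    forged = issue_cert("bank.example", third_party_pub, rogue_name, shared_priv)

    # The DHS mitigation: remove the root from the store.
    cleaned_store = {k: v for k, v in laptop_store.items() if k != rogue_name}

    return {
        "genuine_cert_on_clean_machine": verify_cert(genuine, "bank.example", baseline),
        "forged_cert_on_clean_machine": verify_cert(forged, "bank.example", baseline),
        "forged_cert_on_affected_laptop": verify_cert(forged, "bank.example", laptop_store),
        "forged_cert_after_root_removed": verify_cert(forged, "bank.example", cleaned_store),
        "roots_flagged_on_laptop": unexpected_roots(laptop_store, baseline),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two `forged_cert_*` results is that a signature check alone cannot tell the forged certificate from a genuine one; the only thing separating the affected laptop from the clean machine is the extra root in its store, which is why the audit in unexpected_roots, not a stronger TLS check, is the detection that matters here.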
On February 20, 2015, Microsoft released an update for Windows Defender which removes Superfish.
In an article in ''Slate'', tech writer David Auerbach compared the incident to the Sony DRM rootkit scandal and said of Lenovo's actions, "installing Superfish is one of the most irresponsible mistakes an established tech company has ever made."
On February 24, 2015, ''Heise Security'' published an article revealing that the certificate in question would also be spread by a number of applications from other companies, including SAY Media and Lavasoft's Ad-Aware Web Companion.
Criticisms of Superfish software predated the "Lenovo incident" and were not limited to the Lenovo user community: as early as 2010, users of computers from other manufacturers had expressed concerns in online support and discussion forums that Superfish software had been installed on their computers without their knowledge, by being bundled with other software.
CEO Pinhas, in a statement prompted by the Lenovo disclosures, maintained that the security flaw introduced by Superfish software was not, directly, attributable to its own code; rather, "it appears third-party add-on introduced a potential vulnerability that we did not know about" into the product. He identified the source of the problem as code authored by the tech company Komodia, which deals with, among other things, website security certificates. Komodia was founded by Barak Weichselbaum, a former programmer for Israel's IDF Intelligence Corps. Komodia code is also present in other applications, among them parental-control software, and experts have said "the Komodia tool could imperil any company or program using the same code" as that found within Superfish. In fact, Komodia itself refers to its HTTPS-decrypting and interception software as an "SSL hijacker", and has been doing so since at least January 2011. Its use by more than 100 corporate clients may jeopardize "the sensitive data of not just Lenovo customers but also a much larger base of PC users". Komodia was closed in 2018.
Products
Superfish's first product, WindowShopper, was developed as a browser add-on for desktop and mobile devices, directing users who hover over browser images to shopping Web sites to purchase similar products. As of 2014, WindowShopper had approximately 100 million monthly users, and according to Xconomy, "a high conversion to sale rate for soft goods". Superfish's business model is based on receiving affiliate fees on each sale.
The core technology, Superfish VisualDiscovery, is installed as a man-in-the-middle proxy on some Lenovo laptops. It injects advertising into results from Internet search engines; it also intercepts encrypted (SSL/TLS) connections.
In 2014, Superfish released new apps based on its image search technology.
See also
* Browser hijacking
* Computer vision
* Concept-based image indexing
* Content-based image retrieval
* Image processing
* Image retrieval
* Malware