This story just keeps getting worse for Lenovo. After getting called out for inserting additional ads into user's browsing experience and claiming to have disabled and stopped installing the offending software, Lenovo's "Superfish" adware has seen its certificate cracked by security researchers. The worst part is, it evidently was easy to break the app's security. The end result is that affect Lenovo computer users — and there are potentially hundreds of thousands of them — could see their computers needlessly exposed to attack.
Per computer security researcher Rob Graham:
"I extracted the certificate from the SuperFish adware and cracked the password ("komodia") that encrypted it. […] The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot."
The worst part is that the certificate was cracked using a run-of-the-mill dictionary attack, running through words in the dictionary until access was granted. And so, within 10 seconds, Graham was in and able to run "man-in-the-middle" traffic interception attacks on any affected Lenovo user with Superfish installed.
What's frightening about this sort of attack is that it offers access to your outgoing and incoming data. The attacker can simply record it, or can actually intercept and change what you're downloading or uploading, all without your knowledge.