By now this is old news but in case people here haven’t seen it yet, it’s pretty important.
The TL;DR is if you, or someone you know, has purchased a Lenovo computer recently, check “Programs and Features” for something called “Superfish”. If the computer has it on there, download Lenovo’s removal tool and run it. Then you are done.
Or if you want to do it manually, this is Lenovo’s support page for it: http://support.lenovo.com/us/en/product_security/superfish_uninstall
So the story behind this…
Lenovo shipped almost all of their units with software installed called Superfish. The software is ultimately adware that injects advertisements onto your webpages. The issue is that, because Lenovo put the software on the computer, it comes with a signed root certificate which allows Superfish to see and change anything it wants, including encrypted traffic. Basically it’s a man-in-the-middle where Superfish can create “legit” encryption certificates for the secure websites you log in to.
As if this wasn’t bad enough, the company that developed the software Superfish is using to make this possible (Komodia) left a massive security hole in the root certificate. The private key used to sign all of the certificates is “komodia”, which took someone about 3 hours to figure out.
So all in all this means someone on the same network as a person with a Lenovo computer can easily intercept what are supposed to be encrypted connections to their bank account, email, etc.