Researchers unearth evidence of Superfish-style attacks in the wild

It's starting to look like Superfish and other software containing the same HTTPS-breaking code library posed more than a merely theoretical danger to Internet users. For the first time, researchers have uncovered evidence suggesting the critical weakness was exploited against real people visiting real sites, including Gmail, Amazon, eBay, Twitter, and, to name just a few.

As Ars reported one week ago, ad-injecting software preinstalled on some Lenovo laptops caused most browsers to trust fraudulent secure sockets layer certificates. The software was called Superfish. In the coming days, security researchers unearthed more than a dozen other apps that posed the same threat. The common thread among all the titles was a code library provided by an Israel-based company called Komodia.

The Komodia library modified a PC's network stack by adding a new root Certificate Authority certificate. Poor choices in both the way the certificate and underlying code were designed caused most browsers to trust fraudulent certificates that otherwise would have generated warnings. Flagrantly fraudulent certificates got a pass as long as they (a) contained the same easily extracted private key baked into the app or (b) contained the name of the targeted website in certificate's alternate name field. Malicious hackers could exploit this failure to masquerade as secure pages for Bank of America, Google, or any other website on the Internet. As a result, attackers had an easy way to wage man-in-the-middle attacks against otherwise secure HTTPS connections.

Read 4 remaining paragraphs | Comments