Beyond Superfish: Turns out SSL-trashing spyware is widespread

Last week Lenovo found itself in deep trouble over the Superfish spyware that it installed on many recent consumer laptops. Designed to insert ads into customers’ browsing experiences, the software has very insecure foundations and basically made users vulnerable to hacking attacks.

Turns out it’s not just Lenovo customers who should be worried about their exposure — the insecurity of Superfish is largely due to its use of technology from an Israeli company called Komodia, and quite a few software packages in the areas of antivirus and parental protection also use Komodia’s engine. Examples highlighted by the U.S. Department of Homeland Security include products from parental control outfits Qustodio, Kurupira, Infoweise and Komodia’s own KeepMyFamilySecure, and security firms such as Lavasoft and Websecure.

Qustodio wrote in a Saturday blog post that it was working on a “fix in order to avoid potential phishing attacks from external malicious users.”

These various packages, including the Superfish software that Lenovo quietly installed on its consumer laptops late last year, used Komodia to put a fake root certificate authority (CA) on each user’s PC, together with a private key, in order to be able to intercept and analyze even encrypted “SSL” browsing sessions. However, this mechanism was really badly implemented.

As Facebook’s Matt Richard noted, the reuse of the same root CA across multiple machines (with the same “komodia” private key password) means bad actors could “potentially obtain that CA file and perform ‘man-in-the-middle’ (MITM) attacks on untrusted networks like public Wi-Fi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the internet.”

Cloudflare researcher Filippo Valsorda wrote about the potential manipulation of Komodia’s mechanism even without the need for extracting the private key: “An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.”

In short, this software leaves users markedly less secure than they were before it was installed, which is why the DHS is urging people to uninstall all software that uses the Komodia Redirector and SSL Digestor libraries, and all associated root CA certificates, and why Mozilla is considering blacklisting those certificates in Firefox.

That’s kind of ironic, seeing as so many of these software applications are intended to protect their users. The same goes for Comodo, an actual certificate authority that also puts out a security-focused browser called Comodo Dragon. As researcher Hanno Böck wrote on Monday, this and other Comodo products ship with a “privacy” tool called PrivDog that supposedly replaces ads in webpages with ads from “trusted sources” – and as with Komodia’s tools, this one also verifies dodgy certificates when it shouldn’t.

Cloudflare’s Valsorda has come up with a tool called Badfish that was originally designed to detect infections by Superfish, but it now also scans for those by other Komodia-using products and PrivDog as well. If you’re a Windows user and you’re using parental control software or certain antivirus products, it might be worth giving that page a visit to see if you need to be uninstalling anything.
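For readers who would rather check a machine locally than visit the Badfish page, the following PowerShell is an added example (not Badfish, and not code from any vendor named above). It searches both Trusted Root stores and the registry’s Uninstall keys for the product names this article mentions; that name list is an assumption drawn from the article, not a complete inventory of Komodia-based software.

```powershell
# Added example: flag root certificates and installed programs tied to the
# interception products named in the article. The name list comes from the
# article only (an assumption), so a clean result is not proof of absence.
$SuspectNames = 'Superfish', 'Komodia', 'PrivDog', 'KeepMyFamilySecure',
                'Qustodio', 'Kurupira', 'Infoweise'
$Pattern = ($SuspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-SuspectRootCerts {
    # A root injected into either the machine-wide or the per-user store is
    # enough for browsers to show a green lock on an intercepted session.
    foreach ($Store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $Store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    # A trusted root whose private key also lives on this box
                    # is the Superfish pattern: anyone holding it can sign for any site.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Find-SuspectPrograms {
    # Installed-program entries, including the 32-bit view on 64-bit Windows
    # and per-user installs. Uninstalling the product should precede removing
    # the certificate, otherwise the software may simply re-add it.
    $Keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern -or $_.Publisher -match $Pattern } |
        Select-Object DisplayName, Publisher, UninstallString
}

$Certs    = @(Find-SuspectRootCerts)
$Programs = @(Find-SuspectPrograms)
if ($Certs.Count -eq 0 -and $Programs.Count -eq 0) {
    Write-Output 'No root certificates or programs matching the listed names were found.'
} else {
    $Certs    | Format-Table -AutoSize
    $Programs | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the LocalMachine store and HKLM keys are fully readable; matches are a prompt to uninstall the product and then remove the certificate, as the DHS advisory recommends.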