A U.S. Lenovo customer has filed a class-action lawsuit against the Chinese technology manufacturing company and its Superfish adware, charging both with having invaded customers’ privacy and made money off of analyzing their web browsing habits.
The lawsuit was reportedly filed by Jessica N. Bennet in California, despite Lenovo admitting that pre-installing Superfish was a mistake and issuing an open-source tool to remove the software.
The tool is also designed to remove the self-signed root HTTPS certificate installed by Superfish that can intercept encrypted traffic for every website a user visits.
This introduced a security vulnerability because attackers could potentially use the certificate to create fake HTTPS websites that would not be detected as fakes by vulnerable Lenovo machines.
Lenovo said in a statement it had worked with Microsoft and McAfee. Security applications from both companies are also now able to remove Superfish software and certificates.
Superfish is also named as a defendant in the class action lawsuit that claims the software allowed remote monitoring of internet activity in violation of state and US federal privacy laws.
Bennet accuses Lenovo and Superfish of invading her privacy and making money by studying her internet browsing habits.
According to the lawsuit, Bennet noticed spam advertisements on a client’s website after writing a blog post for that customer, which she traced back to the Superfish software on her Yoga 2 laptop.
The court documents also claim that Superfish took up internet bandwidth and caused Bennet’s computer to slow down by using computer memory resources.
Lenovo has claimed that it stopped pre-installing Superfish in January 2015, but prior to that the software was installed on a wide variety of consumer PC series, including Flex, Miix and Yoga.
The company said the issue does not affect Lenovo ThinkPads, any tablets, desktops or smartphones, or any enterprise server or storage device.
Lenovo has yet to comment on the lawsuit.
