Security researchers announced on February 19, 2015 a vulnerability that allows an attacker to potentially collect sensitive data transmitted during secure browser sessions.
The vulnerability is rooted in the use of pre-installed adware on Lenovo systems that uses man-in-the-middle techniques in order to, among other activities, monitor user activity, inject ads into legitimate pages, and display pop-up ads. The adware relies on its own password-protected certificate authority to perform its functions, and this password was hacked and published online.
[Updated 2/26/2015] Other software has been noted to use similar techniques that expose users to the same vulnerability.
Per the manufacturer, this vulnerability affects Lenovo laptops sold between September 2014 and January 2015, but any user can test their system for the vulnerability here. Lenovo users can also uninstall the adware following these instructions.
[Updated 2/26/2015] Lenovo has issued their own instructions and a removal tool.
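As an added check that is not part of the original post or the manufacturer's tooling, the following PowerShell script audits the Windows root certificate stores for trust anchors of the kind this adware installs: entries matching a name you are looking for, or any root that carries a private key on the endpoint. It assumes an elevated PowerShell session on the Windows machine being checked; the `-Pattern` value is a placeholder to replace with the certificate authority name you are auditing for.

```powershell
# Added example (not from the original post): audit the Windows root stores
# for trust anchors that were not installed deliberately, the pattern used by
# the adware described above. Assumes an elevated session on the machine
# being checked. The default -Pattern is a placeholder, not a real CA name.
param(
    [string]$Pattern = 'PLACEHOLDER-ADWARE-CA-NAME'
)

# Both the machine-wide and the per-user root stores are consulted by browsers
# that rely on the Windows certificate store, so audit both.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        # Flag a root whose subject matches the name being audited for, or one
        # whose private key is present on this endpoint: a genuine root CA key
        # should never be available on a user's laptop.
        ($_.Subject -like "*$Pattern*") -or $_.HasPrivateKey
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotBefore     = $_.NotBefore
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Review these entries and remove any trust anchor that was not installed deliberately.'
} else {
    "No matching or private-key-bearing root certificates found in: $($stores -join ', ')"
}
```

For a fuller comparison of every installed root against Microsoft's own trusted-root list, the Sysinternals Sigcheck tool run with its `-tv` option performs that check directly.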
In addition to uninstalling the adware, OneLogin recommends that account owners advise their impacted users to avoid public Wi-Fi networks when possible until more information is released regarding this vulnerability and its remediation. As a reminder, it’s recommended best practice to configure OneLogin to force passwords to expire after a period of time, which can help mitigate some of the risk of these types of vulnerabilities.