Last week, PC maker Lenovo was called out for shipping laptops with pre-installed adware called “Superfish” – an incident that led Facebook to investigate the larger issue of SSL-sniffing software being packaged and presented to users as seemingly harmless applications.
Facebook found that more than a dozen other applications used the same third-party SSL decryption library from Komodia that Superfish relies on “to modify the Windows networking stack and install a new root Certificate Authority (CA),” the company revealed Friday on its Protect the Graph security blog.
When the Lenovo news surfaced last week, security experts noted that the Superfish issue, which allows man-in-the-middle (MitM) attacks via a self-signed root certificate, was so troubling because it meant attackers could intercept encrypted SSL connections and, ultimately, eavesdrop on, steal or modify data belonging to users as they peruse webmail or sign into online banking, among other online activities.
Matt Richard, a threats researcher on Facebook's security team, who authored the Friday post, explained that the company teamed with Carnegie Mellon University researchers in 2012 to start tracking the prevalence of SSL MitM attacks in the wild.
Through its research, released soon after the Lenovo-Superfish news, Facebook observed a number of certificate issuers, including CartCrunch Israel LTD, WiredTools LTD, Say Media Group LTD, and ArcadeGiant, leveraging the Komodia library.
“Although this list is not exhaustive, it represents certificates seen in more than 1,000 systems on the internet at any given point in time,” Richard wrote. “Some of these applications appear as games, while others seem to generate pop-ups based on your search behavior or claim to perform a specific function like Superfish's Visual Search. What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove,” he said.
Facebook – which even detected software that was “more aggressively categorized as malware using Komodia's libraries,” such as the Windows trojan Nurjax – said that it was currently working with AV vendors to prevent similar infections among users in the future.
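Because these applications work by installing their own root CA, one defensive check is to audit the Windows trusted root stores for the issuer names listed above. The following PowerShell is an added example, not code from Facebook or the article; the function name `Find-SuspectRootCert` is hypothetical, and matching by name substring is an assumption, since the article gives issuer names but no exact subject strings or thumbprints.

```powershell
# Added example: flag trusted root certificates whose subject or issuer
# contains one of the names reported in this article.
# Assumption: substring matching on the names; the article does not give
# exact certificate subjects or thumbprints, so treat hits as leads to review.
$names = @(
    'Superfish',
    'Komodia',
    'CartCrunch Israel LTD',
    'WiredTools LTD',
    'Say Media Group LTD',
    'ArcadeGiant'
)

function Find-SuspectRootCert {
    param(
        [string[]]$Names,
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    # One regex with every name escaped literally; -match is case-insensitive.
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }   # skip stores that do not exist
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    SelfSigned    = ($_.Subject -eq $_.Issuer)  # self-signed root
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Empty output means no root certificate matched any listed name.
Find-SuspectRootCert -Names $names | Format-List
```

An empty result only rules out the names listed here, which the article notes are not exhaustive. Browsers that keep their own trust store, such as Firefox, are not covered by this check.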