Superfish
{{short description|Advertising company}}
{{Use mdy dates|date=November 2015}}
{{Infobox company
| name = Superfish
| fate = Closed
| successor = JustVisual.com
| logo =
| type = Private
| foundation = {{Start date|2006}}
| founder =
| defunct = May 2015
| location_city = Palo Alto, California
| location_country = United States
| key_people = {{ubl|Adi Pinhas (co-founder & CEO)|Michael Chertok (co-founder & CTO)}}
| industry = Internet
| revenue = c. $40 million
| operating_income =
| net_income =
| assets =
| num_employees = 90
}}
Superfish was an advertising company that developed various advertising-supported software products based on a visual search engine. The company was based in Palo Alto, California. It was founded in Israel in 2006{{Cite web |title=Microsoft, Lenovo scramble to protect users from Superfish security flaw |url=http://www.cbsnews.com/news/microsoft-lenovo-superfish-security-flaw/ |website=CBSnews.com |access-date=2015-09-11 |date=February 22, 2015 |publisher=CBS/AP}} and has been regarded as part of the country's "Download Valley" cluster of adware companies.{{Cite web |title=Another blow to Israel's 'Download Valley' as Google bans toolbars |url=http://www.haaretz.com/business/.premium-1.565275 |website=Haaretz.com |access-date=2015-09-11 |last=Hirschauge |first=Orr |date=December 25, 2013 |quote=Among the companies in Download Valley most likely to be hurt by the change are the startups Revizer, Superfish, CrossReader and the Client Connect division of the company Conduit …}} Superfish's software is malware and adware. The software was bundled with various applications as early as 2010, and Lenovo began to bundle the software with some of its computers in September 2014. On February 20, 2015, the United States Department of Homeland Security advised uninstalling it and its associated root certificate, because they make computers vulnerable to serious cyberattacks, including interception of passwords and sensitive data being transmitted through browsers.{{cite web |url=https://www.us-cert.gov/ncas/alerts/TA15-051A |title=Alert: Lenovo "Superfish" Adware Vulnerable to HTTPS Spoofing |publisher=United States Computer Emergency Readiness Team |date=February 20, 2015 |access-date=February 20, 2015}}{{cite news |url=https://www.reuters.com/article/us-lenovo-cybersecurity-dhs-idUSKBN0LO21U20150220 |title=U.S. government urges Lenovo customers to remove Superfish software |publisher=Reuters |date=February 20, 2015 |access-date=February 20, 2015}}
History
Superfish was founded in 2006 by Adi Pinhas and Michael Chertok.{{cite news |url=http://www.bizjournals.com/sanfrancisco/blog/2013/07/superfish-gets-10m-for-image-search.html |title=Superfish gets $10M for image search |work=San Francisco Business Times |date=July 30, 2013}} Pinhas is a graduate of Tel Aviv University.{{cite news |url=http://www.mercurynews.com/business/ci_27246085/q-adi-pinhas-founder-and-ceo-tech-startup |title=Q&A: Adi Pinhas, founder and CEO of tech startup Superfish |work=San Jose Mercury News |date=January 2, 2015}} In 1999, he co-founded Vigilant Technology, which has provided digital monitoring systems to protect people from crime and terrorism in many key locations: Manhattan, George Bush Intercontinental Airport, Salt Lake City International Airport, and the Federal Reserve Bank of New York.{{cite web |url=https://www.israel21c.org/israeli-surveillance-cameras-help-the-us-stay-vigilant/ |title=Israeli surveillance cameras help the US stay ‘vigilant’ |work=Israel21c |access-date=February 22, 2025}} Before that, he worked at Verint, an intelligence company that analyzed telephone signals and had allegedly tapped Verizon communication lines.{{Cite news |url=https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/ |title=Superfish: A History Of Malware Complaints And International Surveillance |last=Fox-Brewster |first=Thomas |date=February 19, 2015 |work=Forbes|access-date = February 21, 2015}} Chertok is a graduate of Technion and Bar-Ilan University with 10 years of experience in "large scale real-time data mining systems".{{cite web |url=https://www.bloomberg.com/research/stocks/private/person.asp?personId=30618415&privcapId=30608198&previousCapId=30608198&previousTitle=Superfish,%2520Ltd. |title=Executive Profile – Michael Chertok – Co-Founder and Chief Technology Officer, Superfish, Inc. |work=Bloomberg, retrieved |access-date=February 20, 2015}}
Since its founding, Superfish has used a team of "a dozen or so PhDs" primarily to develop algorithms for the comparison and matching of images. It released its first product, WindowShopper, in 2011.{{cite web |url=http://www.xconomy.com/san-francisco/2014/07/16/superfish-aims-to-dominate-visual-search-one-product-at-a-time/ |title=Superfish Aims to Dominate Visual Search, One Product at a Time |last=Craig |first=Elise |date=July 16, 2014 |publisher=Xconomy |access-date=November 17, 2014}} WindowShopper immediately prompted a large number of complaints on Internet message boards, from users who did not know how the software had been installed on their machines.
Superfish initially received funding from Draper Fisher Jurvetson, and to date has raised over $20 million, mostly from DFJ and Vintage Investment Partners.{{cite web |url=http://www.xconomy.com/san-francisco/2014/07/16/superfish-aims-to-dominate-visual-search-one-product-at-a-time/ |title=Superfish Aims to Dominate Visual Search, One Product at a Time |last=Craig |first=Elise |date=July 16, 2014 |publisher=Xconomy |pages=2 |access-date=November 17, 2014}} Forbes listed the company as number 64 on their list of America's most promising companies.{{Cite news |url=https://www.forbes.com/most-promising-companies/list/ |title=America's Most Promising Companies |date=January 2015 |work=Forbes|access-date = February 21, 2015}}
Pinhas in 2014 stated that "Visual search is not here to replace the keyboard ... visual search is for the cases in which I have no words to describe what I see."{{cite web |url=http://www.emarketer.com/Article/What-Will-Take-Visual-Search-Catch-On/1011566 |title=What Will It Take for Visual Search to Catch On? |date=November 11, 2014 |publisher=eMarketer |access-date=November 17, 2014}}
As of 2014, Superfish products had over 80 million users.{{cite news |url=http://jewishbusinessnews.com/2014/09/03/adi-pinhas-superfish-1-fastest-growing-private-software-company-in-the-us/ |title=Adi Pinhas' Superfish #1 Fastest Growing Private Software Company in the US |last=Weiss |first=Vered |date=September 3, 2014 |publisher=Jewish Business News |access-date=November 17, 2014}}
In May 2015, following the Lenovo security incident (see below) and to distance itself from the fallout, the team behind Superfish changed its name and moved its activities to JustVisual.com.{{cite web |url=https://abcnews.go.com/Technology/wireStory/security-scandal-tech-firm-changing-focus-31373750 |title=After Security Scandal, a Tech Firm Says It's Changing Focus |date=May 28, 2015 |work=ABC News |access-date=May 31, 2015 |archive-url=https://web.archive.org/web/20150529003146/https://abcnews.go.com/Technology/wireStory/security-scandal-tech-firm-changing-focus-31373750 |archive-date=2015-05-29}}
Lenovo security incident
Users had expressed concerns about scans of SSL-encrypted web traffic by Superfish Visual Search software pre-installed on Lenovo machines since at least early December 2014.{{citation needed|date=June 2015}} This became a major public issue, however, only in February 2015. The installation included a universal self-signed digital certificate that acted as a trusted certificate authority; that authority allows a man-in-the-middle attack to introduce ads even on encrypted pages. The digital certificate had the same private key across laptops; this allowed third-party eavesdroppers to intercept or modify HTTPS secure communications without triggering browser warnings, either by extracting the private key or by using a self-signed certificate.{{cite web |url=https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/ |title=How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It |work=Forbes |date=February 19, 2015 |access-date=February 20, 2015 |author=Fox-Brewster, Thomas}}{{cite news |url=https://www.theguardian.com/technology/2015/feb/19/lenovo-accused-compromising-user-security-installing-adware-pcs-superfish |first=Alex |last=Hern |title=Lenovo accused of compromising user security by installing adware on new PCs |work=The Guardian |date=February 19, 2015 |access-date=February 19, 2015}}{{cite web |url=https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/ |title=Komodia/Superfish SSL Validation is broken |date=February 20, 2015 |access-date=February 25, 2015 |author=Valsorda, Filippo}}
On February 20, 2015, Microsoft released an update for Windows Defender which removes Superfish.{{cite web |url=http://www.pcworld.com/article/2886827/bravo-windows-defender-update-fully-removes-lenovos-dangerous-superfish-malware.html |title=Bravo! Windows Defender update fully removes Lenovo's dangerous Superfish malware |publisher=PC World |date=February 20, 2015 |access-date=February 20, 2015 |author=Chacos, Brad}} In an article in Slate, tech writer David Auerbach compares the incident to the Sony DRM rootkit scandal and says of Lenovo's actions, "installing Superfish is one of the most irresponsible mistakes an established tech company has ever made."{{cite news |last1=Auerbach |first1=David |title=You Had One Job, Lenovo |url=http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html |access-date=February 21, 2015 |work=Slate |date=February 20, 2015}} On February 24, 2015, Heise Security published an article revealing that the certificate in question would also be spread by a number of applications from other companies including SAY Media and Lavasoft's Ad-Aware Web Companion.{{cite web |url=http://heise.de/-2557619 |title=Gefährliche Adware: Mehr als ein Dutzend Anwendungen verbreiten Superfish-Zertifikat |trans-title=Dangerous Adware: More than a Dozen Applications spreading Superfish Certificate |language=de |work=Heise Security |date=February 24, 2015 |access-date=May 5, 2015}}
Criticisms of Superfish software predated the "Lenovo incident" and were not limited to the Lenovo user community: as early as 2010, users of computers from other manufacturers had expressed concerns in online support and discussion forums that Superfish software had been installed on their computers without their knowledge, by being bundled with other software.
CEO Pinhas, in a statement prompted by the Lenovo disclosures, maintained that the security flaw introduced by Superfish software was not, directly, attributable to its own code; rather, "it appears [a] third-party add-on introduced a potential vulnerability that we did not know about" into the product. He identified the source of the problem as code authored by the tech company Komodia, which deals with, among other things, website security certificates.{{cite news |url=http://www.siliconbeat.com/2015/02/20/superfish-denies-blame-in-lenovo-security-mess/ |publisher=The Mercury News: siliconbeat |title=Superfish denies blame in Lenovo security mess |date=February 20, 2015}} Komodia was founded by Barak Weichselbaum, a former programmer for Israel's IDF Intelligence Corps.{{cite news |last=Brewster |first=Thomas |date=February 20, 2015 |title=The Company Behind Lenovo's Dangerous Superfish Tech Claims It's Under Attack |website=forbes.com |url=https://www.forbes.com/sites/thomasbrewster/2015/02/20/komodia-lenovo-superfish-ddos/ |accessdate=January 25, 2023 |quote=In a brief email conversation with Barak Weichselbaum, Komodia's founder who was once a programmer in Israel’s IDF’s Intelligence Core,...}} Komodia code is also present in other applications, among them parental-control software, and experts have said "the Komodia tool could imperil any company or program using the same code" as that found within Superfish.{{cite news |url=http://www.contracostatimes.com/business/ci_27577643/superfish-points-fingers-over-lenovo-ad-software-security |publisher=Contra Costa Times |title=Palo Alto startup points fingers over Lenovo ad software security flaws |date=February 23, 2015}} In fact, Komodia itself refers to its HTTPS-decrypting and interception software as an "SSL hijacker", and has been doing so since at least January 2011.{{cite web |title=Komodia's SSL Decoder/Digestor product page |date=December 14, 2010 |publisher=Komodia Inc. |url=http://www.komodia.com/products/komodias-ssl-decoderdigestor |access-date=February 27, 2015 |archive-url=https://web.archive.org/web/20110122221405/http://www.komodia.com/products/komodias-ssl-decoderdigestor |archive-date=January 22, 2011}} Its use by more than 100 corporate clients may jeopardize "the sensitive data of not just Lenovo customers but also a much larger base of PC users".{{cite web |url=https://arstechnica.com/security/2015/02/ssl-hijacker-behind-superfish-debacle-imperils-big-number-of-users/ |publisher=ars technica |title="SSL hijacker" behind Superfish debacle imperils large number of users |date=February 20, 2015}} Komodia was closed in 2018.{{Cite web|url=https://www.komodia.com/about|title = About|work=Komodia|date = December 13, 2010}}
Products
Superfish's first product, WindowShopper, was developed as a browser add-on for desktop and mobile devices, directing users who hover over browser images to shopping Web sites to purchase similar products. As of 2014, WindowShopper had approximately 100 million monthly users, and according to Xconomy, "a high conversion to sale rate for soft goods". Superfish's business model is based on receiving affiliate fees on each sale.
The core technology, Superfish VisualDiscovery, is installed as a man-in-the-middle proxy on some Lenovo laptops. It injects advertising into results from Internet search engines; it also intercepts encrypted (SSL/TLS) connections.{{cite web |url=https://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/ |title=Lenovo caught installing adware on new computers |last=Williams |first=Owen |publisher=The Next Web |date=February 19, 2015 |access-date=February 19, 2015}}{{cite web |url=https://www.zdnet.com/article/lenovo-accused-of-pushing-superfish-self-signed-mitm-proxy/ |title=Lenovo accused of pushing Superfish self-signed MITM proxy |access-date=February 19, 2015 |date=February 19, 2015 |last=Duckett |first=Chris |publisher=ZDNet}}
In 2014, Superfish released new apps based on its image search technology.