Lenovo has apologised to customers and will help them remove pre-installed software that could have exposed them to security threats.
The biggest maker of personal computers said it was a mistake to have the software, made by a company called Superfish, included on Lenovo machines.
Lenovo posted links on Twitter to its website with information about the software and removal instructions.
The Beijing-based company was responding to a deluge of criticism from cyber-security specialists regarding Superfish’s ability to monitor Web behavior and suggest advertisements based on images that a user might be viewing.
The technology used by Superfish essentially breaks the encryption between Web browsers and banking, e-commerce and other sites that handle sensitive information, potentially exposing machines to hacking.
“The Superfish software undermines Internet security for the rather ridiculous purpose of serving advertisements,” said Rainey Reitman, director of activism at the Electronic Frontier Foundation. “It’s a severe security issue, and frankly a betrayal by Lenovo of all of its affected customers.”
Superfish uses image-recognition algorithms that watch where users point on their screens and suggest ads based on the images they’re looking at. The software was included on some models of consumer laptops sold worldwide between September and December and was turned off in January after user complaints, Lenovo said.
“We messed up badly here,” Peter Hortensius, Lenovo’s chief technology officer, said in an interview. “We made a mistake. Our guys missed it. We’re not trying to hide from the issue — we’re owning it.”
Superfish said in a statement that the company is “completely transparent in what our software does and at no time were consumers vulnerable.”