by nfmangano 4141 days ago
I'm surprised that this is just now news. I received complaints from people participating in our beta trial (http://sketchtogether.com) from as early as October 22nd, 2014 that our website was broken, and it was because of Superfish being installed on their lenovo laptops. When they uninstalled Superfish, our webpage started working again.

Superfish injected a line of code that referenced "sf_main.jsp" from a remote site into all webpages (including ours) that interfered with our code. Here's a pastebin of the sf_main.jsp javascript file it linked to: http://pastebin.com/bZFkfRd5 (I assume the linked code is not copyrighted, if it is, please let me know and I can take it down).

6 comments

Interestingly it is disabled for Google services (making the article's image irrelevant :). If this regex matches, `nofish` is set true, which disables superfish:

`/^https?:\/\/(www|play)\.google\.(?!com\/analytics\/)/i`

Also, if you add a `<meta name="superfish" content="nofish">` tag, it gets disabled as well.

Possibly some agreement with Google, like the ones they tend to make with ad-blockers? (http://www.theverge.com/2015/2/2/7963577/google-ads-get-thro...)
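The two opt-out rules quoted in the comment above, reimplemented as an added example (this is not code from the thread or from Superfish's own script) together with a defender-side scan for the `sf_main.jsp` reference the original post mentions. The sample HTML and the host `example.invalid` are constructed for the example; the attribute-parsing helpers are my own and only need to cope with the simple markup shown here.

```javascript
// Rule 1: the URL regex quoted in the thread. The negative lookahead means
// www.google.com/analytics/ is NOT exempted, while everything else under
// www.google.* or play.google.* is (case-insensitively).
const GOOGLE_NOFISH_RE = /^https?:\/\/(www|play)\.google\.(?!com\/analytics\/)/i;

// Rule 2: a <meta name="superfish" content="nofish"> tag in the page.
// Attribute order is not assumed; each <meta> tag is tested separately.
function hasNofishMeta(html) {
  const metaTags = html.match(/<meta\b[^>]*>/gi) || [];
  return metaTags.some(tag =>
    /\bname\s*=\s*["']superfish["']/i.test(tag) &&
    /\bcontent\s*=\s*["']nofish["']/i.test(tag));
}

// True when, by the rules described in the thread, the injection would be
// disabled for this page. Note that (as a later reply points out) this check
// lives inside the injected script, so the TLS interception has already
// happened by the time it runs.
function isNofish(url, html) {
  return GOOGLE_NOFISH_RE.test(url) || hasNofishMeta(html);
}

// Defender-side check for site operators: does the HTML the browser actually
// received contain a <script> whose src points at sf_main.jsp? Comparing the
// result against the HTML you served is a cheap way to spot the injection.
const INJECTED_SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["'][^"']*sf_main\.jsp[^"']*["'][^>]*>/gi;

function findInjectedScripts(html) {
  const found = [];
  const re = new RegExp(INJECTED_SCRIPT_RE.source, 'gi'); // fresh lastIndex per call
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[0]);
  return found;
}

// Constructed sample pages (not real captures).
const SAMPLE_CLEAN =
  '<html><head><meta content="nofish" name="superfish"></head><body>ok</body></html>';
const SAMPLE_INJECTED =
  '<html><head><script type="text/javascript" ' +
  'src="https://example.invalid/sf_main.jsp"></script></head><body>ok</body></html>';

// Stand-alone demonstration.
console.log(isNofish('https://play.google.com/store', ''));            // true
console.log(isNofish('https://www.google.com/analytics/web/', ''));    // false
console.log(isNofish('https://example.com/', SAMPLE_CLEAN));           // true
console.log(findInjectedScripts(SAMPLE_INJECTED));                     // one match
```

The `analytics` exception is the part most people misread: the lookahead only excludes that one path prefix on `www.google.com`, so `www.google.co.uk` and `play.google.com` are both exempt, while `mail.google.com` is not, because the hostname alternation is limited to `www` and `play`.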

That doesn't disable the part of Superfish that MITMs SSL connections to sites - in fact, it obviously can't because that check can't even run until they've MITMed the connection and injected the code that includes those checks.

Line 194 -- They customized their ad script for Lenovo. Making them entirely aware of what's going on...

Googling "hdrykzc" returns some interesting results...

For reference, it's safe to assume that code is under copyright, but don't take it down: this is almost classic fair use.
> (I assume the linked code is not copyrighted, if it is, please let me know and I can take it down).

it probably is, but by the look of things one can safely assume that they can fuck off

An all-new reason to use Content-Security-Policy.

How much you want to bet that thing is XSSable?

>An all-new reason to use Content-Security-Policy

Correct me if I'm wrong, but I don't think any amount of CSP will help you in this situation. They're MITMing traffic and thus can modify the CSP headers.

Fair enough, though I'd bet they aren't smart enough to have actually blocked the header. They apparently don't even support WebSocket.

`https://www.best-deals-products.com/` sounds like the classic online store that will steal your CC :-)

I wonder how many people would find the domain name suspicious - I instinctively felt "this sounds scammy to me" when I saw that name, but can't quite explain exactly to someone else how I got that feeling. Perhaps the keywords "best", "deal" and "product" raised the red flags for me, and it's an instinct acquired by many years of being online.

If the company/website name consists entirely of SEO keywords, run?