SAN FRANCISCO (AP) — A little-known Silicon Valley startup was caught in a
firestorm of criticism this week for making software that exposed Lenovo
laptop users to hackers bent on stealing personal information. But
Superfish Inc. has also won praise for producing visual search
technology that many see as the next big thing in online shopping.
Is Superfish an Internet pioneer or a computer-user's privacy nightmare?

Either way, don't expect a mea culpa. Faced with a withering publicity barrage
that could jeopardize any startup's future, Superfish CEO Adi Pinhas
blamed another company for the security flaw and complained about what
he called "false and misleading statements made by some media
commentators and bloggers."

Researchers revealed Thursday that some laptops sold by China's Lenovo, the world's
biggest PC maker, had a security flaw that could let hackers
impersonate shopping, banking and other websites and steal users' credit
card numbers and other personal data.

Lenovo has since apologized for pre-loading the computers with Superfish's
visual search software, which captures images that users view online,
such as a sofa or pair of shoes, and then shows them ads for similar
products. By itself, the image recognition algorithm might not be a
security risk. But the problem arose because Superfish used software
from another company that can eavesdrop when Internet users visit secure
or encrypted websites.

That software replaced the encryption code on websites with its own
easily-hacked code, according to several researchers. The Department of
Homeland Security issued an alert Friday saying Lenovo customers should
remove Superfish software because of the hacking dangers.

Superfish on Friday insisted its own code is safe and said the security flaw was
"introduced unintentionally by a third party." In an email to The
Associated Press, Pinhas identified that party as Komodia, a tech
startup based in Israel that makes software for other companies,
including tools for companies that show online ads and for programs
parents can use to monitor their children's Web surfing.

Some experts say the problem may extend beyond Lenovo. The Komodia tool
could imperil any company or program using the same code. "It's not just
Superfish, other companies may be vulnerable," said Robert Graham, CEO
of Errata Security. Komodia CEO Barak Weichselbaum declined comment
Friday.

Launched in Israel by Pinhas and fellow entrepreneur Michael Chertok, Superfish is among a
handful of companies pioneering the use of "visual recognition"
technology, which industry experts say could revolutionize online
shopping by letting people search online with pictures as easily as they
now search with words. Superfish's visual recognition algorithms can
analyze a picture and search through a database for similar images, even
if they're not labeled with descriptive text.

"I've been impressed. They're probably one of the best technologies that's
out there," said Sucharita Mulpuru, a Forrester Research analyst. "It
can be a powerful tool for a lot of things, but definitely for shopping
and e-commerce."

Consumers will see more of this in the future, said Yory Wurmser at the eMarketer
research firm. Amazon.com Inc. built a similar shopping feature into
its Fire smartphone last year. Google Inc., Facebook Inc., Pinterest and
other tech giants are investing heavily in visual search.

Now based in Palo Alto, Calif., Pinhas has called Superfish a "deep
technology company." But Superfish critics call its products "ad-ware"
or worse. Several Internet message boards are filled with complaints
that an earlier Superfish program, WindowShopper, bombarded users with
annoying ads and diverted them to websites they didn't want to visit.
Pinhas didn't respond to an emailed question about WindowShopper.