The security certificate used by Superfish the installed add-on on Lenovo computers just broke (Cracked).
We have recently reported that the Superfish software used by Lenovo produces a security certificate to re-sign all the security certificates it receives from HTTPS pages, such as bank pages, virtually allowing access to plain text information to traffic between client and server otherwise it would be encrypted.
Too many experts on issues ασφάλειας που εξέτασαν το θέμα αποκάλυψαν ότι το add-on χρησιμοποιεί το ίδιο κλειδί RSA (1024 bits) σε όλες τις συσκευές, κάτι που σημαίνει ότι αν κάποιος καταφέρει να το σπάσει, θα είναι σε θέση να “διαβάσει” την κρυπτογραφημένη κυκλοφορία που ανταλλάσσεται μεταξύ ενός χρήστη με computer Lenovo χρήστη και μιας ασφαλής services. That's exactly what he did Robert Graham, Chief Executive Officer of Errata Security.
The researcher used a system with Superfish installed by dumping the data generated by processes into the system memory.
After discovering the encrypted private key of the security certificate used by Superfish, and the certificate itself, it tried to verify that the data protected with a password.
Cracking the password turned out to be a bit more difficult than expected, as it required a modified brute-force program. When Graham had to develop a new brute-force software for the needs of this attack.
He assumed that the Password would not be complex, so he instructed the program to search only between lowercase letters. In less than 10 seconds, he discovered the password which was “komodia.”
The password decrypts the root certificate and could be used in man-in-the-middle attacks against Lenovo users who have Superfish installed on their system.