Disable Superfish on Your Site
by: @brettpaden
With all the recent attention to the superfish/Lenovo scandal I thought I would share our experience with the fallout from this malware and show developers and site maintainers a simple solution to stop the injected code from Superfish's malware from working on your site (well, at least until they patch it :-)).
TL;DR
Put his in the head section of your web pages:
<meta name="superfish" content="nofish">
The Story
I work at Glip, an enterprise communications platform that competes with the likes of Slack, Asana, HipChat and Flowdock. Sometime in early December we started getting reports from customers that Glip simply ceased functioning for them … on all browsers … on their new laptops.
Something was fishy (ehhhhheheheheh) and I requested a TeamViewer session with one of our more helpful customers.
I saw from the console that malware of some kind was injecting javascript into every single site requested. The injected javascript pulled in some code from best-deals-products.com (specifically https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc). The script was crashing for some reason and halting javascript execution on the page.
Crap, I thought, now my team has to figure out how to unfuck some asshole's malware so our web app works properly.
We downloaded the source for sf_main.jsp, manually injected it into a sandbox instance of our app and started stack tracing. This jumped out immediately:
//if (false && location.protocol === 'https:' && queryString.search(/dlsource=hdrykzc/i) !== -1) // Patch for Lenovo - do not run on https sites
if (queryString.search(/dlsource=hdrykzc/i) !== -1) // Disable Lenovo users
{
return;
}
WTF. Hardware vendor specific instructions???
Mind you, we hadn't deduced anything about the model of new laptops our users had, but immediately asked. Why yes, said our customer, it is a Lenovo. Ironically this little bit of code intended to disable the best-deals script wasn't working as intended, leading to another error later in the stack.
From this code and comment it's pretty clear that there was some level of collusion between Lenovo and Superfish; either Lenovo requested the malware to be disabled or Superfish tried to mitigate its impact in an effort not to get caught. But I digress ... we still had to figure out something for our customers.
Giving them malware removal instructions or telling them to install a particular anti-virus wasn't really an option. (we later learned simply uninstalling Superfish software removes the malware as well). But our main concern was all the users that had not or would not contact our customer service. You know the old rule: for every bug report there are at least 10X people more out there feeling the pain but not reporting it.
One of our devs known simply as Beard (also the source of his hacker prowess and ability to brew beer) had the brilliant idea of reading sf_main from the beginning. Lo, it was was revealed unto him:
var nofish = false;
var metaTags = document.getElementsByTagName('meta');
var metaTag;
for (var i=0, l=metaTags.length; i<l; i++)
{
metaTag = metaTags[i];
if (metaTag.getAttribute('name') && metaTag.getAttribute('name').toLowerCase() == 'superfish' && metaTag.getAttribute('content') && metaTag.ge tAttribute('content').toLowerCase() == 'nofish')
{
nofish = true;
break;
}
}
Later in the code there are instruction to simply stop executing if nofish was true. We could pre-emptively disable the injected code from running with the addition of a simple meta tag.
<meta name="superfish" content="nofish">
Hope this helps any web developers who are having to contend with this.