Dell on Monday acknowledged a security hole found in some of its new laptops that could make it easy for hackers to access users’ private data.
Some Dell laptops are coming preloaded with a self-signed root digital certificate called eDellRoot, that lets attackers spy on traffic to any secure website. The CA certificate can only be removed manually by consumers makes them vulnerable to cyber intrusions that may allow hackers to read encrypted messages and redirect browser traffic to spoofs of real websites such as Google or those belonging to a bank, among other attacks.
With the private key, which is now available online, anyone can generate a certificate for any website that will be trusted by browsers such as Internet Explorer and Google Chrome that use the Windows certificate store on affected laptops.
"The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience," Dell said in a statement. "Unfortunately, the certificate introduced an unintended security vulnerability."
Dell did not say how many computers or which specific models are affected.
Dell plans to provide customers with instructions to permanently remove the certificate by email and on its support website.
Last year, a similar flaw was unveiled in Lenovo computers. But Dell
says that they aren't like Lenovo, because they didn't install bloatware like Superfish. But dear Dell, the problem with Superfish wasn't the software, but the private key. In this respect, your error is exactly as bad as the Superfish error.
|