Cyber Incident Victim: Komodia
Date: Feb 2015
Location: United States of America
Summary
Komodia Inc.'s SSL interception technology, used by the Superfish adware pre-installed on consumer laptops, introduced critical security vulnerabilities by installing a self-signed root certificate whose private key was identical across devices. Because every affected machine trusted that root and its key was shared, anyone who extracted it could mount man-in-the-middle attacks against encrypted sessions, exposing passwords and other sensitive data. The Komodia SDK, integrated into multiple third-party applications including adware and parental-control software, extended the risk to a broader user base by weakening HTTPS security in the same way. Following public exposure, Komodia's website experienced a DDoS attack amid scrutiny over its role in facilitating widespread SSL decryption. The incident highlighted systemic risks in supply-chain security practices and third-party code dependencies.
Description
The Komodia incident emerged in February 2015 following revelations that Superfish VisualDiscovery software—pre-installed on Lenovo consumer laptops between September 2014 and January 2015—used Komodia’s SSL Digester library to intercept encrypted HTTPS traffic. Komodia’s technology acted as a man-in-the-middle proxy: it installed a self-signed root certificate authority (CA) into each machine’s trust store and re-signed the certificates of visited sites with it, and the same private key shipped with that root on every affected device. Because the root was locally trusted, Superfish could inject advertisements into encrypted web sessions without triggering browser security warnings; by the same token, any third party who extracted the shared private key could decrypt sensitive communications, including passwords and financial data. Researchers demonstrated that the password protecting the certificate’s private key ("komodia") was easily crackable, exposing users to interception risks. The U.S. Department of Homeland Security’s CERT division issued an alert on February 20, 2015, urging immediate removal of Superfish and its certificate. Microsoft released a Windows Defender update the same day to automate removal. Superfish CEO Adi Pinhas attributed the vulnerability to Komodia’s third-party code, which he claimed introduced the flaw without Superfish’s knowledge. Komodia, founded by former Israeli military programmer Barak Weichselbaum, marketed its SDK as an "SSL hijacker" capable of decrypting traffic for applications like adware and parental controls.
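One practical check a defender can run for the interception pattern described above is to look at the certificate a client actually receives for a site and ask whether it was issued by a local interception root rather than the site's public CA. The following is an added example, not code from Komodia, Superfish or any of the vendors named on this page; the issuer markers "superfish" and "komodia" are taken from the page, and the constructed certificate dicts in the comments follow the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl
from typing import Optional

# Substrings that identify the interception CA family discussed on this page.
# Both names appear on the page; extend the tuple from a local inventory.
INTERCEPTION_ISSUER_MARKERS = ("superfish", "komodia")


def issuer_fields(cert: dict) -> dict:
    """Flatten the issuer from ssl.getpeercert() (a tuple of RDNs, each a
    tuple of (attribute, value) pairs) into a plain {attribute: value} dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            fields[attr] = value
    return fields


def analyse_cert(cert: dict, expected_issuer_org: Optional[str] = None) -> dict:
    """Decide whether the certificate the client saw looks re-signed by a
    local interception root. Returns the issuer org, a flag and a reason."""
    issuer = issuer_fields(cert)
    if not issuer:
        # An empty dict is what getpeercert() returns when verification was
        # disabled: nothing to reason about, so treat it as suspect, not clean.
        return {"issuer_org": "", "flagged": True, "reason": "no issuer data"}
    org = issuer.get("organizationName", "")
    haystack = f"{org} {issuer.get('commonName', '')}".lower()
    for marker in INTERCEPTION_ISSUER_MARKERS:
        if marker in haystack:
            return {"issuer_org": org, "flagged": True,
                    "reason": f"issuer matches interception marker '{marker}'"}
    if expected_issuer_org and org.lower() != expected_issuer_org.lower():
        return {"issuer_org": org, "flagged": True,
                "reason": f"issuer '{org}' differs from expected '{expected_issuer_org}'"}
    return {"issuer_org": org, "flagged": False, "reason": "issuer as expected"}


def check_host(host: str, port: int = 443,
               expected_issuer_org: Optional[str] = None) -> dict:
    """Connect to host and analyse the leaf certificate actually presented.
    The default context trusts the OS store, so an installed interception
    root validates silently; that is exactly why browsers on affected laptops
    showed no warning, and why the issuer has to be inspected explicitly."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return analyse_cert(tls.getpeercert(), expected_issuer_org)
```

Passing `expected_issuer_org` (the organization name of the CA that really issued the site's certificate, obtained out of band) catches interception roots that do not carry a known marker, since any local re-signing proxy changes the issuer the client sees.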

The disclosure triggered immediate repercussions for Komodia. On February 23, 2015, its website became inaccessible due to a distributed denial-of-service (DDoS) attack, which the company initially speculated might be high-volume visitor traffic. Simultaneously, Facebook’s security team identified over a dozen other applications—including adware, popup generators, and games—using Komodia’s library, each distributing the same vulnerable root CA certificates. Affected software included products from SAY Media, Lavasoft’s Ad-Aware Web Companion, and others linked to entities like CartCrunch Israel LTD and WiredTools LTD. These applications collectively exposed over 1,000 systems to SSL decryption risks, with many failing to disclose their traffic interception practices. Detection by antivirus tools was inconsistent, leaving users reliant on manual certificate removal. The incident amplified scrutiny of Israel’s "Download Valley" adware ecosystem, where Komodia operated alongside Superfish. Komodia ceased operations in 2018, though the broader implications persisted, as Lenovo faced widespread criticism for compromising user security through pre-installed software.
