The "eDellRoot" flaw lets snoops and crooks spy on users.
Dell has sold computers preinstalled with a potential security vulnerability that makes it easy for hackers to hijack Internet connections and masquerade as trusted websites.
The problem in Dell’s case lies in a trusted root certificate—a notarized digital credential—called “eDellRoot” that a computer programmer named Joe Nord recently discovered on his Inspiron Series 5000 notebook. The digital certificate verifies that the website a computer user visits is, in fact, the intended one.
After Nord posted about his finding, another Dell customer tweeted that his device was also affected. “Holy cow,” the fellow Dell user, who had purchased an XPS 15 laptop, said in reply. “Yessir, we have the exact same certificate and private key.”
Digital certificates use keys—long and complex secret codes—to sign and validate that encrypted Internet connections are secure. In Dell’s case, these certificate-specific keys are stored locally on at least two Dell laptop models, allowing savvy hackers to reverse engineer them. So, if a hacker is positioned in the correct spot on a network—between a user and an HTTPS-protected website, for instance—that attacker can pose as a legitimate website, steal sensitive user information (such as password or banking credentials), or snoop on a user’s browsing activity.
The problem appears to affect more laptops than those mentioned above, including the XPS 13 model, according to tech news site the Verge. Some Dell Inspiron desktop computers and Precision M4800 and Latitude laptop models are also impacted, reports Ars Technica.
In a post on Reddit, the second Dell customer writes that “this is a major security vulnerability that endangers all recent Dell customers.” He also provides technical instructions for users who seek to know whether their machines are affected.
Computer security expert Kenn White has also demonstrated how attackers can use the flaw to impersonate seemingly sound websites. In a screenshot, he shows how he was able to establish an encrypted connection to what is apparently an HTTPS-secured link to bankofamerica.com, but is in reality a webpage sporting a dog in a ski-mask. (He has also created a test for users to determine whether their machines are vulnerable here.)
The Firefox web browser, White noted, will issue a warning when it connects via Dell’s bogus security certificate, since the browser uses its own store of security certificates.
Christina-Marie Furtado, a Dell spokesperson, told Fortune that the company is telling customers how to remove the problematic certificate and that the company will eliminate them on its machines in the future. She said in an email that the certificate was “intended to provide a better, faster and easier customer support experience.”
“Unfortunately, the certificate introduced an unintended security vulnerability,” she continued. “To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site or Technical Support. We are also removing the certificate from all Dell systems moving forward.”
The incident, which is still ongoing, recalls a problem that affected the Chinese PC-maker Lenovo earlier this year. The computer manufacturer had preinstalled advertising software called Superfish that intercepted Internet traffic and used a certificate with similarly trusted privileges to inject ads into users’ browsers. The security community reacted with outrage, lashing out at the company for approving such a vulnerable system. Lenovo said it would stop shipping the pre-installed software, and it promised to be more transparent about similar pre-installs in the future.
Fortune recently spoke to Dell’s chief security officer, John McClurg, who highlighted the importance of cybersecurity to the company’s strategy. He said that security is “what enables your program to sell at all.” (The conversation focused more on the firm’s enterprise market than its consumer one.)
Founder and CEO Michael Dell also recently came out strong against tech companies adding “backdoor” access in their products to users’ encrypted data for the benefit of governments and law enforcement investigations.
Follow Robert Hackett on Twitter at @rhhackett. Read his cybersecurity, technology, and business coverage here. And subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology, where he writes a weekly column.
For more on Dell, watch the video below:
For more on Lenovo’s Superfish scandal, watch this video: