Dell is facing a further backlash after another vulnerable root certificate was discovered on its retail computer systems.
The flaw affects a root certificate called DSDTestProvider, and can allow hackers to launch a man-in-the-middle attack to snoop on internet traffic, impersonate legitimate websites, install malicious software and even decrypt HTTPS traffic.
The true scope of the problem remains unclear, but it has been confirmed that recent Dell models, including the XPS and Inspiron 5000 series, come pre-loaded with the self-signed digital certificates.
Dell has admitted that a piece of software called Dell System Detect comes with the DSDTestProvider certificate, which it claims has "similar characteristics" to the much-publicised eDellRoot flaw.
"The impact is limited to customers who used the 'detect product' functionality on our support site between 20 October and 24 November 2015," the firm said in a statement.
"Like eDellRoot, the support certificate in question was designed to make it faster and easier for our customers to get support."
Dell faced mounting criticism earlier this week after the discovery of a major security vulnerability pre-installed in even the most up-to-date computer hardware which can leave sensitive data wide open to attack.
In a similar way to the much-publicised Superfish debacle that hit Lenovo less than a year ago, the security flaw stems from a certificate named eDellRoot which can be exploited to intercept and modify web traffic, including usernames and passwords, as it passes through a system connected to open WiFi.
"Setting things up, I was surprised to see a trusted root certificate pre-installed on the machine labelled eDellRoot. I'm having a tough time coming up with a good reason that Dell needs to be a trusted root CA [Certificate Authority] on my computer," he wrote in a blog post.
"The eDellRoot certificate is a trusted root that expires in 2039 and is intended for 'all' purposes. Notice that this is more powerful than the clearly legitimate DigiCert certificate just above it, which spikes more curiosity.
"As a user computer, I should never have a private key that corresponds to a root CA. Only the certificate-issuing computer should have a private key and that computer should be very well protected."
The discovery was backed up by a user on Reddit under the pseudonym Rotorcowboy, who found the same security flaw on a "shiny new" XPS 15 Dell laptop.
"While attempting to troubleshoot a problem, I discovered that it came pre-loaded with a self-signed root CA by the name of eDellRoot," explained the Reddit post.
"With it came its private key, marked as non-exportable. However, it is still possible to obtain a raw copy of the private key by using several tools available.
"After briefly discussing this with someone else who had discovered this too, we determined that they are shipping every laptop they distribute with the exact same root certificate and private key, very similar to what Superfish did on Lenovo computers. For those that aren't familiar, this is a major security vulnerability that endangers all recent Dell customers."
Dell faced a barrage of messages via social media demanding an explanation for the certificate mix-up.
@nixcraft - Customer security and privacy is a top concern for Dell. We are investigating the issue and will have further updates soon.— Dell (@Dell) November 24, 2015
Dell has now released a statement admitting to the problem and outlining the steps it is taking to resolve the situation.
"Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs unintentionally introduced a security vulnerability," the firm said.
The certificate was intended to make it easier for Dell customer support to assist customers in troubleshooting issues with their hardware, according to Dell.
"The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it."
The firm has stressed that the pre-installed certificate is "not malware or adware".
"It was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers," the statement continued.
"This certificate is not being used to collect personal customer information. It's also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."
Dell has also released step-by-step instructions on how to remove the certificate, and will push a software update to fully solve the problem.
"Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward," said the firm.
"Your trust is important to us and we are actively working to address this issue."
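Before following Dell's removal instructions, an administrator will want to know whether a machine is affected at all. The script below is an added example, not Dell's own tooling: it searches the Windows trusted root stores for the two certificate names quoted in this article (eDellRoot and DSDTestProvider) and, more generally, flags any root CA certificate whose private key is present on the machine, which is the condition the researchers above describe as the real danger. Store paths and the `HasPrivateKey` check are standard Windows PowerShell; the certificate names are the only page-specific values used.

```powershell
# Added example (not Dell's code): audit the Windows trusted root stores for
# the certificates named in the article and for any root CA that carries a
# private key on this machine. Run in an elevated PowerShell session so the
# LocalMachine store is readable.
$knownBad = @('eDellRoot', 'DSDTestProvider')      # names taken from the article
$stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_   # keep a reference; $_ is shadowed inside Where-Object below
        $nameHit = $knownBad | Where-Object {
            $cert.Subject -match $_ -or $cert.FriendlyName -match $_
        }
        # A root CA certificate should never have its private key on an end-user
        # system; a non-exportable key still shows HasPrivateKey = True here.
        if ($nameHit -or $cert.HasPrivateKey) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Reason        = if ($nameHit) { 'Known bad name' } else { 'Root CA with private key' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No eDellRoot/DSDTestProvider certificates and no root CAs with private keys found.'
}
```

The script only reports; removal should follow the Dell process the statement refers to, since the article notes that the certificate does not reinstall itself once removed that way.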
Kevin Bocek, vice president of security strategy and threat intelligence at security firm Venafi, warned that the discovery could lead to a loss of trust.
"In this case, they're breaking everything that's been built over the past 20 years to create trust and privacy on the internet by inserting a rogue CA into systems that can impersonate any trusted site," he said.
"This is exactly what bad guys do with trojans and other malicious software to trick users to access fake sites to surveil/monitor private communications. It's what APT operators, online banking thieves and other cyber criminals have been doing for years."
Security researcher Graham Cluley agreed, saying: "Dell is about to learn an important lesson: it takes years to earn your customers' trust, but only seconds to lose it."