Hola VPN client vulnerabilities put millions of users at risk

After the company was exposed for turning users into a massive botnet, researchers (including ex-LulzSec members) have disclosed a number of zero-day vulnerabilities in the Hola VPN software

[Image: tunnel gate entrance. Credit: Adam Carter]

Update: A follow-up to this story can be found here.

Hola, an Israeli company that develops a browser plug-in heavily promoted as a means to bypass region locks on Web-based content and to surf anonymously, has shipped software with several critical vulnerabilities that put users at risk, researchers warn.

Hola was in the news this week after it was discovered that the company was selling its users' connections, creating what researchers call "a poorly secured botnet." Hola charges subscribers of its paid service $1.45 to $20 per GB of traffic, which is routed through the networks of those who use the free Hola product.

That in itself is bad, but what's worse is that the software driving this commercial botnet has a number of exploitable flaws that were fully disclosed on Friday.

The number of affected users isn't immediately clear, with estimates ranging from 8 million to 42 million people, but the researchers have determined that the Windows client, Firefox add-on, Chrome extension, and Android application all contain multiple vulnerabilities.

If exploited, these flaws will allow a remote or local attacker to gain code execution and potentially escalate privileges on a user's system.

Moreover, as the users of the free version of Hola act as exit-nodes for those that pay, there is a chance a malicious actor could act as a "Man-in-the-Middle for other users of the free or premium Hola network, or its commercial 'bandwidth' service, Luminati," the researchers explained.

"This problem is not just an 'oversight'. It's not a thing where you say 'well, bugs can happen'. This kind of security issue can only happen if a developer is either grossly incompetent, or simply doesn't care about the security of their users. It's negligence, plain and simple, and there's no excuse for it," the researchers added.

Explaining the reason behind using Full Disclosure instead of trying to work with Hola to fix the flaws, the researchers pointed to the recent botnet news cycle, where Hola altered the product's FAQ after the story broke.

Prior to the edits, the FAQ never clearly explained what was happening on the free user's network. In fact, the botnet itself was only detected after an administrator at 8Chan noticed the traffic patterns during a recent DDoS attack.

The researchers are encouraging users to uninstall Hola completely, as that is the only fix available currently.

In addition to their advice, they've developed a website explaining the issue, including a script that acts as a proof-of-concept test proving the code execution flaws.
