Users of free VPN Hola vulnerable to hacking, researchers warn

The Hola free peer-to-peer service claims to have “47 million users worldwide” running either the Chrome extension Hola Better Internet or the Firefox add-on Hola Unblocker. The VPN service pointed out that “while on the Internet you are constantly being tracked, probed and sniffed. You are tracked by the sites that you are looking at (which products are you browsing? which articles are you reading?), and possibly by your government, ISP and corporation.” Hola claimed it could make users more secure, but researchers warn that “in reality, it operates like a poorly secured botnet with serious consequences.”

A team of security researchers issued a Hola security advisory that pointed out multiple critical vulnerabilities and warned users to say adios to Hola and uninstall it immediately. The “censorship-evasion and privacy/anonymity-enhancement tool” Hola actually assigns a unique identifier to each user that doesn’t change even after reboots. The researchers said that Hola “allowed you to be tracked across the Internet, no matter what you do.”

There are more security woes too, but Hola was reportedly most popular among people who wanted to watch videos such as on Netflix from a country that would otherwise be blocked from watching the American version of Netflix.

Hola works by using “idle resources of its users’ PCs to route traffic. This essentially turns a Hola user’s computer into a VPN server, or a small part of one. If you’re in Nebraska, for example, and Hola is running on your PC, you might help users outside the U.S. watch Hulu,” explained PCWorld’s Ian Paul. “Under this set-up Hola doesn’t have to pay bandwidth costs for its free users.”

Yet Hola’s previous FAQ page didn’t mention that it sold users’ bandwidth to another of its service called Luminati. This came to light after 8chan operator Fredrick Brennan told Torrent Freak, “Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only).” He added, “An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM.”

In essence, Israel-based Hola sold users’ bandwidth to Luminati to operate botnets. The previous Hola “security and privacy” FAQ explained the app’s permissions as well as antivirus “false positive” reports, but it didn’t explain Luminati until the bad PR hit the fan.

That’s when security researchers got involved; on Adios, Hola they wrote, “Hola is harmful to the internet as a whole, and to its users in particular.”

1. Hola allows “for you to be tracked across the internet, no matter what you do.”
2. Hola sends “traffic of strangers through your internet connection.” The researchers compared using the peer-to-peer VPN to running a Tor exit node; if another Hola user, who happened to use your internet connection to surf the net, also upload child porn, then Johnny Law might think you did it; “even if you can prove your innocence, you can still get raided and tangled up in a long legal process.”
3. Hola sells “access to third parties” and doesn’t care what it’s used for. The researchers added, “Hola also runs another business, Luminati, that sells access to the Hola network to anybody who is willing to pay up to $20 per GB for it.” Hola’s found Ofer Vilenski claimed the person who attacked 8chan “slipped through” their screening process.
4. Hola lets “anybody execute programs on your computer.” That claim came with an “exploit me” button to illustrate the pwnage via opening the calculator on a user’s system. On May 30, Hola pushed an update that broke the exploit demo, but researchers added, “You are still vulnerable through a second method as described in the technical advisory.”

The security advisory contains tech details on four vulnerabilities: 1) Local file read which “allows a remote website to read arbitrary files on the local system via path traversal.” 2) Information disclosure which an attacker could exploit to “persistently track a Hola user across the Internet.” 3) Remote code execution; researchers held back some details about exploiting the RCE vulnerabilities until users could remove Hola, but both the Hola client on Windows and the Android app are vulnerable. 4) If RCE is achieved, then attackers could escalate privileges.

According to the advisory, “Hola Engine for Windows and the Hola Firefox addon on Windows” are vulnerable to the first RCE vulnerability; “Hola Engine for Windows is also vulnerable to the privilege escalation issue.” Additionally the Chrome app extension for Windows, which is available on the Hola website, and the Hola Android app are vulnerable to the second RCE issue as well as the information disclosure and local file read issues.

Adios Hola is the answer, the researchers said. “The architecture of Hola is most likely unfixable. The only reliable solution to the problem is to completely uninstall Hola, whether it is ‘fixed’ or not.”