After the company was exposed for turning users into a massive botnet, researchers (including ex-LulzSec members) have disclosed a number of zero-day vulnerabilities in the Hola VPN software.

Update: A follow-up to this story can be found here.

Hola, an Israeli company that develops a browser plug-in promoted heavily as a way to bypass region locks on Web-based content and to surf anonymously, has several critical vulnerabilities that put users at risk, researchers warn.

Hola was in the news this week after it was discovered that the company was selling its users’ connections, creating what researchers call “a poorly secured botnet.” Hola charges subscribers of its paid service $1.45 to $20 per GB of traffic, which is routed through the networks of those who use the free Hola product.

That in itself is bad, but what’s worse is that the software driving this commercial botnet has a number of exploitable flaws, which were fully disclosed on Friday. The number of affected users isn’t immediately clear, with estimates ranging from 8 million to 42 million people, but the researchers have determined that the Windows client, Firefox add-on, Chrome extension, and Android application all contain multiple vulnerabilities.

If exploited, these flaws allow a remote or local attacker to gain code execution and potentially escalate privileges on a user’s system. Moreover, because users of the free version of Hola act as exit nodes for those who pay, a malicious actor could act as a “Man-in-the-Middle for other users of the free or premium Hola network, or its commercial ‘bandwidth’ service, Luminati,” the researchers explained.

“This problem is not just an ‘oversight’. It’s not a thing where you say ‘well, bugs can happen’. This kind of security issue can only happen if a developer is either grossly incompetent, or simply doesn’t care about the security of their users. It’s negligence, plain and simple, and there’s no excuse for it,” the researchers added.

Explaining why they chose full disclosure instead of trying to work with Hola to fix the flaws, the researchers pointed to the recent botnet news cycle, in which Hola altered the product’s FAQ after the story broke. Prior to the edits, the FAQ never clearly explained what was happening on the free user’s network. In fact, the botnet itself was only detected after an administrator at 8Chan noticed the traffic patterns during a recent DDoS attack.

The researchers are encouraging users to uninstall Hola completely, as that is currently the only fix available. In addition, they have developed a website explaining the issue, including a script that acts as a proof-of-concept test for the code execution flaws.