Hola, a popular, free, peer-to-peer service that enables anonymous surfing and access to blocked online resources, said today it has patched vulnerabilities discovered last week that expose its millions of users to possible code execution, remote monitoring and other threats to privacy and security.
The researchers who last week disclosed vulnerabilities in the Hola Unblocker Windows client, Firefox and Chrome extensions, and the Hola Android app, however today said that the flaws are still present and that all Hola did was break a vulnerability checker proof-of-concept tool developed by the researchers.
The flaws, the researchers said, turn Hola into a “poorly secured botnet—with serious consequences,” they said on the Adios, Hola! website. They add that a half-dozen security issues were identified, not two as claimed by Hola.
“Hola also claims that ‘[vulnerabilities happen] to everyone.’ As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to ‘oversight’; rather, it’s straight-out negligence,” the researchers said. “They are not comparable to the others mentioned—they are much worse.”
In an advisory, the researchers describe the vulnerabilities that expose users to information disclosure, local file read, and remote code execution.
“As Hola users—wittingly, or otherwise–act as exit-nodes for the overlay network, each is capable of acting as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial ‘bandwidth’ service, Luminati, and thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks,” the advisory said.
Hola CEO Ofer Vilenski conceded today in a blogpost to mistakes he attributed to his company’s rapid growth. He called the accusations “unjustified” that Hola sells Luminati access to its network for $20 per GB and does a shoddy job screening those paying for access and what they’re doing. Chat logs published on adios-hola.org between the researchers and a Hola salesperson allege that the salesperson said certain potentially harmful terms of service are not enforced. “We have no idea what you are doing on our platform,” adios-hola quotes the unnamed salesperson.
Being a free peer-to-peer network, Hola shares its users’ bandwidth with the network, and Vilenski said the company has changed its website and product “installation flows” to make that clear. Users who do not want to share idled resources can pay for Hola Premium. Vilenski also said Hola does not make its users part of a botnet.
“There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cyber criminal traffic that could get them in trouble (Thus the ‘botnet’ accusation),” Vilenski wrote. “The reality is that we have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified. This makes the Hola/Luminati network unattractive to criminals – as opposed to Tor for example, which provides them complete anonymity for free.”
Last week, a distributed denial of service attack against the message board website 8chan, however, did take advantage of the Hola network. The DDoS was tracked back to Luminati, and today Vilenski admitted the hacker passed through the company’s filters.