Do you use Hola VPN? You could be part of a DDoS, content theft – or worse
Former Lulzsec-ers, security pros poke the many holes
Embattled "free" VPN provider Hola is facing criticism over its practice of turning its users into exit nodes in a paid-for anonymisation service which can easily be used for nefarious activities. Hola's software is also claimed to include "unpatchable" vulnerabilities allowing takeover of user machines.
As the Register reported in May, the Israeli company Hola, which provides a P2P VPN, is selling access to its users' devices for use as exit nodes for those wanting to obfuscate the source of HTTP, HTTPS or TLS requests.
This service is being offered through Hola's Luminati brand, which sells VPN users' bandwidth at $20/GB – without compensating those users for essentially carrying all the overhead expenses.
The company has been facing criticism from a group including some former Lulzsec hackers* which has established a site known as "Adios, Hola!".
Initially postulating that there were numerous holes in Hola's overlay network client, the group warned of vulnerabilities which could "allow a remote or local attacker to gain code execution and potentially escalate privileges on a user's system".
Responses and ripostes between Hola and its critics led to Hola issuing several updates. The company claimed the remote code execution issue was "all patched up and remotely updated to all customers".
The Adios Hola! group acknowledged that the critical vulnerabilities have been "(at least partly) patched". However, their same email cautiously claimed that some might potentially still be exploited.
They told The Register that they believed Hola's checks on the origins of executable commands "are not enough though, because they could still be exploited through MITM [man-in-the-middle attacks] or, potentially, XSS in hola.org."
Talking to The Register before the latest update, the hackers suggested that some of the vulnerabilities might be unpatchable.
"The way Hola designed the software, it requires being able to 'launch applications on request' like that. Removing/blocking that functionality would break *actual* Hola functionality. So, it's a problem with their architecture, really. They most likely just didn't think through the security implications."
According to a group member known as Raylee, many of the problems originate with a Hola component called zconsole. This is a command line interface "used by the full Hola client for mainly debugging, which contains a lot of features that would prove useful to an attacker, not least download and execute."
Of course, there are other issues. zconsole still exists, at least in the last version I checked (but it's now harder to get to). Also, there's the whole exit node thing, which is by design. Also, MITM is pretty easy, also by design: if some unlucky person goes through a bad exit node they could get iframes to exploit kits injected into all their website browsing through Hola, or they could get a phish instead of Netflix.
A Hola spokesperson described zconsole as a "software module that is part of our remote update mechanism – it is used to continuously update our software to counter the censorship attempts that are implemented on a daily basis".
The company acknowledged to The Register that there "was a vulnerability that was identified", and claimed that it has "fixed [and also] removed much of the console that could have in any way assisted hackers".
A spokesperson also told The Register:
"Hola has been in contact with the guys at Adios, Hola! and will continue to be in order to learn as much as possible from the thorough research they've done. We would also welcome their participation in our upcoming Vulnerability Bounty Program when it is formally announced following the completion of our security review."