It has been a tough week for Hola.
During the past several days, the peer-to-peer virtual private network (VPN) has come into the crosshairs of the security community. Last week, security researchers uncovered multiple vulnerabilities in the Hola Overlay Network Client that exposed users to remote code execution by attackers. Although Hola said the vulnerabilities had been patched, the researchers contend that the vulnerabilities remain open.
“The vulnerabilities are still there, they just broke our vulnerability checker and exploit demonstration,” the researchers explained in a statement posted on the website ‘Adios,Hola!’.
In their advisory, the researchers explained that the Hola Unblocker Windows client, Firefox add-on, Chrome extension and Android application contain multiple bugs that enable attackers to remotely execute code and elevate privileges.
“Additional design flaws allow a Hola user to be tracked across the internet via a persistent ID,” the advisory notes. “Furthermore, as Hola users – wittingly, or otherwise – act as exit-nodes for the overlay network, each is capable of acting as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial ‘bandwidth’ service, Luminati, and thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks.”
In a statement, Hola CEO Ofer Vilenski responded that two vulnerabilities had been found in the company’s product in the past week and had been fixed “within hours of them being published.” However, the security researchers noted that six vulnerabilities had been found, not just two, and called the security issues with Hola “straight-out negligence.”
Hola describes itself as a community-powered VPN that routes traffic through other users' devices (peers) in the Hola network rather than through servers the company operates. The company offers a free service for consumers as well as a business-class VPN through its Luminati service. Luminati was the target of additional criticism last week when 8chan founder Fredrick Brennan said the message board was hit by a distributed denial-of-service (DDoS) attack that was traced to the Luminati network. As a result, concerns were raised that Hola users' machines could be used as part of a botnet.
“There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cyber criminal traffic that could get them in trouble (Thus the ‘botnet’ accusation),” blogged Vilenski. “The reality is that we have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified. This makes the Hola/Luminati network unattractive to criminals – as opposed to Tor for example, which provides them complete anonymity for free.”
Vilenski acknowledged that an attacker used Luminati last week by posing as a corporation.
“We analyzed the incident, and built the necessary measures in our processes to ensure that such incidents do not occur, and deactivated his service,” the CEO explained. “We will cooperate with any investigation of the incident to ensure that he will be punished to the fullest extent.”
The company said it will be hiring a chief security officer in the coming weeks to improve security, and plans to launch a bug bounty program to encourage researchers who find vulnerabilities to report them.