Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Hola VPN Vulnerabilities Still Unfixed: Researchers

It has been a tough week for Hola.

It has been a tough week for Hola.

During the past several days, the peer-to-peer virtual private network (VPN) has come into the crosshairs of the security community. Last week, security researchers uncovered multiple vulnerabilities affecting the Hola Overlay Network Client that exposed users to remote code execution by attackers. Though Hola said the vulnerabilities have been patched, a group of researchers is contending that the vulnerabilities remain open.

“The vulnerabilities are still there, they just broke our vulnerability checker and exploit demonstration,” the researchers explained in a statement posted on the website ‘Adios,Hola!’.

In their advisory, the researchers explained that the Hola Unblocker Windows client, Firefox add-on, Chrome extension and Android application contain multiple bugs that enable attackers to remotely execute code and elevate privileges.

“Additional design flaws allow a Hola user to be tracked across the internet via a persistent ID,” the advisory notes. “Furthermore, as Hola users – wittingly, or otherwise – act as exit-nodes for the overlay network, each is capable of acting as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial ‘bandwidth’ service, Luminati, and thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks.”

In a statement, Hola CEO Ofer Vilenski responded that two vulnerabilities had been found in the company’s product in the past week and had been fixed “within hours of them being published.” However, the security researchers noted that six vulnerabilities had been found, not just two, and called the security issues with Hola “straight-out negligence.”

Hola describes itself as a community-powered VPN that routes traffic through other nodes (peers) in the Hola network as opposed to routing it through servers. The company offers a free service for consumers as well as a business-class VPN through its Luminati service. Luminati was the target of additional criticism last week when 8Chan founder Fredrick Brennan said the message board was hit by a distributed denial-of-service (DDoS) attack that was traced to the Luminati network. As a result, concerns were raised that Hola users could be used as part of a botnet.

“There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cyber criminal traffic that could get them in trouble (Thus the ‘botnet’ accusation),” blogged Vilenski. “The reality is that we have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified. This makes the Hola/Luminati network unattractive to criminals – as opposed to Tor for example, which provides them complete anonymity for free.”

Advertisement. Scroll to continue reading.

Vilenski acknowledged that an attacker used Luminati last week by posing as a corporation.

“We analyzed the incident, and built the necessary measures in our processes to ensure that such incidents do not occur, and deactivated his service,” the CEO explained. “We will cooperate with any investigation of the incident to ensure that he will be punished to the fullest extent.”

The company said it will be hiring a chief security officer in the coming weeks to improve security, and has plans to launch a bug bounty program to encourage bug-finders to come forward.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.