Security Experts:

Connect with us

Hi, what are you looking for?



Hola VPN Vulnerabilities Still Unfixed: Researchers

It has been a tough week for Hola.

It has been a tough week for Hola.

During the past several days, the peer-to-peer virtual private network (VPN) has come into the crosshairs of the security community. Last week, security researchers uncovered multiple vulnerabilities affecting the Hola Overlay Network Client that exposed users to remote code execution by attackers. Though Hola said the vulnerabilities have been patched, a group of researchers is contending that the vulnerabilities remain open.

“The vulnerabilities are still there, they just broke our vulnerability checker and exploit demonstration,” the researchers explained in a statement posted on the website ‘Adios,Hola!’.

In their advisory, the researchers explained that the Hola Unblocker Windows client, Firefox add-on, Chrome extension and Android application contain multiple bugs that enable attackers to remotely execute code and elevate privileges.

“Additional design flaws allow a Hola user to be tracked across the internet via a persistent ID,” the advisory notes. “Furthermore, as Hola users – wittingly, or otherwise – act as exit-nodes for the overlay network, each is capable of acting as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial ‘bandwidth’ service, Luminati, and thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks.”

In a statement, Hola CEO Ofer Vilenski responded that two vulnerabilities had been found in the company’s product in the past week and had been fixed “within hours of them being published.” However, the security researchers noted that six vulnerabilities had been found, not just two, and called the security issues with Hola “straight-out negligence.”

Hola describes itself as a community-powered VPN that routes traffic through other nodes (peers) in the Hola network as opposed to routing it through servers. The company offers a free service for consumers as well as a business-class VPN through its Luminati service. Luminati was the target of additional criticism last week when 8Chan founder Fredrick Brennan said the message board was hit by a distributed denial-of-service (DDoS) attack that was traced to the Luminati network. As a result, concerns were raised that Hola users could be used as part of a botnet.

“There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cyber criminal traffic that could get them in trouble (Thus the ‘botnet’ accusation),” blogged Vilenski. “The reality is that we have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified. This makes the Hola/Luminati network unattractive to criminals – as opposed to Tor for example, which provides them complete anonymity for free.”

Vilenski acknowledged that an attacker used Luminati last week by posing as a corporation.

“We analyzed the incident, and built the necessary measures in our processes to ensure that such incidents do not occur, and deactivated his service,” the CEO explained. “We will cooperate with any investigation of the incident to ensure that he will be punished to the fullest extent.”

The company said it will be hiring a chief security officer in the coming weeks to improve security, and has plans to launch a bug bounty program to encourage bug-finders to come forward.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet