Update 6/3/2015 1:23 PM: Hola has informed us that Vectra’s claims have been partially retracted by the security firm. Vectra has clarified that Hola is not a botnet, but rather can be used to enable a botnet. Further, it appears that attack samples cited earlier only indicate attempted attacks against Hola users, not attacks proven to be successful.
As a result of these changes, Vectra has rescinded its broad recommendation that users uninstall Hola. Instead, the firm says “we highly encourage organizations to determine if Hola is active in their network and decide whether the risks highlighted in this blog are acceptable.” You can read the full post detailing those risks here.
Original text: Last week the free VPN service Hola Unblocker was revealed by security researchers to be acting as a botnet and selling its free users’ bandwidth through a premium service called Luminati. The security concerns meant someone could possibly gain control of your computer or carry out man-in-the-middle attacks.
A second team of researchers at cybersecurity firm Vectra has now published its own findings into the unblocking service, which it calls “both intriguing and troubling.”
According to Vectra, Hola not only acts like a botnet but has allegedly been designed to be able to carry out a “targeted, human-driven cyber attack on the network in which an [sic] Hola user’s machine resides.”
The researchers found that the VPN features a built-in console, or zconsole, that remains active even when the user is not currently browsing via Hola, allowing a malicious actor to list and kill any running process or open a socket to any “IP address, device, guid, alias or Windows name.” They could also install more software on the user’s computer without her knowing, says the report, and potentially bypass antivirus checks.
“These capabilities enable a competent attacker to accomplish almost anything,” says Vectra. “This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software.”
Furthermore, Vectra analyzed the protocol used by Hola with the VirusTotal tool, which scans for malware. The researchers found five different malware samples that had existed on Hola before the recent news broke. “Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys,” they wrote.
In response to the initial report from Adios, Hola!, who made the botnet claims against the VPN, Hola’s CEO Ofer Vilenski said on Monday that the company had patched two vulnerabilities identified in the report and that a vulnerability “has happened to everyone.”
Adios, Hola in its own reply said that it had in fact identified six vulnerabilities, not two, and rejected the claim that mistakes can happen. “As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to ‘oversight’; rather, it’s straight-out negligence,” they said. “They are not comparable to the others mentioned – they are much worse.”
The researchers have called for greater transparency from the Israeli company on its security issues. Vilenski added that Hola will launch a bug bounty program soon to identify any more vulnerabilities in the software.
Both Adios, Hola and Vectra are urging users to uninstall the program immediately. The plug-in or add-on has roughly 46 million users globally. Users of the service can route their traffic through other Hola users’ computers. The service is popular with people looking to access streaming sites like Netflix from countries where it has yet to launch.