Do you use Hola VPN? You could be part of a DDoS, content theft – or worse

Former Lulzsec-ers, security pros poke the many holes


Embattled "free" VPN provider Hola is facing criticism over its practice of turning its users into exit nodes in a paid-for anonymisation service which can easily be used for nefarious activities. Hola's software is also claimed to include "unpatchable" vulnerabilities allowing takeover of user machines.

As the Register reported in May, the Israeli company Hola, which provides a P2P VPN, is selling access to its users' devices for use as exit nodes for those wanting to obfuscate the source of HTTP, HTTPS or TLS requests.

This service is being offered through Hola's Luminati brand, which sells VPN users' bandwidth at $20/GB – without compensating those users for essentially carrying all the overhead expenses.

The company has been facing criticism from a group including some former Lulzsec hackers* which has established a site known as "Adios, Hola!".

Initially postulating that there were numerous holes in Hola's overlay network client, the group warned of vulnerabilities which could "allow a remote or local attacker to gain code execution and potentially escalate privileges on a user's system".

Responses and ripostes between Hola and its critics led to Hola issuing several updates. The company claimed the remote code execution issue was "all patched up and remotely updated to all customers".

The Adios Hola! group acknowledged that the critical vulnerabilities have been "(at least partly) patched". However, their same email cautiously claimed that some might potentially still be exploited.

They told The Register that they believed Hola's checks on the origins of executable commands "are not enough though, because they could still be exploited through MITM [man-in-the-middle attacks] or, potentially, XSS in hola.org."

Talking to The Register before the latest update, the hackers suggested that some of the vulnerabilities might be unpatchable.

"The way Hola designed the software, it requires being able to 'launch applications on request' like that. Removing/blocking that functionality would break *actual* Hola functionality. So, it's a problem with their architecture, really. They most likely just didn't think through the security implications."

According to a group member known as Raylee, many of the problems originate with a Hola component called zconsole. This is a command line interface "used by the full Hola client for mainly debugging, which contains a lot of features that would prove useful to an attacker, not least download and execute."

Of course, there are other issues. zconsole still exists, at least in the last version I checked (but it's now harder to get to). Also, there's the whole exit node thing, which is by design. Also, MITM is pretty easy, also by design: if some unlucky person goes through a bad exit node they could get iframes to exploit kits injected into all their website browsing through Hola, or they could get a phish instead of Netflix.

A Hola spokesperson described zconsole as a "software module that is part of our remote update mechanism – it is used to continuously update our software to counter the censorship attempts that are implemented on a daily basis".

The company acknowledged to The Register that there "was a vulnerability that was identified", and claimed that it has "fixed [and also] removed much of the console that could have in any way assisted hackers".

A spokesperson also told The Register:

"Hola has been in contact with the guys at Adios, Hola! and will continue to be in order to learn as much as possible from the thorough research they've done. We would also welcome their participation in our upcoming Vulnerability Bounty Program when it is formally announced following the completion of our security review."

Broader topics


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading

Biting the hand that feeds IT © 1998–2022