Do you use Hola VPN? You could be part of a DDoS, content theft – or worse

Former Lulzsec-ers, security pros poke the many holes

The truth, the Hola truth, and nothing but the truth

When the Luminati service came to public attention after being used to effectively take down the image board 8chan in a DDoS attack, owner Frederick Brennan told The Register it was impossible to distinguish whether a given IP has the Hola VPN software installed or not.

Adam Blake, director and founder of ThreatSpike Labs, told The Register that this may not be the case: "[We] recently did a security review for a UK SMB and our software picked up indications that traffic was being proxied via some of the workstations. On closer inspection we found Hola installed on two endpoints."

Blake, who has worked as a security consultant at Accenture and Deloitte, added: "We have actually found that is is possible to distinguish requests that originate from Hola versus a standard browser, because the headers Hola injects into requests have lower-case names."

Two common headers (Accept-Encoding and Connection) and one uncommon header (Keep-Alive) are injected with fixed values by Hola. Notably, all other headers that were sent by the requester are modified to use a lower-case name.

"This unique set of changes makes it easy to block or redirect requests originating from Hola using a suitable Web Application Firewall (WAF) software or service," says Blake. "Blocking Hola traffic might be attractive to both operators of services that have been attacked via Hola and also content distributors who implement geo-blocking which Hola helps bypass."

Enterprise users of the Luminati service connect to Hola's "Super Proxies" as though they were standard HTTP proxies, to which are forwarded the clients' browser requests.

Blake suggests that these are additional design flaws. As an example he points out that if a user were to access via the Hola Chrome plugin, that user would see requests being made for content on; however the request itself would go to one of Hola's super proxies.

As these super proxies are standard HTTP proxies, there seems to be nothing to prevent anyone with an internet connection from accessing them – other than the ability to specify the credentials in the Proxy-Authorisation header as the username and password.

Blake did exactly this, without using his Hola credentials, and saw that every website he visited through their proxies which provided IP address information showed a different address, indicating the successful use of Hola's distributed network. On the back-end, Hola's super-nodes are HTTP proxy servers, so credentials can be easily captured or altered by an exit-node running a MITM attack.

Blake notes that "with the predictable list of proxy servers and some captured credentials, anybody can begin sending and receiving traffic through a vast array of Hola users' internet connections."

This in turn can be used to run scripts and botnet-style attacks. All this offers a very different picture of the Luminati service, which is pitched by Hola as a way for "screened" customers to route traffic legitimately through the vast array of exit nodes on the Hola network.

Blake explains that his company's original concern on seeing this software within a customer's network was that it could be used to make requests to private network addresses, which would mean access to the internal network.

"We have since confirmed that it blocks these requests, so at least there is an element of protection," said Blake. "For companies which use public address ranges internally, Hola could definitely be used to access those from within the company firewall."

Hola says its service is moving to SSL to deal with this problem. Blake notes that free and open source SSL proxy sniffers do not effectively mitigate Hola's architectural problems, especially the the network's vulnerability to MITM attacks.

Hola told The Register that it "would like to look back on [these issues] as part of the maturity process, really going from a startup two years ago to a mature company." ®


*The Register understands that Donncha O'Cearbhaill ("Palladium"), Ryan Ackroyd, ("APT1337", "Kayla") and Darren Martyn ("pwnsauce" are or have been involved.

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021