Hola browser extension should be uninstalled, researchers say

Israel-based Hola said it is working to fix the problems and will undertake a security review

Researchers are advising users uninstall Hola, a browser extension, due to software vulnerabilities and privacy concerns.

Researchers are advising users uninstall Hola, a browser extension, due to software vulnerabilities and privacy concerns.

Security researchers contend the developer of a popular browser extension has not fixed vulnerabilities they found, and are recommending users should get rid of it.

The free extension, from Israel-based Hola, is a peer-to-peer program that routes people's Internet traffic through other Hola users' computers. It can let users watch geoblocked content by routing traffic through the authorized region or offer greater anonymity, similar to Tor, when Web browsing. It has been downloaded millions of times.

Last week, a group of nine researchers launched a website called "Adios, Hola!" that describes several flaws affecting the Hola Unblocker Windows client, the extension for Firefox and Chrome, and its Android application.

The flaws could allow "a remote or local attacker to gain code execution and potentially escalate privileges on a user's system," according to an advisory.

The researchers also warned that people using Hola could be subjected to a man-in-the-middle attack, where their browsing traffic could be observed or a remote file could be downloaded to their system.

Hola was also accused of not being clear with users that their computers are used during idle time to route traffic from other computers, which saves Hola bandwidth costs.

Consumers may not be aware, for example, that criminal activity could be routed through their computer without their knowledge, causing potential legal problems, the researchers contend.

Hola's CEO, Ofer Vilenski, admitted in a blog post Monday that his company made mistakes but is trying to fix them by undergoing an internal security review and an external audit.

"We have experienced the growing pains of our large network now and are implementing these lessons," he wrote.

The company fixed two vulnerabilities in its products last week, which could allow a hacker to install remote code on devices with Hola installed, Vilenski wrote.

"In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community," he wrote.

On Monday, the researchers wrote they identified six vulnerabilities in Hola's applications, not just two, and alleged that none of them are fixed. They contend the changes Hola made broke their tools for checking for flaws and also its demonstration exploit, but not the underlying problems.

Last week, a hacker abused Hola's premium service, called Luminati, to conduct a distributed denial-of-service attack against the image board 8chan. Luminati is a paid-for product that utilizes the bandwidth of computers running the free extension.

8chan wrote on its website that "an attacker used the Luminati network to send thousands of legitimate looking POST requests to 8chan's post.php in 30 seconds," which caused traffic to spike by 100 times.

Vilenski wrote that a spammer managed to trick Hola into allowing him to become a Luminati customer, who are required to show identification.

"He passed through our filters and was able to take advantage of our network," he wrote. "We analyzed the incident and built the necessary measures in our processes to ensure that such incidents do not occur and deactivated his service."

Scrutiny into Hola is now coming from other sources. Vectra, a computer security company, studied Hola and concluded it "contains a variety of features that make it an ideal platform for executing targeted cyber attacks."

The communication protocol used by Hola, for example, has been found in five malware samples on VirusTotal, Vectra wrote. "Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationssecuritybrowserssoftwareHola

More about Twitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place