Security researchers contend the developer of a popular browser extension has not fixed vulnerabilities they found, and are recommending that users remove it.
The free extension, from Israel-based Hola, is a peer-to-peer program that routes people’s Internet traffic through other Hola users’ computers. It can let users watch geoblocked content by routing traffic through the authorized region or offer greater anonymity, similar to Tor, when Web browsing. It has been downloaded millions of times.
Last week, a group of nine researchers launched a website called “Adios, Hola!” that describes several flaws affecting the Hola Unblocker Windows client, the extension for Firefox and Chrome, and its Android application.
The flaws could allow “a remote or local attacker to gain code execution and potentially escalate privileges on a user’s system,” according to an advisory.
The researchers also warned that people using Hola could be subjected to a man-in-the-middle attack, where their browsing traffic could be observed or a remote file could be downloaded to their system.
Hola was also accused of not being clear with users that their computers are used during idle time to route traffic from other computers, which saves Hola bandwidth costs.
Consumers may not be aware, for example, that criminal activity could be routed through their computer without their knowledge, causing potential legal problems, the researchers contend.
Hola’s CEO, Ofer Vilenski, admitted in a blog post Monday that his company made mistakes but is trying to fix them by undergoing an internal security review and an external audit.
“We have experienced the growing pains of our large network now and are implementing these lessons,” he wrote.
The company fixed two vulnerabilities in its products last week that could have allowed a hacker to run code remotely on devices with Hola installed, Vilenski wrote.
“In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community,” he wrote.
On Monday, the researchers wrote they identified six vulnerabilities in Hola’s applications, not just two, and alleged that none of them are fixed. They contend the changes Hola made broke their tools for checking for flaws and also its demonstration exploit, but not the underlying problems.
Last week, a hacker abused Hola’s premium service, called Luminati, to conduct a distributed denial-of-service attack against the image board 8chan. Luminati is a paid-for product that utilizes the bandwidth of computers running the free extension.
8chan wrote on its website that “an attacker used the Luminati network to send thousands of legitimate looking POST requests to 8chan’s post.php in 30 seconds,” which caused traffic to spike by 100 times.
Vilenski wrote that a spammer managed to trick Hola into accepting him as a Luminati customer; Luminati customers are required to show identification.
“He passed through our filters and was able to take advantage of our network,” he wrote. “We analyzed the incident and built the necessary measures in our processes to ensure that such incidents do not occur and deactivated his service.”
Scrutiny into Hola is now coming from other sources. Vectra, a computer security company, studied Hola and concluded it “contains a variety of features that make it an ideal platform for executing targeted cyber attacks.”
The communication protocol used by Hola, for example, has been found in five malware samples on VirusTotal, Vectra wrote. “Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys.”