Hola browser extension should be uninstalled, researchers say

Israel-based Hola said it is working to fix the problems and will undertake a security review

Researchers are advising users to uninstall Hola, a browser extension, due to software vulnerabilities and privacy concerns.

Security researchers contend that the developer of a popular browser extension has not fixed vulnerabilities they found, and are recommending that users get rid of it.

The free extension, from Israel-based Hola, is a peer-to-peer program that routes people's Internet traffic through other Hola users' computers. It can let users watch geoblocked content by routing traffic through the authorized region or offer greater anonymity, similar to Tor, when Web browsing. It has been downloaded millions of times.

Last week, a group of nine researchers launched a website called "Adios, Hola!" that describes several flaws affecting the Hola Unblocker Windows client, the extension for Firefox and Chrome, and its Android application.

The flaws could allow "a remote or local attacker to gain code execution and potentially escalate privileges on a user's system," according to an advisory.

The researchers also warned that people using Hola could be subjected to a man-in-the-middle attack, where their browsing traffic could be observed or a remote file could be downloaded to their system.

Hola was also accused of not being clear with users that their computers are used during idle time to route traffic from other computers, which saves Hola bandwidth costs.

Consumers may not be aware, for example, that criminal activity could be routed through their computer without their knowledge, causing potential legal problems, the researchers contend.

Hola's CEO, Ofer Vilenski, admitted in a blog post Monday that his company made mistakes but is trying to fix them by undergoing an internal security review and an external audit.

"We have experienced the growing pains of our large network now and are implementing these lessons," he wrote.

The company fixed two vulnerabilities in its products last week, which could allow a hacker to install remote code on devices with Hola installed, Vilenski wrote.

"In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community," he wrote.

On Monday, the researchers wrote they identified six vulnerabilities in Hola's applications, not just two, and alleged that none of them are fixed. They contend the changes Hola made broke their tools for checking for flaws and also its demonstration exploit, but not the underlying problems.

Last week, a hacker abused Hola's premium service, called Luminati, to conduct a distributed denial-of-service attack against the image board 8chan. Luminati is a paid-for product that utilizes the bandwidth of computers running the free extension.

8chan wrote on its website that "an attacker used the Luminati network to send thousands of legitimate looking POST requests to 8chan's post.php in 30 seconds," which caused traffic to spike by 100 times.

Vilenski wrote that a spammer managed to trick Hola into allowing him to become a Luminati customer. Luminati customers are required to show identification.

"He passed through our filters and was able to take advantage of our network," he wrote. "We analyzed the incident and built the necessary measures in our processes to ensure that such incidents do not occur and deactivated his service."

Scrutiny into Hola is now coming from other sources. Vectra, a computer security company, studied Hola and concluded it "contains a variety of features that make it an ideal platform for executing targeted cyber attacks."

The communication protocol used by Hola, for example, has been found in five malware samples on VirusTotal, Vectra wrote. "Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk

IDG News Service