Hola browser extension should be uninstalled, researchers say

Israel-based Hola said it is working to fix the problems and will undertake a security review

Researchers are advising users to uninstall Hola, a browser extension, due to software vulnerabilities and privacy concerns.

Security researchers contend that the developer of a popular browser extension has not fixed vulnerabilities they found, and recommend that users get rid of it.

The free extension, from Israel-based Hola, is a peer-to-peer program that routes people's Internet traffic through other Hola users' computers. It can let users watch geoblocked content by routing traffic through the authorized region or offer greater anonymity, similar to Tor, when Web browsing. It has been downloaded millions of times.

Last week, a group of nine researchers launched a website called "Adios, Hola!" that describes several flaws affecting the Hola Unblocker Windows client, the extension for Firefox and Chrome, and its Android application.

The flaws could allow "a remote or local attacker to gain code execution and potentially escalate privileges on a user's system," according to an advisory.

The researchers also warned that people using Hola could be subjected to a man-in-the-middle attack, where their browsing traffic could be observed or a remote file could be downloaded to their system.

Hola was also accused of not being clear with users that their computers are used during idle time to route traffic from other computers, which saves Hola bandwidth costs.

Consumers may not be aware, for example, that criminal activity could be routed through their computer without their knowledge, causing potential legal problems, the researchers contend.

Hola's CEO, Ofer Vilenski, admitted in a blog post Monday that his company made mistakes but is trying to fix them by undergoing an internal security review and an external audit.

"We have experienced the growing pains of our large network now and are implementing these lessons," he wrote.

The company fixed two vulnerabilities in its products last week, which could allow a hacker to install remote code on devices with Hola installed, Vilenski wrote.

"In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community," he wrote.

On Monday, the researchers wrote that they had identified six vulnerabilities in Hola's applications, not just two, and alleged that none of them are fixed. They contend the changes Hola made broke their tools for checking for flaws and also the demonstration exploit, but did not fix the underlying problems.

Last week, a hacker abused Hola's premium service, called Luminati, to conduct a distributed denial-of-service attack against the image board 8chan. Luminati is a paid-for product that utilizes the bandwidth of computers running the free extension.

8chan wrote on its website that "an attacker used the Luminati network to send thousands of legitimate looking POST requests to 8chan's post.php in 30 seconds," which caused traffic to spike by 100 times.

Vilenski wrote that a spammer managed to trick Hola into allowing him to become a Luminati customer. Luminati customers are required to show identification.

"He passed through our filters and was able to take advantage of our network," he wrote. "We analyzed the incident and built the necessary measures in our processes to ensure that such incidents do not occur and deactivated his service."

Scrutiny of Hola is now coming from other sources. Vectra, a computer security company, studied Hola and concluded it "contains a variety of features that make it an ideal platform for executing targeted cyber attacks."

The communication protocol used by Hola, for example, has been found in five malware samples on VirusTotal, Vectra wrote. "Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Jeremy Kirk

IDG News Service