Your favorite tool to watch Netflix abroad isn’t just hijacking and selling your connection. It might make you vulnerable to hacking and more easily trackable online, according to a group of security researchers and developers who have analyzed the popular app Hola.
A spam attack on the imageboard 8chan over the weekend helped reveal that Hola, a free VPN that boasts 46 million installs, sells its users as exit nodes as part of a network of proxies called Luminati, exposing them to having their connections involved in illegal or abusive activities, as Motherboard reported on Thursday.
Now, a group of nine security researchers has exposed a series of ways in which the app puts its users at risk, and is asking its users to uninstall it and say “adios” to Hola.
"Hola is harmful to the internet as a whole, and to its users in particular."
“Hola is harmful to the internet as a whole, and to its users in particular,” the researchers wrote on a website created to show their findings, which they called “Adios Hola.”
In fact, Hola’s browser extension, as well as its standalone Windows app, make some of its users trackable by any website on the internet, according to the researchers.
When a user is running Hola, he or she gets assigned a series of unique numbers, allowing sites to track the user while browsing the internet—this is similar to how cookies work. Moreover, these values never change, even when you reboot, according to the researchers, who have created a tool that lets users see their own unique identifying values.
A screenshot of the "Adios Hola" test when I visited it.
Another problem with some versions of Hola’s app, according to the researchers, is that it contains some vulnerabilities in its API that could allow malicious hackers to run arbitrary code on a Hola users’ computer. That means a malicious hacker could get malware installed on the victim’s computer if the hacker could get the Hola user to visit a malicious webpage. The researchers, however, didn’t go too much into detail on how that exploit works, to avoid making it too easy for others to replicate the exploit.
(This affects Hola’s Windows and Android apps, as well as Windows Firefox extension, but not all versions of Hola’s app, according to the researchers.)
To demonstrate this flaw, the researchers have created a proof of concept exploit, programming a red button on the “Adios Hola” site that will open the calculator app.
This is obviously a harmless hack, but the point is that the researchers could have programmed the button to run anything else on a Hola users’ computers, including installing spyware or stealing data from the victim’s computer.
“Somebody with more...malicious goals could have easily done the same, but invisibly, automatically, and with a piece of malware instead of a calculator,” the researchers wrote. “They could take over your entire computer, without you even knowing.”
"They could take over your entire computer, without you even knowing."
Ofer Vilenski, the cofounder of Hola, told Motherboard that “there's absolutely no way that we know of to do that, nor have we ever heard such a claim.”
But this issue, according to the researchers, it’s not just a bug, “it’s negligence.”
“It's exactly as bad as it sounds,” Sven Slootweg, an open-source software developer that participated in the research, told Motherboard over chat. “These issues were not an ‘oversight’ or ‘mistake.’ Security issues of this kind can only arise if you either 1) have no clue what you're doing, or 2) simply don't care (or both).”
On their website, which also comes with a more technical analysis of Hola’s privacy and security vulnerabilities, the researchers also highlight some of the issues that have arisen from the attack on 8chan. Particularly, they accuse Hola of selling users internet connections and IPs to “anybody who is willing to pay” through Luminati, a service owned by Hola.
The researchers even posed as Luminati customers to find out how much Luminati costs and they chatted with a representative. They asked him how they enforce a clause in Luminati’s Terms of Service, which says that Luminati users can’t use it for illegal purposes, according to a portion of a chat log published on the site, which the researchers also shared in full with Motherboard.
“How do you enforce this?” one of the researchers asked.
“We dont [sic] we have no idea what you are doing on our platform,” the representative answered.
These are all good reasons to uninstall Hola—"right now."
This contradicts what Hola’s co-founder Vilenski has said on the record, including in repeated emails to Motherboard.
Luminati “is managed by a commercial company [i.e. Hola] that knows who you are, what you are doing, and can turn you in if you do something illegal,” he told me in an email on Friday. “uminati's web site claimed complete anonymity because it provides the user of the service complete anonymity towards the site they are looking at,” but not toward Luminati itself.
Vilenski also insisted in drawing a distinction between Luminati and Tor, the free and open source anonymizing tool, saying that Hola users don’t face the same risks that Tor exit node operators do, because if Hola “sensed criminal activity” on the network, it could see the source and help authorities find the culprit, “not the Hola user through which that traffic was relayed.”
Yet, just earlier this week, Luminati’s website flaunted it as “the world's largest anonymity network,” highlighting how it was “more anonymous” than Tor, and allowed its users to be “unidentifiable.” On the current version of the site, however, there’s no mention of anonymity, although being “unidentifiable” is still included as a benefit of the service.
For the researchers, all these are good reasons to uninstall Hola—“right now.”
“The attacks that we have demonstrated and explained here, can be carried out by anybody, on any website, without your knowledge,” the researchers wrote, even providing a guide on how to do uninstall it. “Even visiting a single website can be dangerous.”