Hola browser extension should be uninstalled, researchers say

Israel-based Hola said it is working to fix the problems and will undertake a security review

Researchers are advising users to uninstall Hola, a browser extension, due to software vulnerabilities and privacy concerns.

Security researchers contend the developer of a popular browser extension has not fixed vulnerabilities they found, and are recommending that users get rid of it.

The free extension, from Israel-based Hola, is a peer-to-peer program that routes people's Internet traffic through other Hola users' computers. It can let users watch geoblocked content by routing traffic through the authorized region or offer greater anonymity, similar to Tor, when Web browsing. It has been downloaded millions of times.

Last week, a group of nine researchers launched a website called "Adios, Hola!" that describes several flaws affecting the Hola Unblocker Windows client, the extension for Firefox and Chrome, and its Android application.

The flaws could allow "a remote or local attacker to gain code execution and potentially escalate privileges on a user's system," according to an advisory.

The researchers also warned that people using Hola could be subjected to a man-in-the-middle attack, where their browsing traffic could be observed or a remote file could be downloaded to their system.

Hola was also accused of not being clear with users that their computers are used during idle time to route traffic from other computers, which saves Hola bandwidth costs.

Consumers may not be aware, for example, that criminal activity could be routed through their computer without their knowledge, causing potential legal problems, the researchers contend.

Hola's CEO, Ofer Vilenski, admitted in a blog post Monday that his company made mistakes but is trying to fix them by undergoing an internal security review and an external audit.

"We have experienced the growing pains of our large network now and are implementing these lessons," he wrote.

The company fixed two vulnerabilities in its products last week, which could allow a hacker to install remote code on devices with Hola installed, Vilenski wrote.

"In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community," he wrote.

On Monday, the researchers wrote they identified six vulnerabilities in Hola's applications, not just two, and alleged that none of them are fixed. They contend the changes Hola made broke their tools for checking for flaws and also its demonstration exploit, but not the underlying problems.

Last week, a hacker abused Hola's premium service, called Luminati, to conduct a distributed denial-of-service attack against the image board 8chan. Luminati is a paid-for product that utilizes the bandwidth of computers running the free extension.

8chan wrote on its website that "an attacker used the Luminati network to send thousands of legitimate looking POST requests to 8chan's post.php in 30 seconds," which caused traffic to spike by 100 times.

Vilenski wrote that a spammer managed to trick Hola into allowing him to become a Luminati customer; such customers are required to show identification.

"He passed through our filters and was able to take advantage of our network," he wrote. "We analyzed the incident and built the necessary measures in our processes to ensure that such incidents do not occur and deactivated his service."

Scrutiny of Hola is now coming from other sources. Vectra, a computer security company, studied Hola and concluded it "contains a variety of features that make it an ideal platform for executing targeted cyber attacks."

The communication protocol used by Hola, for example, has been found in five malware samples on VirusTotal, Vectra wrote. "Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Jeremy Kirk

IDG News Service