Misadventures with Hola service, or A lot of strings attached

June 9, 2015

A severe scandal broke recently around a popular free p2p service Hola, whose main purpose is enabling anonymous surfing. Aside from a number of vulnerabilities which directly put Hola users at risk, researchers also blamed Hola for selling the users’ bandwidth without notifying them properly; also there has been at least one report of abuse of Hola’s capabilities to launch a DDoS-attack. This serves to show that even when something is “free,” there may still be a cost.

Hola and adios

Hola is a free service that redirects traffic in the fashion of any other p2p network, thus enabling both anonymous surfing and access to online resources blocked for whatever reason – from censorship to regional restrictions by media companies.

Free and capable, Hola offers a Windows standalone client, plugins for Firefox and Chrome, as well as an Android app. Unsurprisingly, it is quite popular – Hola’s website boasts 46 million users of its service. The popularity makes Hola’s network strong and vast. And prone to abuse as well, unfortunately.

holawide

“Holander”: full of holes

According to Threatpost, late in May security researchers published a highly critical report on Hola, discovering a large number of possible fatal vulnerabilities which expose users to information disclosure, local file read, and remote code execution.

The researchers also revealed that Hola runs another business, Luminati, which sells access to the Hola network to anyone who is willing to pay up to $20 per GB for it. Hola’s founder Ofer Vilenski essentially confirmed that claim.

The Hola Unblocker Windows client, Firefox addon, Chrome extension and Android application contain multiple vulnerabilities which allow a remote or local attacker to gain code execution and potentially escalate privileges on a user’s system. Additional design flaws allow a Hola user to be tracked across the internet via a persistent ID. Furthermore, as Hola users – wittingly, or otherwise – act as exit-nodes for the overlay network, each is capable of acting as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial ‘bandwidth’ service, Luminati, and thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks,” said researchers in their advisory, claiming that no solution for these problems exists other than a prompt uninstallation of Hola software with manual removal of C:Program FilesHola folder.

Researchers also said that the half dozen vulnerabilities discovered are of such a magnitude that they can be only described as “negligence, plain and simple”.

Some of their other findings on Hola are also quite disturbing:

Hola is a “peer-to-peer” VPN. This may sound nice, but what it actually means is that other people browse the web through your internet connection. To a website, it seems like it’s you browsing the site. Perhaps that doesn’t seem bad to you. However, imagine that somebody uploaded child pornography through your connection, for example. To everybody else, it seems as if it was your computer that did it, and you can’t really prove otherwise.”

The investigation

In fact, it looks like the security scrutiny of Hola had been launched after the story of a DDoS attack directed at a highly controversial message board 8chan; according to 8chan founder Frederick Brennan, the attacks originated from the Luminati/Hola network.

An attacker, Brennan said, used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM. The legitimate-looking POST requests also meant that countering such an attack would be a big deal.

The attacks were reportedly carried out by someone using the handle BUI, who appears to be a renowned spammer. Hola’s founder Ofer Vilenski claims that since terminating BUI’s account, 8Chan has had no further problems.

Vilenski himself said later that Luminati screens the commercial users before letting them use the Hola network, and that the aforementioned BUI just slipped through the net, which is an isolated cause. Ostensibly.

He also acknowledged that the users are most likely unaware of the Luminati business – because they don’t care. Hola’s old FAQ only vaguely mentioned the possibility of commercial use of Hola; later it was updated with a fuller explanation of “commercial purposes” claiming that “Hola is a managed and supervised network and thus any illegal activity such as CP, etc. would be reported to the authorities with the real IP of the user“.

The researchers, however, pointed at their exchange with Luminati unnamed sales person who claimed outright that the rules aren’t exactly enforced on the network: “We have no idea what you are doing on our platform“.

This stance makes the platform not unlike the notorious “bullet-proof hosting” services used by criminals. “In reality, it operates like a poorly secured botnet”, said the researchers. “A voluntary botnet”, specifies Lorenzo Franceschi-Bicchierai, a staff writer with Motherboard.

As for Hola’s overall reaction, it is questionable at best. They claim everyone make errors – and this is true; but they acknowledged just two vulnerabilities, while the researchers claim they discovered six. Besides, the researchers said, the flaws are still present and all Hola did was break a harmless vulnerability checker proof-of-concept tool developed by the researchers.

The prosecution rests.

You get what you pay for

Of course, this story leaves at least some room for some doubts and extra questions. For instance, who are the researchers and how credible is their investigation?

The researchers list a number of their names/monikers and web contacts (twitter, mostly), and it seems that they are as they claimed: active researchers and pentesters.

How substantiated are their claims? They have a technical advisory and a video demonstrating their PoC exploit launching a Calculator in Windows. How convincing they are? You be a judge. For now, there are a lot of reports about Hola’s problem in the industry media, and Hola itself – at least partially – acknowledged the problems, although it looks like they prefer to keep them under wraps. Still, the company said it will be hiring a chief security officer in the coming weeks to improve their security.

The primary issue here is, again, the real cost of free offers. Hola’s stance here is almost honest: you want free services? You have something that is of use to us – your idle or not-so-idle resources. If you don’t want them to be used by us, there is a paid tier for you.

So essentially there are strings attached, and probably even more than anyone was bargaining for.

That’s not uncommon with anything offered “for free”.