{"id":4048,"date":"2015-06-09T16:05:36","date_gmt":"2015-06-09T16:05:36","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4048"},"modified":"2019-11-15T07:03:58","modified_gmt":"2019-11-15T12:03:58","slug":"misadventures-with-hola-service-or-a-lot-of-strings-attached","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/misadventures-with-hola-service-or-a-lot-of-strings-attached\/4048\/","title":{"rendered":"Misadventures with Hola service, or A lot of strings attached"},"content":{"rendered":"<p>A severe scandal broke recently around Hola, a popular free peer-to-peer (p2p) service marketed mainly as a way to surf the web anonymously. Aside from a number of vulnerabilities that directly put Hola users at risk, researchers also accused Hola of selling its users\u2019 bandwidth without properly notifying them, and there has been at least one report of the Hola network being abused to launch a DDoS attack. It all serves to show that even when something is \u201cfree,\u201d there may still be a cost.<\/p>\n<p><strong>Hola and adios<\/strong><\/p>\n<p>Hola is a free service that routes traffic through other users\u2019 machines, in the fashion of any other p2p network, thereby enabling both anonymous surfing and access to online resources blocked for whatever reason, from censorship to regional restrictions imposed by media companies.<\/p>\n<p>Free and capable, Hola offers a standalone Windows client, add-ons for Firefox and Chrome and an Android app. Unsurprisingly, it is quite popular: Hola\u2019s website boasts 46 million users. 
That popularity makes Hola\u2019s network large and resilient. Unfortunately, it also makes the network attractive to abuse.<\/p>\n<p><strong>\u201cHolander\u201d: full of holes<\/strong><\/p>\n<p>According to <a href=\"https:\/\/threatpost.com\/researchers-hola-fixes-incomplete\/113080\" target=\"_blank\" rel=\"noopener nofollow\">Threatpost<\/a>, late in May security researchers published <a href=\"http:\/\/adios-hola.org\/index.html#problem_luminati\" target=\"_blank\" rel=\"noopener nofollow\">a highly critical report<\/a> on Hola describing multiple vulnerabilities that expose users to information disclosure, local file read and remote code execution.<\/p>\n<p>The researchers also revealed that Hola runs a second business, Luminati, which sells access to the Hola network to anyone willing to pay up to $20 per GB. Hola\u2019s founder Ofer Vilenski <a href=\"https:\/\/torrentfreak.com\/hola-vpn-sells-users-bandwidth-150528\/\" target=\"_blank\" rel=\"noopener nofollow\">essentially confirmed<\/a> that claim.<\/p>\n<p>\u201c<em>The Hola Unblocker Windows client, Firefox addon, Chrome extension and Android application contain multiple vulnerabilities which allow a remote or local attacker to gain code execution and potentially escalate privileges on a user\u2019s system. Additional design flaws allow a Hola user to be tracked across the internet via a persistent ID. 
Furthermore, as Hola users \u2013 wittingly, or otherwise \u2013 act as exit-nodes for the overlay network, each is capable of acting as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial \u2018bandwidth\u2019 service, Luminati, and thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks<\/em>,\u201d the researchers said in their <a href=\"http:\/\/adios-hola.org\/advisory.txt\" target=\"_blank\" rel=\"noopener nofollow\">advisory<\/a>, adding that the only remedy is to promptly uninstall the Hola software and manually delete the C:\\Program Files\\Hola folder.<\/p>\n<p>The researchers also said that the half-dozen vulnerabilities they found are of such magnitude that they can only be described as \u201cnegligence, plain and simple.\u201d<\/p>\n<p>Some of their other findings on Hola are just as disturbing:<\/p>\n<p>\u201c<em>Hola is a \u201cpeer-to-peer\u201d VPN. This may sound nice, but what it actually means is that other people browse the web through your internet connection. To a website, it seems like it\u2019s you browsing the site. Perhaps that doesn\u2019t seem bad to you. However, imagine that somebody uploaded child pornography through your connection, for example. 
To everybody else, it seems as if it was your computer that did it, and you can\u2019t really prove otherwise.\u201d<\/em><\/p>\n<p><strong>The investigation<\/strong><\/p>\n<p>In fact, the security scrutiny of Hola appears to have been prompted by a DDoS attack on the highly controversial message board 8chan; according to 8chan founder Frederick Brennan, the attacks <a href=\"http:\/\/thehackernews.com\/2015\/05\/hola-widely-popular-free-vpn-service.html\" target=\"_blank\" rel=\"noopener nofollow\">originated from the Luminati\/Hola network<\/a>.<\/p>\n<p>An attacker, Brennan said, used the Luminati network to send thousands of legitimate-looking POST requests to 8chan\u2019s post.php within 30 seconds, a 100x spike over peak traffic that crashed PHP-FPM. Because the requests were well formed and arrived from the addresses of ordinary Hola users acting as exit nodes, they were hard to tell apart from genuine traffic, which makes such an attack difficult to filter.<\/p>\n<p>The attacks were reportedly carried out by someone using the handle BUI, who appears to be a <a href=\"http:\/\/thehackernews.com\/2015\/05\/hola-widely-popular-free-vpn-service.html\" target=\"_blank\" rel=\"noopener nofollow\">known spammer<\/a>. 
Hola\u2019s founder Ofer Vilenski claims that since BUI\u2019s account was terminated, <em>8Chan has had no further problems<\/em>.<\/p>\n<p>Vilenski later said that Luminati <a href=\"http:\/\/www.androidheadlines.com\/2015\/05\/hola-vpn-extension-used-for-botnet-attack-on-8chan.html\" target=\"_blank\" rel=\"noopener nofollow\">screens<\/a> commercial customers before letting them use the Hola network, and that BUI simply slipped through the net, an isolated case. Ostensibly.<\/p>\n<p>He also acknowledged that users are most likely unaware of the Luminati business, simply because they don\u2019t care. Hola\u2019s old FAQ mentioned the possibility of commercial use only vaguely; it was later updated with a fuller explanation of \u201ccommercial purposes,\u201d claiming that \u201c<em>Hola is a managed and supervised network and thus any illegal activity such as CP, etc. would be reported to the authorities with the real IP of the user<\/em>.\u201d<\/p>\n<p>The researchers, however, <a href=\"http:\/\/adios-hola.org\/index.html#problem_luminati\" target=\"_blank\" rel=\"noopener nofollow\">pointed to their exchange with an unnamed Luminati salesperson<\/a> who stated outright that the rules are not really enforced on the network: \u201c<em>We have no idea what you are doing on our platform<\/em>.\u201d<\/p>\n<p>That stance makes the platform not unlike the notorious \u201cbullet-proof hosting\u201d services used by criminals. \u201cIn reality, it operates like a poorly secured botnet,\u201d the researchers said. \u201cA voluntary botnet,\u201d <a href=\"http:\/\/motherboard.vice.com\/read\/your-tool-to-access-netflix-content-abroad-is-hijacking-your-internet-connection\" target=\"_blank\" rel=\"noopener nofollow\">adds<\/a> Lorenzo Franceschi-Bicchierai, a staff writer with Motherboard.<\/p>\n<p>As for Hola\u2019s overall reaction, it is questionable at best. 
The company <a href=\"http:\/\/hola.org\/blog\/the-recent-events-on-the-hola-network\" target=\"_blank\" rel=\"noopener nofollow\">claims<\/a> that everyone makes mistakes, which is true, but it acknowledged just two vulnerabilities, whereas the researchers say they found six. Moreover, according to the researchers, the flaws are still present, and all Hola did was break the harmless vulnerability-checker proof-of-concept tool the researchers had developed.<\/p>\n<p>The prosecution rests.<\/p>\n<p><strong>You get what you pay for<\/strong><\/p>\n<p>Of course, this story leaves some room for doubt and further questions. For instance, who are the researchers, and how credible is their investigation?<\/p>\n<p>The researchers list a number of names or monikers and web contacts (mostly Twitter), and they appear to be what they claim: active researchers and pentesters.<\/p>\n<p>How substantiated are their claims? They have a <a href=\"http:\/\/adios-hola.org\/advisory.txt\" target=\"_blank\" rel=\"noopener nofollow\">technical advisory<\/a> and a <a href=\"http:\/\/www.youtube.com\/watch?v=0yh07wCBGuw\" target=\"_blank\" rel=\"noopener nofollow\">video<\/a> demonstrating their proof-of-concept exploit launching the Windows Calculator. How convincing they are is for you to judge. For now, Hola\u2019s problems have been widely reported in the industry media, and Hola itself has at least partially acknowledged them, although it seems to prefer keeping the details under wraps. Still, the company said it will hire a chief security officer in the coming weeks to improve its security.<\/p>\n<p>The primary issue here is, again, the real cost of free offers. Hola\u2019s stance is <em>almost honest<\/em>: you want free services? You have something that is of use to us, namely your idle or not-so-idle resources. 
If you don\u2019t want them to be used by us, there is a paid tier for you.<\/p>\n<p>So essentially there are strings attached, and probably even more than anyone was bargaining for.<\/p>\n<p>That\u2019s\u00a0not uncommon with anything offered \u201cfor free\u201d.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The primary issue here is the real cost of free offers. Hola\u2019s stance is almost honest: You want free services? You have something that is of use to us \u2013 your idle or not-so-idle resources. If you don\u2019t want them to be used by us, there is a paid tier for you.<\/p>\n","protected":false},"author":209,"featured_media":15664,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[759,2311,2312,97,268],"class_list":{"0":"post-4048","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-free","10":"tag-hola","11":"tag-p2p","12":"tag-security-2","13":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/misadventures-with-hola-service-or-a-lot-of-strings-attached\/4048\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/misadventures-with-hola-service-or-a-lot-of-strings-attached\/4048\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/misadventures-with-hola-service-or-a-lot-of-strings-attached\/4048\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/free\/","name":"free"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4048","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\
/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4048"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4048\/revisions"}],"predecessor-version":[{"id":30470,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4048\/revisions\/30470"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15664"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4048"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4048"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4048"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}