Following an initial unproven report that the software operates as a botnet, this weekend researchers published an advisory confirming serious problems with the tool.
“The Hola Unblocker Windows client, Firefox addon, Chrome extension and Android application contain multiple vulnerabilities which allow a remote or local attacker to gain code execution and potentially escalate privileges on a user’s system,” the advisory reads.
Yesterday, after several days of intense pressure, Hola published a response in which it quoted Steve Jobs and admitted that mistakes had been made. Hola said that it would now be making it “completely clear” to its users that their resources are being used elsewhere in exchange for a free product.
Hola also confirmed that two vulnerabilities found by the researchers at Adios-Hola had now been fixed, but the researchers quickly fired back.
“We know this to be false,” they wrote in an update. “The vulnerabilities are *still* there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren’t two vulnerabilities, there were six.”
With Hola saying it now intends to put things right (it says it has committed to an external audit with “one of the big 4 auditing companies”) the company stood by its claims that its software does not turn users’ computers into a botnet. Today, however, an analysis by cybersecurity firm Vectra is painting Hola in an even more unfavorable light.
In its report, Vectra not only insists that Hola behaves like a botnet but also says it is possible that it has malicious features by design.
“While analyzing Hola, Vectra Threat Labs researchers found that in addition to behaving like a botnet, Hola contains a variety of capabilities that almost appear to be designed to enable a targeted, human-driven cyber attack on the network in which an Hola user’s machine resides,” the company writes.
“First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system.”
If the implications of that aren’t entirely clear, Vectra assists on that front too. On Windows machines, the certificate is added to the Trusted Publishers Certificate Store, which allows *any code* to be installed and run with no notification given to the user. That is frightening.
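A defender can see which publishers a Windows machine silently trusts by listing the Trusted Publishers store for the machine and the current user. The PowerShell below is an added example, not code from Vectra, Hola or the original article; the `Hola` name pattern is an assumption, since the article does not give the certificate's subject name.

```powershell
# Added audit example: enumerate the Trusted Publishers store and flag entries
# that deserve a manual look. Read-only; it changes nothing on the system.

# Assumption: text to look for in the subject or issuer. The article does not
# state the certificate's subject, so adjust this for your environment.
$SubjectPattern = 'Hola'

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # standard Code Signing EKU
$stores = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher'

$findings = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store | ForEach-Object {
        # An empty EKU list means the certificate is not restricted to any usage.
        $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Store       = $store
            Subject     = $_.Subject
            Issuer      = $_.Issuer
            Thumbprint  = $_.Thumbprint
            NotAfter    = $_.NotAfter
            CodeSigning = ($ekus.Count -eq 0) -or ($ekus -contains $CodeSigningOid)
            SelfSigned  = $_.Subject -eq $_.Issuer
            MatchesName = ($_.Subject -match $SubjectPattern) -or
                          ($_.Issuer -match $SubjectPattern)
        }
    }
}

if (-not $findings) {
    'No certificates found in Trusted Publishers.'
} else {
    # Name matches and self-signed entries sort to the top for review.
    $findings |
        Sort-Object MatchesName, SelfSigned -Descending |
        Format-List Store, Subject, Issuer, Thumbprint, NotAfter,
                    CodeSigning, SelfSigned, MatchesName
}
```

Any entry that cannot be tied to software an administrator deliberately approved is worth investigating, whether or not it matches the name pattern.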
Furthermore, Vectra found that Hola contains a built-in console (“zconsole”) that is not only constantly active but also has powerful functions including the ability to kill running processes, download a file and run it whilst bypassing anti-virus software, plus read and write content to any IP address or device.
“These capabilities enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software,” Vectra says.
Finally, Vectra says that while analyzing the protocol used by Hola, its researchers found five different malware samples on VirusTotal that contain the Hola protocol. Worryingly, they existed before the recent bad press.
“Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys,” the company adds.
For now, Hola is making a big show of the updates being made to its FAQ as part of its efforts to be more transparent. However, items in the FAQ are still phrased in a manner that portrays criticized elements of the service as positive features, something that is likely to mislead non-tech oriented users.
“Since [Hola] uses real peers to route your traffic and not proxy servers, it makes you more anonymous and more secure than regular VPN services,” one item reads.
How Hola will respond to Vectra’s latest analysis remains to be seen, but at this point there appears little that the company can say or do to pacify much of the hardcore tech community. That being said, if Joe Public still can’t see the harm in a free “community” VPN operating a commercial division with full access to his computer, Hola might settle for that.
Source: TorrentFreak