Company needs to make a greater effort to redeem itself

Jun 3, 2015 12:35 GMT

Hola rushed out updates to fix serious security issues in its VPN software, pointed out by researchers over the past week, but users remain exposed to attacks.

Last week, a group of researchers calling themselves Adios Hola published an extensive advisory detailing vulnerabilities found in Hola VPN, including information disclosure, remote execution of arbitrary code, and privilege escalation.

An independent assessment conducted over the past several weeks by security company Vectra Networks was also published on Monday. It exposed the presence of a console (“zconsole”) in the process that forwards peer traffic to its intended destination, a component that could be used for targeted attacks.

A threat actor gaining access to the console could view all running processes and terminate their activity, download files without passing through antivirus scrutiny, as well as execute them (either in the background or with the token of another process).

Some of the flaws have been corrected

Also on Monday, Hola CEO Ofer Vilenski declared the company’s commitment to user security and business transparency, announcing amendments and explaining how the VPN network works.

A company representative told Softpedia that the remote code execution bugs have been addressed, adding that the built-in VLC player can no longer be started with attacker-controlled arguments.

At the moment, the mitigation consists of allowing the player to execute only if the command comes from hola.org. The representative also said that restrictions on the arguments would be implemented by the end of the week.
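The two-layer control described above (accept the command only from a trusted origin, then constrain the arguments handed to the player) is a common pattern for locally exposed command endpoints. The following is an added illustration of that pattern and is not Hola's code; the command format, the `build_player_command` handler, the allowlisted flags and the sample requests are all constructed for this example, and the requirement that the origin use HTTPS is an assumption, not something the article states.

```python
"""Origin-gated command dispatch with an argument allowlist.

Added illustration, not Hola's code. It models the mitigation described in
the article: (1) a "play" command is accepted only when the request's origin
is hola.org, and (2) the arguments passed to the media player are restricted
to a small allowlist. Flag names, handler names and sample requests are
constructed for this example.
"""
from urllib.parse import urlparse

# Assumption: the article names only hola.org as the trusted origin.
TRUSTED_ORIGINS = {"hola.org", "www.hola.org"}

# Illustrative allowlist of player flags; the bool says whether the flag
# takes a value. Anything not listed is rejected.
ALLOWED_FLAGS = {"--fullscreen": False, "--volume": True}

# Positional arguments must be media URLs on these schemes; file:// and
# other local schemes are deliberately excluded.
ALLOWED_SCHEMES = {"http", "https"}


class Rejected(Exception):
    """Raised when the origin or an argument fails validation."""


def origin_is_trusted(origin: str) -> bool:
    """Exact host match on the parsed origin URL.

    A substring check such as `"hola.org" in origin` would accept
    https://hola.org.evil.example, so the hostname is compared whole.
    """
    parsed = urlparse(origin)
    return parsed.scheme == "https" and parsed.hostname in TRUSTED_ORIGINS


def validate_args(args):
    """Return a sanitized argv tail for the player, or raise Rejected."""
    out = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ALLOWED_FLAGS:
            out.append(arg)
            if ALLOWED_FLAGS[arg]:
                i += 1
                # The only valued flag here takes a plain integer.
                if i >= len(args) or not args[i].isdigit():
                    raise Rejected(f"bad value for {arg}")
                out.append(args[i])
        elif arg.startswith("-"):
            raise Rejected(f"flag not on allowlist: {arg}")
        else:
            url = urlparse(arg)
            if url.scheme not in ALLOWED_SCHEMES or not url.hostname:
                raise Rejected(f"positional argument is not an http(s) URL: {arg}")
            out.append(arg)
        i += 1
    return out


def build_player_command(origin: str, args):
    """Origin check first, then argument validation; returns the argv."""
    if not origin_is_trusted(origin):
        raise Rejected("untrusted origin")
    return ["vlc"] + validate_args(args)


def is_rejected(origin: str, args) -> bool:
    """Helper for tests: True if the request would be refused."""
    try:
        build_player_command(origin, args)
    except Rejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests.
    print(build_player_command("https://hola.org", ["--fullscreen", "https://cdn.example/v.mp4"]))
    print(is_rejected("https://hola.org.evil.example", ["https://cdn.example/v.mp4"]))
    print(is_rejected("https://hola.org", ["--not-allowlisted", "https://cdn.example/v.mp4"]))
```

The origin check alone is the weaker of the two layers, since an origin or referrer value is supplied by the caller; the argument allowlist is what actually bounds what the player can be made to do, which is why the article's "limitation for arguments" is the more important follow-up.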

The problem with “zconsole” is a thornier one: Oliver Tavakoli, CTO at Vectra Networks, told us that the risks it poses cannot be countered “without significant redesign of the Hola software.”

A member of the Adios group, Slipstream, said that the console was still present in the software version he checked, although some changes occurred and the component was now more difficult to access.

He confirmed that the flaws had been “at least partly patched,” while noting that some of them could still be exploited; Slipstream said that he tested with a release prior to the latest one.

Risks still exist

He added that the design flaws in Hola VPN also represent a risk, referring to man-in-the-middle (MitM) attacks. These could be carried out by someone acting as an exit node for a Hola user and injecting malicious iFrames into the browsing session in order to deliver exploit kits.

Alternatively, there is the risk that a bad exit node could redirect Hola users whose traffic passes through it to phishing websites impersonating popular video streaming services that are only available in certain regions, such as Netflix.

Hola VPN has more than 46 million users and the company said that it received no abuse reports concerning any of them, despite Vectra offering evidence of five malware samples from VirusTotal containing the Hola protocol.

Hola is currently trying to repair the damage and restore user confidence in the service and has plans for future security improvements.

The company has announced that it has started work on a bug bounty program with monetary rewards for reported vulnerabilities. Furthermore, both internal and external security audits have been initiated.

[UPDATE, June 4]: Hola says that "zconsole" and the signing certificate are software components required by Hola's communication protocol and by its remote update mechanism.

"These two modules were accessible because of the vulnerabilities which were already fixed and patched up prior to the Vectra report being published," a company representative said via email.