Adios, Hola! - Why you should immediately uninstall Hola

Not that the author of the website should be worried or anything, but expect legal threats from Ofer incoming soon.

I authored a small anti-adware/malware extension called “Extension Defender” and I had Hola VPN listed as Adware inside of it, this was when they were injecting JS ads into all the pages you visited. I immediately had 2-3 legal threats in my inbox from the CEO/Founder. I didn’t know how serious it was so I ended up just removing it as it wasn’t worth the hassle… Guess I was right all along.

Here is a small excerpt just for the LULZ, he actually called my own extension malware, how fucking hilarious:

"Please let me know your decision ASAP – as far as I can see we are still listed as adware. Your email below proves that you are just reading blogs and marking extensions as adware/malware accordingly. This is also called defamation and slander. If you don’t rely on facts I will do all that I can to make it clear that your extension is actually spam, malware, and will also explore the legal side of this.

Ofer"

As evil as this is it’s also kinda cool. Anyone know of a similar extension without the RCE/tracking and maybe an X-Not-Really-Me HTTP header for proxied traffic?

/u/joepie91: as I understand you’re part of the team, I want to say:

You, sir, did a commendable job with the finding of the vulns, but even more with this disclosure!

Really well executed and documented, thanks.

Also: regarding being an exit node, did they really not make it clear to the user?

Personally, I don’t see an issue with the peer-to-peer nature of their service. It seems to be the only way to do what they’re doing gratis, and I love the concept of peer-to-peer things. I also had the impression that the consensus was that an IP address does not equal a person, and if that isn’t the case, that’s a problem with laws and the legal system, not with technology, in my opinion.

However, I will now uninstall Hola from all my computers. While I don’t have anything against their service being P2P, I am against them not being open about the ramifications of it. The security issues demonstrated, in addition to shady business practices, are also enough of a reason in and of themselves.

EDIT: I just uninstalled it, and was taken to this page. I like how it claims that Hola gives you a safer internet experience, despite not giving a damn about security.

Multiple Critical Vulnerabilities in Hola Overlay Network Client: http://pastebin.com/raw.php?i=Rcp8iY8z

It looks like they removed it from the Chrome store and their main website…

Is the RCE there by design and/or available to Luminati customers? Or is it just available because of really poor design on the part of the Hola developers?

Not surprised. But anyway I find Freedome much easier to use.

If you want to find out if Hola VPN is in your network:

Here’s a link to two files: a Snort rule to find Hola on your network, and a Yara rule to find it on your computer:

Snort rule: Snort rules for Hola - Pastebin.com
Yara rule: Yara rules for Hola - Pastebin.com

For a more detailed technical analysis on Hola, please check out our blog at Technical Analysis of Hola by Vectra AI Security Research team

It was one year ago when I first learned about Hola; thanks to the geek characteristic inside me, I was eager to know how it works. And after some investigation, I decided not to run a relay after all.

Everyone should also read their “privacy policy”, in particular the “anonymous information”: browser history, OS, location, browser type, hardware, among others.

Wouldn’t fixing the CORS policy provide an effective way to fix the access to the local API? Doesn’t the app have a fixed origin?

Does removing Hola actually protect me or is it too late now since I have been using it for a while?

Hehehe, their founder is a funny guy. Claims they spent zero dollars on marketing. That is usually about the same amount of money any underhanded crook spends on marketing.

I always keep the Hola extension disabled. I only enable it when I need to bypass country restrictions on a website.

I’ve mentioned before to people how Hola would hijack my internal router IP address (192.168…)

It took me to a “support” page for one of those phone scam sites.

TBH all you should really see when you go to that website is “Checking, this might take a while”. Yeah, it’s going to take forever because I won’t be enabling JS, or Java or anything else on that page any time soon (thanks NoScript).

Also, everyone has to think really very carefully before they double-click an .exe. Because right after you do that you’ve essentially handed over a Windows computer to that software.

Serious legal threats do not come by e-mail from a CEO or founder, they come by mail from a lawyer.

“so I ended up just removing it as it wasn’t worth the hassle…”

Just deleting the e-mails would have worked as well.

“This is also called defamation and slander.”

Hah. Slander is spoken. Libel is the written form. Unless your blog played an audio recording of you reading out what you wanted people to know, it can’t be slander.

Further, defamation is the overall arch encompassing slander and libel. He basically said that it’s called “defamation and defamation”.

" I will do all that I can to make it clear that your extension is actually spam, malware, and will also explore the legal side of this."

This is great for you if he ever did it. This is libel, would pass the three tests and would also be useful as evidence it was mediated. While you would be unable to claim malice (in most cases, and I’m not your lawyer, etc), a reasonable lawyer would walk this one home.