Adios, Hola!

Or: Why You Should Immediately Uninstall Hola

Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or "unblocker", but in reality it operates like a poorly secured botnet - with serious consequences.

Are you vulnerable to...

being an exit node
Checking
This might take a while...
Yes
You are vulnerable!
No.
You are not vulnerable.
Maybe.
We're not sure.
being tracked
Checking
This might take a while...
Yes
You are vulnerable!
No.
You are not vulnerable.
Maybe.
We're not sure.
code execution
Checking
This might take a while...
Yes
You are vulnerable!
No.
You are not vulnerable.
Maybe.
We're not sure.
root code execution
Checking
This might take a while...
Yes
You are vulnerable!
No.
You are not vulnerable.
Maybe.
We're not sure.
We're still checking some things...
You are vulnerable. You should uninstall Hola right now. More details are below, but suffice to say it is putting your system at serious risk.
You might be vulnerable. We can't reliably check for Hola on every platform. If you have Hola installed, you should uninstall it right now. Read on for details.
You're probably not vulnerable. It looks like you haven't installed Hola. If that's the case, you should be fine. You can still read on for more information, of course.

UPDATE (June 1, 2015): Today, Hola has finally published a statement. Unfortunately, it doesn't quite address the issues - many of the issues are ignored, and some claims are simply false.

For example, their statement makes the following claim:

Two vulnerabilities were found in our product this past week. [...] In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community.

We know this to be false. The vulnerabilities are *still* there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren't two vulnerabilities, there were six.

Hola also claims that "[vulnerabilities happen] to everyone". As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to 'oversight'; rather, it's straight-out negligence. They are not comparable to the others mentioned - they are much worse.

We await a more transparent follow-up statement, and a real fix to the security issues.

UPDATE (May 31, 2015): Hola has pushed yet another update to their Windows version, that breaks the (harmless) method we use to determine whether you are vulnerable. This does remove the tracking vulnerability, but leaves the other issues intact.

Android remains vulnerable to tracking. All versions remain vulnerable to the code execution issues. You are still vulnerable if you are running Hola, we just can't do a (harmless) check for it anymore.

While Hola still hasn't put out a proper statement towards its users, they have updated their website and FAQ, which is a start. Unfortunately, both of these changes still do not explain the legal consequences.

We continue to suspect that today's 'patch' was primarily an attempt to break our vulnerability checker, and that fixing the tracking vulnerability was merely an unintended side-effect.

Here are some of the ways in which Hola puts you and everybody else at risk.

1. They allow for you to be tracked across the internet, no matter what you do

Hold on, we're checking whether you can be tracked...

For example, this is you:

UID

CID

Session key

...

...

...

These values are unique and always remain the same, even across reboots. They let sites track you like a cookie would - except you can't remove it like a cookie. There's nothing you can do about it.

And that's not even all...

  • Installation directory: ...
  • Operating system: ...
  • Device (on Android): ...
  • ... and much more.

This website isn't special - any website can see and collect this data.

Good news, it looks like you can't be tracked through (your version of) Hola!

Want to know what it would've looked like if you could? Click here!

2. They send traffic of strangers through your internet connection

Hola is a "peer-to-peer" VPN. This may sound nice, but what it actually means is that other people browse the web through your internet connection. To a website, it seems like it's you browsing the site.

Perhaps that doesn't seem bad to you. However, imagine that somebody uploaded child pornography through your connection, for example. To everybody else, it seems as if it was your computer that did it, and you can't really prove otherwise.

The operators of "exit nodes" for the Tor anonymity network have had similar issues. Being a Hola peer is more or less equivalent to running a Tor exit from home - something the EFF even explicitly recommends against.

And even if you can prove your innocence, you can still get raided and tangled up in a long legal process. And as a bonus, it'll use your bandwidth - not exactly desirable if you have a slow connection, or a low data cap.

This is an unfixable problem, that Hola doesn't disclose transparently. It's how Hola is designed to work, and it cannot function without it.

3. They sell access to third parties, and don't care what it's used for

Hola also runs another business, Luminati, that sells access to the Hola network to anybody who is willing to pay up to $20 per GB for it.

[14:13:19] Luminati Sales Person: Luminati is the commercial brand of Hola.org -- huge Peer to Peer network of consumers searching anonymously. This enables you to have almost unlimited number of real IP's for your use.

[14:13:51] Luminati Sales Person: Our pricing model is "pay as you go" per Gigabyte, with no setup fee & no per-IP cost ranging around $1.45 to $20 per GB.

Now according to Hola's founder, Ofer Vilenski, users of Luminati are 'screened' before they are allowed to use it, and the person who attacked a site named 8chan through it simply 'slipped through the net'.

"Adjustments" have been made, according to him.

We didn't find that to be true, however; we had no trouble signing up for a 'free trial', and it's obvious that they don't really care about what you do with it:

[14:28:29] us: I'm just wondering about one of the clauses

[14:28:31] us: of your TOS

[14:28:35] us: "you may not upload, post or otherwise transmit any User Content that: (i) violates any law or engage in activity that would constitute a criminal offense or give rise to a civil liability; (ii) violates or infringes in any way upon the rights of others, including any intellectual property rights or make statements which may defame, harass, stalk or threaten others; (iii) is offensive in any fashion, including blatant expressions, racism, abusiveness, vulgarity, profanity, pornography, pedophilia, incest, bestiality, or otherwise obscene; (iv) advocates or provides instruction on illegal activity or discuss illegal activities or encourage illegal activity; (envy) is soliciting terrorism; (vi) contains advertising, promotional materials or any solicitation with respect to products or services; (vii) is not generally related to the designated topic or theme; (viii) contains software or other materials which contain a virus or other harmful or disruptive component;"

[14:28:39] us: how do you enforce this?

[14:29:08] Luminati Sales Person: we dont

[14:29:18] Luminati Sales Person: we have no idea what you are doing on our platform

[14:39:31] us: can you say force desktop/tablet/mobile etc, or force a certain ISP?

[14:39:49] Luminati Sales Person: no

[14:40:01] Luminati Sales Person: why do you ask?

[14:40:12] Luminati Sales Person: the concept is simple

[14:40:13] us: I'm just wondering, such functionality may be useful for me

[14:40:18] us: in the future

[14:40:28] Luminati Sales Person: thats for you to figure out

[14:40:40] Luminati Sales Person: we simply offer you a proxy platform

[14:41:07] Luminati Sales Person: what you do with it, is up to you

4. They let anybody execute programs on your computer

If you don't believe it, just click the button below. It'll open the calculator application. If it doesn't work, here is a video of it in action.

Important note: This will permanently break the VLC functionality in Hola. While this shouldn't be a problem - you are uninstalling Hola after this, right? - we figured we should tell you about it anyway.

UPDATE (May 30, 2015): Hola has pushed an update that breaks the exploit method used by this button, by disabling the 'move' command entirely. You are still vulnerable through a second method (as described in the technical advisory), but this method is not demonstrated by the button below.

To our knowledge, no official statement has been put out by Hola, and there is a good chance that this update also breaks the 'real' Hola functionality. We suspect that this 'patch' was purely an attempt to hurt our credibility, not to actually fix any security issues.

You can also still watch the video to see how the exploit worked.

Preparing...
Something went wrong. We couldn't run the exploit on your system. Either your system isn't vulnerable, or there's something special about it that we didn't know about. You should still immediately uninstall Hola if you have it installed, as it's quite likely the exploit could still work in a modified form!

Done! The calculator application should have launched. It's possible that it started in the background; in that case, check your taskbar or application bar.

Calculator still didn't appear? On some systems, the calculator application starts invisibly; that is, it's running, but you can't see it at all. Check whether there's a 'calc.exe' process running on your system. This wouldn't matter for real malware, of course, as it tries to run invisibly anyway.

We're nice people, so we just made a button that opens a calculator for you. Somebody with more... malicious goals could have easily done the same, but invisibly, automatically, and with a piece of malware instead of a calculator. They could take over your entire computer, without you even knowing.

And on some systems, it gets worse; Hola will happily run whatever you feed it as the 'SYSTEM' user. What this means in simple terms, is that somebody can completely compromise your system, beyond any repair. It allows for installing things like a rootkit, for example.

In fact, you should assume that this has already happened. This security issue has been there for a while, at least since 2013. Even though we are not aware of this having been exploited "in the wild", it is certainly a possibility. You should run an anti-virus scan or, even better, reinstall your operating system as soon as possible.

This problem is not just an 'oversight'. It's not a thing where you say 'well, bugs can happen'. This kind of security issue can only happen if a developer is either grossly incompetent, or simply doesn't care about the security of their users. It's negligence, plain and simple, and there's no excuse for it.

5. They're trying to rewrite history

A few days ago, some of the problems with Hola and Luminati were disclosed by 8chan. As a result of that, they were contacted by a journalist to ask for a statement.

Rather than putting out an honest statement, Hola decided to try and rewrite history, quietly.

The Hola FAQ, what it looked like before the disclosure, and afterwards (click for the originals):

And the same for the Luminati website:

Suddenly, all claims of "anonymity" and "crawling" have vanished. The new version of the FAQ was presented to journalists as if it'd always been that way.

Evidently, Hola is more interested in weaseling their way out of the situation, than they are in properly informing their users.

So, what should I do?

If you have Hola installed on your system, uninstall it right now. The attacks that we have demonstrated and explained here, can be carried out by anybody, on any website, without your knowledge. Even visiting a single website can be dangerous.

We've made a set of uninstall guides for you, to make sure that Hola is removed correctly. It can be found here.

Disabling the extension is not enough! Several versions of the extension will keep the Hola process running in the background. You will still be vulnerable, even with the extension disabled!

If you do not have Hola installed at all, you should be fine.

So, what should I use instead?

If you need strong anonymity, Tor is the right option.

If you simply want to get around geo-restrictions, there are many other services that offer similar functionality to Hola, but safely. We do not make any particular recommendations.

Why did you publish this?

Hola have clearly shown through their actions that they do not care about the safety of their users, and that most likely they are not competent enough to develop this kind of software. Even if these issues were 'fixed', it'd only be a matter of time until new, similar issues arise.

For this reason, we have decided to immediately publish these issues to the public at large. Anything else would only lead to Hola trying to make it appear 'less bad' than it really is, as they have done before, and putting their users at a continued risk.

The architecture of Hola is most likely unfixable. The only reliable solution to the problem is to completely uninstall Hola, whether it is 'fixed' or not.

Who are behind this research?

The team:

We can be collectively contacted at hola@adios-hola.org.

Disclosure: We are not associated with Hola or any of its competitors. We do not stand to profit financially from this publication.