Remote code execution risk exists, Android users trackable

Jun 1, 2015 09:21 GMT

A recent post by the owner of the anonymous image board 8Chan about abusing the free Hola VPN service for distributed denial-of-service (DDoS) purposes prompted researchers to take an in-depth look at the platform, revealing much more serious risks to its users.

Hola VPN functions as a peer-to-peer service: someone who wants to access a resource that is restricted in their region routes the connection through the idle computers of other users who do have access to that content.

Every free Hola user is an endpoint for paying clients

This model allows the service to be free, because the company maintains no proxy infrastructure of its own; instead, users’ systems act as exit nodes for other people’s connections, something that is stated in the license agreement.

Hola is easy to use: it is installed as a browser extension that can be turned on or off and lets the user choose the country the connection should be routed through. At the moment, the network touts 47 million users around the world, making it probably one of the largest VPN services.

However, some revenue needs to be generated to pay for improving the service, and this is obtained not through advertising but via Luminati, the commercial brand of the consumer peer-to-peer VPN network.

Simply put, anyone on the Luminati network can run traffic through the computers of free Hola VPN users. Those users appear as the originators of the connection and could suffer legal consequences if paying customers carry out malicious activity through them.

Users can do whatever they want on the network

According to the owner of 8Chan, someone “used the Luminati network to send thousands of legitimate-looking POST requests to 8chan's post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM,” basically turning the network into a botnet that can be accessed legally.
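As an added illustration, not code from the article or from the researchers, the following script sketches how a site operator could look for the pattern described above in an access log: a burst of POSTs to post.php far above peak traffic that is spread over many source IPs, since one request per residential exit node would slip past per-IP rate limits. The log format (Apache combined), the path, the baseline and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log-format line: client ip, timestamp, request line, status (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, second, method, path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    sec = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(microsecond=0)
    return ip, sec, method, path

def posts_per_second(lines, path="/post.php"):
    """Bucket POSTs to `path` by second: {second: [hit_count, set_of_source_ips]}."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path:
            buckets[rec[1]][0] += 1
            buckets[rec[1]][1].add(rec[0])
    return buckets

def detect_distributed_flood(lines, peak_per_sec, factor=100, min_sources=50, path="/post.php"):
    """Flag seconds where POST volume is >= factor * peak AND comes from many distinct IPs.
    The second condition separates a proxy-network flood (one request per exit IP)
    from a single abusive client, which a per-IP limit would already throttle."""
    alerts = []
    for sec, (count, ips) in sorted(posts_per_second(lines, path).items()):
        if count >= peak_per_sec * factor and len(ips) >= min_sources:
            alerts.append((sec.isoformat(), count, len(ips)))
    return alerts

def constructed_log():
    """Constructed sample: 1 POST/s from one client for 5 s, then 120 POSTs from 120 IPs in one second."""
    t0 = datetime(2015, 5, 30, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /post.php HTTP/1.1" 200 512'
    lines = []
    for i in range(5):
        ts = (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="203.0.113.5", ts=ts))
    ts = (t0 + timedelta(seconds=5)).strftime("%d/%b/%Y:%H:%M:%S %z")
    for i in range(120):
        lines.append(fmt.format(ip=f"198.51.100.{i}", ts=ts))  # each hit from a different exit IP
    return lines

if __name__ == "__main__":
    print(detect_distributed_flood(constructed_log(), peak_per_sec=1))
```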

Once someone gets access to the Luminati service (accounts are verified, according to the terms), they can use the network for whatever purpose they want, including reaching illegal online locations or exchanging illicit content, and the trail leads back to the Hola users whose machines relayed the connection.

A group of security researchers (hackers included) found that although Luminati stipulates in its terms of service that members are not allowed to use the network for nefarious activity, there is no mechanism for enforcing this.

A salesperson has said that Luminati is just a proxy platform and that user activity is not restricted in any way; “we have no idea what you are doing on our platform,” they told one of the researchers.

Multiple security issues uncovered

Beyond this, several issues have been found in the software itself, creating risks that range from unauthorized reading of local files and identifying Hola users across the web to two remote code execution flaws and a privilege escalation.

The researchers determined that the affected Hola versions include the client for Windows, the Firefox add-on, the Chrome extension and the variant for Android. They say that there is no solution available and the recommendation is to remove the Hola service from the system altogether.

A proof-of-concept (PoC) exploit that launches Windows Calculator has been created to demonstrate the remote code execution (RCE) vulnerability. The demo has been captured in the video embedded below.

Hola takes mitigation action, but RCE is still possible

Following the disclosure of the glitches, Hola took some steps to mitigate some of the risks and broke the exploit method developed by the researchers, but they said in an update on Saturday that the second RCE still worked.

On Sunday, the researchers updated their post again, reporting that Hola had deployed another update for the Windows version, after which they could no longer check in a “harmless” manner whether a system running the product was vulnerable.

As such, the security flaws exposed (except for user tracking) can no longer be verified reliably on every platform.

One benefit of this second patch is that tracking is no longer possible on desktop platforms. “Android remains vulnerable to tracking. All versions remain vulnerable to the code execution issues,” the researchers said, adding that the fix may have been an attempt to break their vulnerability checker.

Video demonstrating one of the two remote code execution glitches: