
Hola VPN extension sells user traffic and contains remote code execution vulnerabilities

4 days ago, the administrator of the 8chan imageboard (whose /beast/ board is blocked in Russia) reported a DDoS attack on the site that looked like a hundredfold influx of ordinary visitors. The largest increase in load fell on the posting script, post.php (the board had no CAPTCHA); the DDoS crashed PHP-FPM, under which the script ran. Analysis of the traffic showed that the attack was carried out through the Internet connections of users of Hola, a browser extension for accessing blocked websites that is popular in Russia as well as elsewhere.

The users of the extension, without knowing it, gave their Internet connections to the subsidiary Luminati, which thus effectively owned more than 9 million unique exit nodes, thanks to the extension and its users' connections. They apparently earn very well: the first 100 gigabytes of traffic cost customers $20 per gigabyte.

The project's FAQ made no mention of the use of users' connections; however, Hola quickly added a few points to that effect. Now, if you don't want to give your connection away to Luminati, you have to pay $5 per month.
Archive FAQ
Current FAQ Version
After the 8chan administrator published this information, a group of guys found 4 vulnerabilities in this extension:

All versions of Hola start a JSON REST HTTP server on 127.0.0.1, but it responds with the header Access-Control-Allow-Origin: *, which allows any page on the Internet to access it. The Windows versions, which install a service in addition to the browser extension, run as SYSTEM.
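The difference between that wildcard header and an origin allowlist on a loopback service, as an added example (not code from Hola, the researchers or the original article). The allowed origin https://app.example, the attacker origin used when calling it, and the trivial JSON body are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGINS = {"https://app.example"}  # assumption: the only web origin meant to call the service

def cors_policy(origin, hardened):
    """Return (status, CORS headers) for a request carrying this Origin header."""
    if not hardened:
        return 200, {"Access-Control-Allow-Origin": "*"}  # weak setting described in the text
    if origin is None:
        return 200, {}  # no Origin header: not a CORS request (a real service still needs auth)
    if origin in ALLOWED_ORIGINS:
        return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 403, {}  # foreign origin: refuse the request instead of only hiding the reply

def readable_by(headers, origin):
    """Browser-side CORS check: may a page served from `origin` read the response?"""
    return headers.get("Access-Control-Allow-Origin") in ("*", origin)

def make_handler(hardened):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, cors = cors_policy(self.headers.get("Origin"), hardened)
            body = b'{"status": "ok"}' if status == 200 else b""
            self.send_response(status)
            for name, value in cors.items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # silence per-request logging
            pass
    return Handler

def probe(hardened, origin):
    """Serve on an ephemeral loopback port, fetch once with the given Origin header."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(hardened))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/", headers={"Origin": origin})
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status, dict(resp.getheaders())
    finally:
        server.shutdown()
        server.server_close()
```

Calling probe(False, origin) and probe(True, origin) with a foreign origin and passing the returned headers to readable_by shows which configuration a browser would let an arbitrary page read.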

One of the remote code execution vulnerabilities, caused by the lack of filtering of the command-line arguments passed to the VLC video player built into Hola, has already been patched, but the research team is confident that it was merely hidden so that the exploit on the researchers' website, which launches the Windows calculator, would stop working.

On the site “Adios, Hola!”, dedicated to the vulnerabilities in the extension, you can check whether you are an exit node, whether you can be identified, and whether code can be executed as your user and as the privileged SYSTEM user. The site also contains detailed instructions for removing the whole package from Chrome, Firefox, Internet Explorer and the Android version.

At the moment, the Hola extension has been removed from Firefox Add-ons, but it is still in the Chrome Web Store, although it does not appear in search. I urge all authors of lists of censorship-circumvention software either to remove Hola from their lists or to add a warning that it uses the user's connection. I have updated my list, which, by the way, is still very popular.

This company was represented on Habr, but did not renew its account.

UPD: Hola's official response
TL;DR: We are an innovative company. Skype also used your traffic. We sell Luminati only to decent customers (and not like Tor). Everyone has vulnerabilities: Apple iCloud, Snapchat, Skype, Sony, Evernote, Microsoft.

Information from the 8chan admin
Technical information from researchers
The biggest thread on Reddit
News on Vice
News on TJournal

Source: https://habr.com/ru/post/259177/

