Version 1.249.511
Hola VPN has significant market presence with 5 million users and a high 4.8-star rating from 368,000 reviews, suggesting widespread adoption. However, Hola has a controversial history in the VPN industry, having previously operated a peer-to-peer network model that used users' devices as exit nodes for other users' traffic, raising serious privacy and security concerns. The company has faced criticism for potentially exposing users to legal liability and security risks.
The extension's permission set is extremely invasive and goes beyond what's necessary for basic VPN functionality. The proxy permission combined with webRequest allows complete traffic interception and modification. The broad host permissions grant access to all websites, enabling comprehensive browsing surveillance. The cookies permission allows manipulation of authentication tokens across all sites. The extensive list of content script domains suggests a complex infrastructure that could be used for tracking or data collection beyond VPN services.
Given the critical risk level, run this extension in a completely isolated Chrome profile with no access to personal accounts or sensitive data. Consider using established VPN providers with better privacy track records instead. If you must use Hola, regularly audit what data is being collected and transmitted. Be aware that free VPN services often monetize user data or bandwidth. Monitor your network traffic for unexpected connections and disable the extension when not actively needed for unblocking content.

```json
{
  "name": "__MSG_appNameChrome__",
  "icons": {
    "16": "js/bext/vpn/ui/img/icon16_new.png",
    "48": "js/bext/vpn/ui/img/icon48_new.png",
    "128": "js/bext/vpn/ui/img/icon128_new.png"
  },
  "action": {
    "default_icon": "js/bext/vpn/ui/img/icon16_new.png",
    "default_popup": "js/popup.html",
    "default_title": "__MSG_appNameChrome__"
  },
  "version": "1.249.511",
  "incognito": "split",
  "background": {
    "service_worker": "js/bg.bg.bundle.js"
  },
  "short_name": "Hola VPN",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_appDescChrome__",
  "permissions": [
    "proxy",
    "webRequest",
    "storage",
    "tabs",
    "webNavigation",
    "cookies",
    "scripting",
    "webRequestAuthProvider",
    "declarativeNetRequest"
  ],
  "homepage_url": "https://hola.org",
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "js/bext/vpn/bg/cs_hola.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://*.hola.org/*",
        "https://*.zspeed-cdn.com/*",
        "https://*.h-vpn.org/*",
        "https://*.holavpn.com/*",
        "https://*.holavpnworld.com/*",
        "https://*.holavpnextension.com/*",
        "https://*.holavpninstaller.com/*",
        "https://*.holasof.com/*",
        "https://*.holabrowser.com/*",
        "https://*.holafreevpn.com/*",
        "https://*.holavpnrussia.com/*",
        "https://*.hola-vpn.com/*",
        "https://*.holax.io/*",
        "https://*.holavpn.net/*",
        "https://*.holavpnandroid.com/*",
        "https://*.c6gj-static.net/*",
        "https://*.su89-cdn.net/*",
        "https://*.yd6n63ptky.com/*",
        "https://*.yg5sjx5kzy.com/*",
        "https://*.kbz0pwvxmv.com/*",
        "https://*.wbzby2a2k9.com/*",
        "https://*.hola-compat.com/*",
        "https://*.x-cdn-static.com/*",
        "https://*.mc5smy5d7h.com/*",
        "https://*.tszbegfdw9.com/*",
        "*://new-tab-page/*",
        "*://hola-new-tab-page/*",
        "*://hola-diagnostics/*",
        "*://hola-settings/*",
        "*://settings/*"
      ]
    }
  ],
  "host_permissions": [
    "*://*/*"
  ],
  "manifest_version": 3,
  "optional_permissions": [
    "management"
  ],
  "externally_connectable": {
    "ids": []
  },
  "minimum_chrome_version": "88",
  "content_security_policy": {
    "extension_pages": "connect-src *; img-src *; style-src 'self' 'unsafe-inline'; default-src 'self';"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "*://*/*"
      ],
      "resources": [
        "/js/popup.html"
      ]
    },
    {
      "matches": [
        "*://*/*"
      ],
      "resources": [
        "/js/login_done.html"
      ]
    }
  ]
}
```