Looks like Hola, the free VPN service for unblocking the likes of Netflix, exposes an API on your localhost. This can be accessed by JS, and it seems the API lets anyone who knows this read arbitrary files from your filesystem (oh noez, our wallets) and run completely arbitrary code on your machine, and to boot, they have a unique ID for each Hola installation, meaning you can be tracked across the net.
They also have some shocking practices as to how they monetize this huge VPN - they lease access to a 40 million machine botnet.
Details here:
http://adios-hola.org