Hola VPN under fire: Hola is selling its users’ bandwidth as a botnet


What is Hola VPN “Free”?

You might have heard about Hola VPN, a decentralized system that allows its users to bypass geolocation blocks (I personally use and advocate for unblock-us).

It’s not unusual for Internet users to want to watch services that are blocked in their countries: Spotify, Netflix, Amazon Instant Video, sometimes even YouTube videos… Hola VPN offers the solution for “free” and lets its users bypass the IP restrictions.

Hola VPN is selling your bandwidth, potentially for illegal activity

But as always when something is free, there is a hidden cost. In the case of Hola, the cost is that the network connection of “free” users is being resold to paying customers. In other words, if you’re a free Hola user, other people are routing their traffic out through your connection, with your IP address, to do whatever they need to do. (In general you don’t get that kind of problem on paid services such as unblock-us or UnoTelly.)

This was apparently not spelled out very clearly in their FAQ, and it came under heavy criticism a few days ago, when 8chan was hit by a DDoS whose traffic exited through the Hola network. Yes, if you’re a free Hola VPN user, it is possible that your computer and your IP address were used in a DDoS attack last week.

From 8chan:

Hola “Better Internet” is an extremely popular free VPN. How it works is not very clear to all its users though, as I quickly became aware in the past week when 8chan was hit by multiple denial of service attacks from their network.

When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this. On the other hand, with the Tor onion router, users must specifically opt in to be exit nodes and are aware that completely anonymous traffic can pass through their connections, which means they should be ready for abuse reports for child porn, spam, copyrighted content and other ills that come with the territory.

Hola was created by the Israeli corporation Hola Networks Limited at the end of 2012, and at first was just the VPN service. However, Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only) at https://luminati.io .

Luminati boasts of having “More than 9,761,015 exit nodes” on their website, and based on what I saw in the past week I have no reason to doubt it. The only silver lining is their greed: they charge $20/GB to use lines that cost them nothing, their software simply mooches off of the unfortunate users who have installed the proprietary Hola software.

Hola is the most unethical VPN I have ever seen.

So far as I can tell, there is no way to tell if an IP has the Hola VPN software installed or not: no tell-tale open port, no special header from Luminati, and no specific range.

This is a huge issue for 8ch, which allows posters to post completely anonymously, and has some protections in place for typically abused ranges (like Tor and VPN ranges) but still allows posts through. An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM.

I have had to regretfully turn on the 24 hour CAPTCHA for all users until a solution can be found, but I’m not sure how quickly that will happen. I hope that Luminati takes my advice and rejects POST requests through their service, or allows domains to pay them off for such a rejection.
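The attack the 8chan admin describes above (a burst of ordinary-looking POSTs to post.php arriving through thousands of residential exit IPs, with no tell-tale range, port or header to block on) is exactly the case where per-IP rate limiting fails: each exit node sends only a handful of requests. What follows is an added example written for this post, not code from 8chan, Hola or Luminati. It runs a sliding-window detector over constructed access-log lines, alarms on the aggregate POST rate to one endpoint rather than on any single IP, and labels the burst as distributed (no IP over the per-IP limit) or concentrated. The log format, the thresholds, the timestamps and the RFC 5737 documentation addresses are all assumptions chosen for the illustration.

```python
"""Detect a distributed POST flood against one endpoint from access-log lines.

Added example for this post; not code from 8chan, Hola or Luminati. Log
format, thresholds, timestamps and IP ranges are assumptions for illustration.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Common log format, e.g.
# 203.0.113.7 - - [30/May/2015:12:00:00 +0000] "POST /post.php HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return ip/ts/method/path for one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts,
            'method': m.group('method'), 'path': m.group('path').split('?')[0]}


class PostFloodDetector:
    """Sliding-window counter for POSTs to one path.

    Traffic exiting through thousands of residential connections gives only a
    few requests per IP, so the alarm is raised on the aggregate rate for the
    endpoint; the alert records whether the load is concentrated or spread thin.
    """

    def __init__(self, path='/post.php', window_s=30,
                 baseline_per_window=20, spike_factor=10, per_ip_limit=5):
        self.path = path
        self.window = timedelta(seconds=window_s)
        self.threshold = baseline_per_window * spike_factor  # assumed baseline and spike
        self.per_ip_limit = per_ip_limit
        self.events = deque()    # (ts, ip) for POSTs currently inside the window
        self.per_ip = Counter()  # live per-IP counts inside the window

    def observe(self, rec):
        if rec['method'] != 'POST' or rec['path'] != self.path:
            return None
        self.events.append((rec['ts'], rec['ip']))
        self.per_ip[rec['ip']] += 1
        cutoff = rec['ts'] - self.window
        while self.events and self.events[0][0] < cutoff:   # expire old events
            _, old_ip = self.events.popleft()
            self.per_ip[old_ip] -= 1
            if self.per_ip[old_ip] == 0:
                del self.per_ip[old_ip]
        total = len(self.events)
        if total < self.threshold:
            return None
        hottest = max(self.per_ip.values())
        # 'distributed' means no single IP exceeds the per-IP limit, i.e. a
        # per-IP rate limiter would have let every one of these requests through.
        return {'at': rec['ts'], 'total': total, 'unique_ips': len(self.per_ip),
                'max_per_ip': hottest,
                'kind': 'distributed' if hottest <= self.per_ip_limit else 'concentrated'}


def analyze(lines, **kwargs):
    """Feed log lines through a detector and collect the alerts it raises."""
    det = PostFloodDetector(**kwargs)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alert = det.observe(rec)
            if alert:
                alerts.append(alert)
    return alerts


def build_sample_log(distributed=True):
    """Constructed access log: quiet posting, then a 250-request burst in 25 s."""
    def fmt(ip, ts, method='POST', path='/post.php'):
        stamp = ts.strftime('%d/%b/%Y:%H:%M:%S +0000')
        return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512'
    t0 = datetime(2015, 5, 30, 12, 0, 0, tzinfo=timezone.utc)
    lines = ['this line is garbage and must be skipped']
    for i in range(15):      # normal traffic: 3 users, one post every 4 s
        lines.append(fmt(f'203.0.113.{i % 3 + 1}', t0 + timedelta(seconds=4 * i)))
    lines.append(fmt('203.0.113.9', t0 + timedelta(seconds=61), 'GET', '/index.html'))
    burst = t0 + timedelta(seconds=90)
    for i in range(250):     # 10 POSTs per second for 25 s
        ip = f'198.51.100.{i + 1}' if distributed else '198.51.100.1'
        lines.append(fmt(ip, burst + timedelta(seconds=i // 10)))
    return lines


if __name__ == '__main__':
    for mode in (True, False):
        first = analyze(build_sample_log(distributed=mode))[0]
        print(f"distributed={mode}: first alert at {first['at'].time()} kind={first['kind']} "
              f"total={first['total']} unique_ips={first['unique_ips']} max_per_ip={first['max_per_ip']}")
```

In the distributed run the first alert fires at the 200th burst request with 200 unique IPs and a maximum of one request per IP, which is the situation the quoted text describes: nothing per-IP is abnormal, only the endpoint total is. The practical response that follows from this distinction is the one 8chan took, a site-wide challenge on the affected endpoint, since there is no address-based property to filter on.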

The story has been around the internet and back, with coverage on Slashgear (“Hola selling users’ bandwidth as botnet”), and security researchers created a site dedicated to documenting the vulnerabilities found in the Hola software: adios-hola.org. The issues, the researchers say, go well beyond what 8chan found, and are much worse than what Hola’s owners are willing to admit. From adios-hola.org:

UPDATE (June 1, 2015): Today, Hola has finally published a statement. Unfortunately, it doesn’t quite address the issues – many of the issues are ignored, and some claims are simply false.

For example, their statement makes the following claim:

Two vulnerabilities were found in our product this past week. […] In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community.

We know this to be false. The vulnerabilities are *still* there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren’t two vulnerabilities, there were six.

Hola also claims that “[vulnerabilities happen] to everyone”. As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to ‘oversight’; rather, it’s straight-out negligence. They are not comparable to the others mentioned – they are much worse.

We await a more transparent follow-up statement, and a real fix to the security issues.

What alternatives for Hola VPN users?

We often talk on this blog about ways to bypass geolocation restrictions, and Hola is often suggested in comments on the blog. I have myself never been a huge fan of free VPN offers; one could say I was seeing the writing on the wall. Free VPNs are either of bad quality, or will become a paid service sooner rather than later, or are simply using you as the product, as was the case here with Hola.

Most people who use Hola do it in order to watch Netflix abroad. It is strongly recommended at this point that you switch to a more ethical service. For movies and music, services like unblock-us or UnoTelly offer great support, and both have a free trial to convince you (here for unblock-us, here for UnoTelly). You can read our comparison of UnoTelly and unblock-us here.

No matter what you choose to do, it is probably wise to stop using Hola VPN for now.

Disclaimer: the unblock-us links in this article are affiliate links. If you choose to use unblock-us, I get paid a commission, at no additional cost to you. Regardless of whether you use my affiliate link or not, I have been an unblock-us user for years and can totally vouch for their service!