Adios, Hola: Researchers say it's time to nix the 'poorly secured' service
Millions of people worldwide use Hola, but the virtual private network provider has come under fire for allegedly selling its users' bandwidth and opening them up to serious security risks.
- Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)
A group of coders and security researchers has claimed that one of the world's most popular free VPN services is an insecure network that has been on-selling users' bandwidth and opening up their devices, giving "anybody" easy access.
Hola offers a Virtual Private Network service to a claimed 47 million users worldwide, allowing them to disguise their online location with a quick install of the free app or browser plug-in. Common outside the US, a VPN allows internet users to access geo-blocked content that they would otherwise be unable to access in their region, including some YouTube clips and streaming services such as the US version of Netflix.
The VPN provider is now facing allegations from a group of researchers that it "operates like a poorly secured botnet" -- an online network of computers that can be used by a third party to share spam or malware without their owners' knowledge.
"Hola is a 'peer-to-peer' VPN," the group writes on its 'Adios, Hola!' website. "This may sound nice, but what it actually means is that other people browse the web through your internet connection.
"To a website, it seems like it's you browsing the site...imagine that somebody uploaded child pornography through your connection, for example. To everybody else, it seems as if it was your computer that did it, and you can't really prove otherwise."
The group argues that Hola's VPN service features "vulnerabilities" which allows third parties to execute code on a user's system, track them online and ultimately "take over your entire computer, without you even knowing."
Furthermore, Adios alleges that Hola runs a secondary business, known as Luminati, which on-sells Hola users' bandwidth for up to $20 per GB. The Adios Hola website claims to have chat logs that show Luminati sales staff offering "pay as you go" access to Hola users' bandwidth, but that these staff "have no idea" what those buyers are doing with the platform.
Since the allegations were first revealed, Hola has updated its website to emphasise that its business model has not changed, and that users access the service by "helping others" -- offering up their computer to be part of a larger peer-to-peer network.
Hola contests that customers can "use the network but not be a part of it" by signing up to a "premium" subscription service, paying for their VPN. However the Adios Hola researchers claim that these updates do nothing to clarify the legal consequences of participating in such a peer-to-peer network.
"This is an unfixable problem, that Hola doesn't disclose transparently," the Adios Hola site reads. "It's how Hola is designed to work, and it cannot function without it."
While the group notes that other VPN services, such as Tor, have faced similar security issues, they argue that Hola has not been upfront about its service and has subsequently attempted to "rewrite history" through its website updates. For its part, Hola says previously published versions of its FAQs are available for users to read on the Internet Archive, though a comparison shows significant updates to details on pricing and the nature of its network.
The writers behind the Adios Hola post are self-identified coders, InfoSec and vulnerability researchers and reverse engineers who claim not to be associated with Hola or its competitors, and who offer the disclosure that they "do not stand to profit financially" from publishing their findings.
Hola appears to have removed its Chrome extension and Firefox add-on from the Chrome and Firefox stores.
Update Tuesday June 2 at 3:55 p.m. AEST: Adios Hola said in an email that it has not heard from Hola itself since making the allegations, other than the updates the company had made to its website and software, and that Luminati "broke off contact when they realised".
Hola has also taken to its blog to post a statement in which company CEO Ofer Vilenski denies the company is operating a botnet, admits that vulnerabilities in the service have now be fixed and reiterates that the company is now hoping to be "crystal clear" to customers about how the P2P network works.
There have been some terrible accusations against Hola which we feel are unjustified. We innovated quickly, but it looks like Steve Jobs was right. We made some mistakes, and now we're going to fix them, fast.
...
We assumed that by stating that Hola is a P2P network, it was clear that people were sharing their bandwidth with the community network in return for their free service. After all, people have been doing that for years with services like Skype. It was not clear to all our users, and we want it to be completely clear.
We have changed our site and product installation flows to make it crystal clear that Hola is P2P, and that you are sharing your resources with others.
The full statement can be read on Hola's website.