Beware: Hola VPN turns your PC into an exit node and sells your traffic

Hola is a popular virtual private network (VPN) provider that is available for various web browsers including Google Chrome, Mozilla Firefox and Internet Explorer, as well as desktop and mobile operating systems.

It is free to use, and if you check ratings and users on Chrome's Web Store alone, you will notice that it is currently used by more than 7.1 million Chrome users.

Hola uses a sophisticated system to offer its services for free. Instead of routing users solely (or at all) through company servers and racking up huge bandwidth bills in the process, it uses its users' devices as endpoints.

In practice, this means that any user device that Hola is running on acts as an endpoint. An endpoint is a node that communicates directly with the target website or service that Hola users access when the service is enabled.

Hola users have no control over endpoints, which is problematic for several reasons. First, it increases the bandwidth usage on the device and reveals your device's IP address to the target service or website, which you may not always want.

What's even more problematic than that is the fact that Hola seems to have started selling access to these exit nodes on the Luminati website.

If you check Whois records for both sites, you will notice that they are both owned by Hola.

Luminati provides its customers with access to an API that they can use to utilize Hola endpoints for various activities, for instance denial of service attacks but also load tests. This makes Hola an effective botnet, especially since it cannot be blocked easily as it uses IP addresses from around the world and not a set of larger IP ranges.

The admin of 8chan recently noticed denial of service attacks against the site and found out that the attack was utilizing Hola endpoints through Luminati.
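The blocking problem can be put in numbers. The following is an added example, not part of the original article: it counts how many prefix block rules a site needs to drop 90% of a flood, once for requests coming from three hosting ranges and once for requests that each come from a different network, as with residential exit nodes. The log format, request path and all addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed access-log line; only the client address varies.
LINE = '{} - - [28/May/2015:10:00:00 +0000] "POST /post HTTP/1.1" 200 512'

# Constructed sample 1: 300 requests from three hosting ranges.
CLUSTERED = [LINE.format(f"{net}.{1 + i % 250}")
             for net in ("192.0.2", "198.51.100", "203.0.113")
             for i in range(100)]

# Constructed sample 2: 300 requests, each from a different /16 network.
DISPERSED = [LINE.format(f"{11 + i % 200}.{i * 7 % 256}.{i * 13 % 256}.{1 + i % 250}")
             for i in range(300)]


def client_ips(log_lines):
    """Return the client address (first field) of each access-log line."""
    return [line.split(maxsplit=1)[0] for line in log_lines if line.strip()]


def block_rules_needed(ips, prefix_len, coverage_pct=90):
    """Count the prefix block rules needed to drop coverage_pct of requests.

    Prefixes are picked greedily, busiest first. Returns a tuple
    (rules, addresses_blocked); the second value is the collateral cost.
    """
    per_prefix = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips
    )
    target = -(-len(ips) * coverage_pct // 100)  # integer ceiling
    covered = rules = 0
    for _, hits in per_prefix.most_common():
        if covered >= target:
            break
        covered += hits
        rules += 1
    return rules, rules * 2 ** (32 - prefix_len)


if __name__ == "__main__":
    for name, log in (("clustered", CLUSTERED), ("dispersed", DISPERSED)):
        for plen in (24, 16):
            rules, blocked = block_rules_needed(client_ips(log), plen)
            print(f"{name:9} /{plen}: {rules:3} rules, {blocked:,} addresses blocked")
```

Widening the prefix does not reduce the rule count for the dispersed sample; it only raises the number of unrelated addresses that get blocked along with each exit node.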

Hola charges per Gigabyte of traffic, starting at $20 per Gigabyte and going down to $2 per Gigabyte and lower depending on the volume that you purchase.

This means: if you are using Hola, your connection may be used as an endpoint not only by other Hola users who try to access sites in the country you are in, but may also be sold to individuals and companies who may use it for questionable or outright illegal activities.

Update: Hola has posted a response to recent events. You can read it on the official company blog.

Closing Words

If your computer is being used as an exit node, it is your IP address that webmasters, law enforcement or rights holders see when they check server logs. If it is used in attacks or malicious activity, it is you who will be contacted by the authorities or site owners.

My personal recommendation is to uninstall Hola if it is installed on a system and stay away from the service for now.




Responses to Beware: Hola VPN turns your PC into an exit node and sells your traffic

  1. Night Fury May 28, 2015 at 9:21 am #

    I don't recommend free service like that.. you need fastest vpn service fastestvpn.net

  2. Ross Presser May 28, 2015 at 9:24 am #

    The Luminati owner as much as admitted this in Nov 2014.
    http://www.quora.com/I-need-to-do-some-massive-web-data-collection-does-anyone-know-how-Luminati-is-different-from-Tor-or-a-proxy-network

    • Martin Brinkmann May 28, 2015 at 10:55 am #

      Interesting Ross, thanks for the link!

    • what May 28, 2015 at 3:57 pm #

      Why do I need to register to quora to see the answer? No thanks.

  3. JHy56 May 28, 2015 at 11:36 am #

    Does this apply to the Android version as well?

    @Night Fury Most of the so-called fastest VPN services are 100% paid.

  4. Nebulus May 28, 2015 at 12:07 pm #

    This is disturbing. I hope it doesn't become a trend, though...

  5. Wybo May 28, 2015 at 12:38 pm #

    That doesn't surprise me. As more often than not there is a "price tag" for free services.

    I use ZenMate. Which still seems to have no strings attached so far, although a few days ago they dropped the UK as one of their IP locations. They used to offer Switzerland too. But that location has disappeared too. They used to offer 5 locations now only four.

  6. Dwight Stegall May 28, 2015 at 2:00 pm #

    Hola is a good site to gather info on blocked sites. But its VPN is way too laggy for me. I like Zenmate. It runs like a rabbit.

  7. Dan82 May 28, 2015 at 3:09 pm #

    It's a good thing that this worrying fact receives some publicity. I knew about the basic exit node issue of Hola for a long while due to the technology being used, but that the operators are selling external traffic for these anonymous end-user connections is new to me. The disturbance liability a user leaves himself open for is nothing to sneeze at, you only need to look at open wireless connections in countries like Germany for example to get a picture of the problem. Since the service can and has apparently been used as a botnet already, active use of the Hola unblocker might be even more of a legal problem than I previously anticipated. With the burden of proof typically on your own shoulders once an accusation based on evidence supported by IP addresses has been made, how could you ever hope to conclusively prove your innocence? Granted, the limitation to HTTP-based connections relieves some of my biggest worries, but even so any exit node can be used to devastating effect, especially when the goal is the denial of service of dynamically created websites.

    • Ross Presser May 28, 2015 at 9:04 pm #

      The 8chan admin said that HTTP POST was his problem; but with all the REST APIs in the world, even a GET isn't safe.

  8. privacy rights May 28, 2015 at 3:12 pm #

    I stay away from free VPNs in general: they have to make their money somehow, so I assume it's from the user's data or resources.

  9. john_rik May 28, 2015 at 3:56 pm #

    That's why I don't use free stuff! ;)

    • Halv September 9, 2015 at 6:16 am #

      Chrome and Firefox are free too, you know!
      Don't only judge because of it.

  10. BR May 28, 2015 at 4:21 pm #

    This is no secret, although I guess only a few users are aware of it.

    From the Hola FAQ "Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers. .... Hola generates revenue by selling a commercial version of the Hola VPN service to businesses (through our Luminati brand)."

    https://hola.org/faq#in_how_is_free

    • zentaurus21 May 29, 2015 at 4:53 am #

      prime directive #1: RTFM (or at least the FAQ ^_^)

      cheers!

    • Anonymous May 29, 2015 at 9:13 am #

      They updated their FAQ less than a week ago to cover their asses.

      • bruh May 30, 2015 at 4:16 pm #

        They even change their description of service on Luminati from "A better and more anonymous vpn than Tor" something like that to "It's simple and it's fast" LOL.

  11. Belga May 28, 2015 at 5:31 pm #

    Thank you for the warning. I'll stay with ZenVPN... until further notice !?

  12. interstellar May 28, 2015 at 8:57 pm #

    Excellent warning post, Martin!
    Hola? no..Adios!

    • some1 June 28, 2015 at 1:49 pm #

      I lol'd at "no... Adios!"

  13. Rick May 28, 2015 at 11:38 pm #

    Come on guys. You have to give the dude credit for turning his one american IP address into what Hola is today.

    And when you think about it, someone this ambitious we just had to know would be looking for ANY WAY to cash in.

    I have always thought that Hola was a sham in the making (from reading the EUA and privacy statements that have been vague at best). It appears that my guess was not unfounded.

  14. happysurf May 29, 2015 at 8:10 am #

    Thank you very much for the warning.

  15. Max May 29, 2015 at 9:43 am #

    What about Hola Premium, do you have to worry about the same thing?

    Guessing so.

    • Rick May 29, 2015 at 6:29 pm #

      Exact same with premium

      • Mehreen June 1, 2015 at 9:45 pm #

        Try Hotspot Shield if you want a free, trustworthy VPN. They own their own VPN server infrastructure, so there's no chance of them using their users as exit nodes, or taking advantage of them in any manner. They're pretty reliable, and one of the VPNs that have been around the longest.

  16. Rob Malcolm May 29, 2015 at 6:52 pm #

    Disclaimer: I work for a SmartDNS company called UnoTelly.

    As someone that uses the Internet, I value companies that keep my information secure. As an employee of a DNS service, I am proud to say that UnoTelly charges customers to provide a quality, secure service. We value our users and would never sell their data.

  17. billy May 31, 2015 at 6:04 am #

    Go to "adios hola", they show that your entire machine can easily be compromised by use of this VPN. Not good. Thank god I've never felt the urge to use anything like this.

  18. Mehreen June 1, 2015 at 9:34 pm #

    Not all free VPNs are bad though. Hotspot Shield owns their own servers and have been in the VPN business a LONG time, and thus know how to run a free VPN without taking advantage of consumers. They guarantee your safety and privacy completely. I can vouch for them since I work there. So if you're looking for a trustworthy free VPN, be sure to check them out!

  19. Matthuffy June 28, 2015 at 1:54 pm #

    They are still claiming that the Chrome extension is not a p2p. I quote them
    "This is NOT a peer to peer application. This extension does not link to nor encourages the download of any other products and is fully functional as is without requiring any additional download/component."

    So, anyone for a class action :)

    • Foo February 8, 2016 at 6:42 pm #

      Is there any information whether this is still true? Has someone tested it? I had it silently installed with another package. I recognized the icon in the toolbar only after some hours. I didn't use it, and when I saw that it is a p2p plugin I removed it. Any experiences whether there is a risk that it also silently routed traffic over my connection?

      Is there a way to make sure nothing from Hola is now running or was running?
