Beware: Hola VPN turns your PC into an exit node and sells your traffic

Martin Brinkmann
May 28, 2015
Updated • Aug 27, 2019
Security

Hola is a popular virtual private network (VPN) provider that is available for various web browsers including Google Chrome, Mozilla Firefox and Internet Explorer, as well as desktop and mobile operating systems.

It is free to use and if you check ratings and users on Chrome's Web Store alone, you will notice that it is used by more than 7.1 million Chrome users currently.

Hola uses a sophisticated system to offer its services for free. Instead of routing users solely (or at all) through company servers and racking up huge bandwidth bills in the process, it uses its users' devices as endpoints.

In other words, any user device that Hola is running on acts as an endpoint. An endpoint is a node that communicates directly with the target website or service that other Hola users access when the service is enabled.

Hola users have no control over endpoints, which is problematic for several reasons. First, it increases the bandwidth usage on the device and reveals your device's IP address to the target service or website, which you may not always want.

What's even more problematic than that is the fact that Hola seems to have started selling access to these exit nodes on the Luminati website.

If you check Whois records for both sites, you will notice that they are both owned by Hola.

Luminati provides its customers with access to an API that they can use to utilize Hola endpoints for various activities, for instance denial of service attacks but also load tests. This makes Hola an effective botnet, especially since it cannot be blocked easily as it uses IP addresses from around the world and not a set of larger IP ranges.

The admin of 8chan noticed denial of service attacks recently against the site and found out that the attack was utilizing Hola endpoints through Luminati.

Hola charges per gigabyte of traffic, starting at $20 per gigabyte and going down to $2 per gigabyte and lower depending on the volume that you purchase.

This means: if you are using Hola, your connection may be used as an endpoint not only by other Hola users who try to access sites in the country you are in, but may also be sold to individuals and companies who may use it for questionable or outright illegal activities.

Update: Hola has posted a response to recent events. You can read it on the official company blog.

Update 2: The blog post is no longer available.

Closing Words

If your computer is being used as an exit node, it is your IP address that webmasters, law enforcement or rights holders see when they check server logs. If it is used in attacks or malicious activity, it is you who will be contacted by the authorities or site owners.

My personal recommendation is to uninstall Hola if it is installed on a system and stay away from the service for now.

Publisher
Ghacks Technology News

Comments

  1. Matthuffy said on June 28, 2015 at 1:54 pm

    They are still claiming that the Chrome extension is not a p2p. I quote them
    “This is NOT a peer to peer application. This extension does not link to nor encourages the download of any other products and is fully functional as is without requiring any additional download/component.”

    So, anyone for a class action :)

    1. Foo said on February 8, 2016 at 6:42 pm

      Is there any information whether this is still true? Has someone tested it? I had it silently installed with another package. I recognized the icon in the toolbar only after some hours. I didn’t use it and when I saw that it is a p2p plugin I removed it. Any experiences whether there is a risk that it also silently routed traffic over my connection?

      Is there a way to make sure nothing from hola is now running or was running?

  2. Mehreen said on June 1, 2015 at 9:34 pm

    Not all free VPNs are bad though. Hotspot Shield owns their own servers and have been in the VPN business a LONG time, and thus know how to run a free VPN without taking advantage of consumers. They guarantee your safety and privacy completely. I can vouch for them since I work there. So if you’re looking for a trustworthy free VPN, be sure to check them out!

    1. surgeon said on June 9, 2016 at 7:42 pm

      You are probably not aware who owns hotspotshield: It is the NSA and affiliates.

  3. billy said on May 31, 2015 at 6:04 am

    Go to “adios hola”, they show that your entire machine can easily be compromised by use of this VPN. Not good. Thank god I’ve never felt the urge to use anything like this.

  4. Rob Malcolm said on May 29, 2015 at 6:52 pm

    Disclaimer: I work for a SmartDNS company called UnoTelly.

    As someone that uses the Internet, I value companies that keep my information secure. As an employee of a DNS service, I am proud to say that UnoTelly charges customers to provide a quality, secure service. We value our users and would never sell their data.

  5. Max said on May 29, 2015 at 9:43 am

    What about Hola Premium, do you have to worry about the same thing?

    Guessing so.

    1. Rick said on May 29, 2015 at 6:29 pm

      Exact same with premium

      1. Mehreen said on June 1, 2015 at 9:45 pm

        Try Hotspot Shield if you want a free, trustworthy VPN. They own their own VPN server infrastructure, so there’s no chance of them using their users as exit nodes, or taking advantage of them in any manner. They’re pretty reliable, and one of the VPNs that have been around the longest.

  6. happysurf said on May 29, 2015 at 8:10 am

    Thank you very much for the warning.

  7. Rick said on May 28, 2015 at 11:38 pm

    Come on guys. You have to give the dude credit for turning his one American IP address into what Hola is today.

    And when you think about it, someone this ambitious we just had to know would be looking for ANYWAY to cash in.

    I have always thought that Hola was a sham in the making (from reading the EUA and privacy statements that have been vague at best). It appears that my guess was not unfounded.

  8. interstellar said on May 28, 2015 at 8:57 pm

    Excellent warning post, Martin!
    Hola? no..Adios!

    1. some1 said on June 28, 2015 at 1:49 pm

      I lol’d at “no… Adios!”

  9. Belga said on May 28, 2015 at 5:31 pm

    Thank you for the warning. I’ll stay with ZenVPN… until further notice !?

  10. BR said on May 28, 2015 at 4:21 pm

    This is no secret, although I guess only a few users are aware of it.

    From the Hola FAQ “Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users’ devices and not through expensive servers. …. Hola generates revenue by selling a commercial version of the Hola VPN service to businesses (through our Luminati brand).”

    https://hola.org/faq#in_how_is_free

    1. Anonymous said on May 29, 2015 at 9:13 am

      They updated their FAQ less than a week ago to cover their asses.

      1. bruh said on May 30, 2015 at 4:16 pm

        They even change their description of service on Luminati from “A better and more anonymous vpn than Tor” something like that to “It’s simple and it’s fast” LOL.

    2. zentaurus21 said on May 29, 2015 at 4:53 am

      prime directive #1: RTFM (or at least the FAQ ^_^)

      cheers!

  11. john_rik said on May 28, 2015 at 3:56 pm

    That’s why I don’t use free stuffs! ;)

    1. Halv said on September 9, 2015 at 6:16 am

      Chrome and Firefox are free too, you know!
      Don’t only judge because of it

  12. privacy rights said on May 28, 2015 at 3:12 pm

    I stay away from free VPNs in general: they have to make their money somehow, so I assume it’s from the user’s data or resources.

  13. Dan82 said on May 28, 2015 at 3:09 pm

    It’s a good thing that this worrying fact receives some publicity. I knew about the basic exit node issue of Hola for a long while due to the technology being used, but that the operators are selling external traffic for these anonymous end-user connections is new to me. The disturbance liability a user leaves himself open for is nothing to sneeze at, you only need to look at open wireless connections in countries like Germany for example to get a picture of the problem. Since the service can and has apparently been used as a botnet already, active use of the Hola unblocker might be even more of a legal problem than I previously anticipated. With the burden of proof typically on your own shoulders once an accusation based on evidence supported by IP addresses has been made, how could you ever hope to conclusively prove your innocence? Granted, the limitation to HTTP-based connections relieves some of my biggest worries, but even so any exit node can be used to devastating effect, especially when the goal is the denial of service of dynamically created websites.

    1. Ross Presser said on May 28, 2015 at 9:04 pm

      The 8chan admin said that HTTP POST was his problem; but with all the REST APIs in the world, even a GET isn’t safe.

  14. Dwight Stegall said on May 28, 2015 at 2:00 pm

    Hola is a good site to gather info on blocked sites. But its VPN is way too laggy for me. I like Zenmate. It runs like a rabbit.

  15. Wybo said on May 28, 2015 at 12:38 pm

    That doesn’t surprise me. As more often than not there is a “price tag” for free services.

    I use ZenMate. Which still seems to have no strings attached so far, although a few days ago they dropped the UK as one of their IP locations. They used to offer Switzerland too. But that location has disappeared too. They used to offer 5 locations now only four.

  16. Nebulus said on May 28, 2015 at 12:07 pm

    This is disturbing. I hope it doesn’t become a trend, though…

  17. JHy56 said on May 28, 2015 at 11:36 am

    Does this apply to the Android version as well?

    @Night Fury Most of the so-called fastest VPN services are 100% paid.

  18. Ross Presser said on May 28, 2015 at 9:24 am
    1. what said on May 28, 2015 at 3:57 pm

      Why do I need to register to quora to see the answer? No thanks.

      1. Ross Presser said on May 28, 2015 at 9:03 pm

        Sorry about that. Quora is stupid. Here’s a screenshot:
        http://screencast.com/t/plLmsLEcy

    2. Martin Brinkmann said on May 28, 2015 at 10:55 am

      Interesting Ross, thanks for the link!

  19. Night Fury said on May 28, 2015 at 9:21 am

    I don’t recommend free service like that.. you need fastest vpn service fastestvpn.net
