It has not been a good week for Hola.
The Israeli company is behind a wildly popular browser plugin and app that disguises users’ identities online. Over the last few days, it has been hit with a deluge of negative press after it emerged that users of the service had had their computers hijacked and used as a giant “botnet” to attack a website.
A botnet is a network of (normally) unwitting computers hijacked by a third party, and used to launch some kind of malicious attack, or just to overwhelm a web site or server with fake requests or traffic.
Exacerbating the criticism is the fact that Hola is openly selling its users’ bandwidth via a commercial side project called Luminati, and researchers claim to have discovered a number of serious security vulnerabilities in the software.
After reports that users’ computers had been hijacked and the company was selling users’ bandwidth, Hola CEO Ofer Vilenski told Business Insider that the company “has been listening to the conversations about Hola… [and] have decided to provide more details about how this works.”
Then, following the publication of two highly critical reports from security researchers, one accusing the company of “negligence, plain and simple,” we reached out to Vilenski again. He told me the company has experienced some “growing pains,” but that the security issues have since been patched — and hopes to grow into a “great billion dollar company.”
What is Hola?
Based in Israel, Hola has 75 employees (around 35 of which are developers), and has received more than $US20 million in venture capital funding since its launch. Before the current firestorm it had enjoyed positive press coverage, including CNN Money and here on Business Insider. Its website says it has more than 47 million users around the world.
So what does it do?
Hola lets users access websites that are unavailable or censored on their connections. A user might want to circumvent a workplace’s block on Facebook, or to access a video streaming service not available in their country. To do this, Hola uses what is known as a VPN, or virtual private network.
Most commercial VPN services require users to pay to use them, but Hola is totally free (though offers a paid option). Why? Because while most companies like this own or rent dedicated servers to act as “exit nodes” through which the user accesses the internet, Hola pursues a different approach. Everyone is an exit node.
So, for example, when a British user sets their location on the tool as Norway, their internet traffic is being routed through the connection of a randon Norwegian user on the Hola network. And simultaneously, the British user’s connection may be used as the exit node for a South African user to connect to the web. It’s a peer-to-peer network that does away with the need for dedicated hardware — allowing it be offered as a free service.
Hola doesn’t hide the fact it works on a peer-to-peer system, although it wasn’t always immediately clear from the website that users will by default act as an exit node. (Users can also pay a premium subscription fee to opt out of this.)
Hola also sells its users’ bandwidth
Hola also operates a second service — one that sells Hola users’ bandwidth for profit. It’s called Luminati, and its customers can hire the Hola network for their own purposes. The company suggests it can be used for brand monitoring or anti ad-fraud checks, but a salesperson told security researchers that the company has “no idea what [customers] are doing on our platform.”
This can have dangerous implications — as Fredrik Brennan found out. He claims the Hola network was used to attack his website last week.
Brennan, often known by the online moniker “Hotwheels,” is the administrator of 8chan, a countercultural online messageboard. The site was targeted by thousands of “legitimate-looking” posts, he wrote in a blog post, “prompting a 100x spike over peak traffic.”
The Hola network — and the computers of users on it — had been used as a giant botnet, a network of hijacked machines intended to overwhelm the site, Brennan claims.
Before recent events, there was only a brief acknowledgement on Hola’s site that the network might be used for “commercial” purposes, and no mention at all of Luminati, which has been in operation since at least October 2014. (A fuller explanation has since been added.) As such, it’s doubtful that many users realise Hola is selling their bandwidth.
A Reddit thread from last week discussing the subject was filled users expressing their surprise and asking how to uninstall it. (And in an unscientific strawpoll of people I know who use Hola, none were aware that they were being used as an exit node on the network — much less that their bandwidth was being sold by Hola.)
“Even if they had said it all along in their FAQ,” wrote one commenter on news site Hacker News, “it’s still infuriatingly disingenuous for someone to act as if anyone ever browses to Hola’s site and reads their FAQ either before or after installing the Hola malware extension. No ordinary person will ever do this.”
Vilenski did not comment on how many clients Luminati has.
Security researchers pile on
Vilenski confirmed that Luminati had been used to mount the attack, though he told me last week that there was nothing uniquely vulnerable about Hola’s VPN — the hacker “could have used any commercial VPN network, but chose to do so with ours.” The attacker has since been blocked from the service.
Since then, however, security researchers have pointed out a number of further vulnerabilities in Hola’s software.
It began with a report entitled “Adios, Hola!” that urged users to “immediately uninstall” the service. It said that Hola:
- Lets users “be tracked across the internet, no matter what you do.”
- Makes users less secure by “[sending] traffic of strangers through your internet connection” — a reference to Hola’s peer-to-peer model where everyone is an exit node.
- “[Sells] access to third parties, and [doesn’t] care what it’s used for.” When a researcher asked the company how it enforces its terms of service for Luminati, the company responded “we don’t… we have no idea what you are doing on our platform.”
Lets “anybody execute code on your computer.” The researchers say they found a vulnerability in Hola that lets websites remotely execute code on a user’s computer. They built an example that opened a calculator on Windows users’ computers — but it could also be used for far more malicious purposes. Here’s a video of the demonstration:
Following the publication of the report, Hola moved to patch the vulnerabilities, and Vilenski told me that the security vulnerabilities have now been fully patched.
But an update to the Adios Hola post disputes this, saying that “many of the issues are ignored, and some claims [in a Hola statement] are simply false.”
It continues: “The vulnerabilities are *still* there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren’t two vulnerabilities, there were six.”
One of the researchers told Motherboard that “while some bugs were fixed, the most critical ones haven’t been, making it still possible to hack Hola users.”
Vilenski countered that he disagrees, and that he cares “more about my users than what that website says.” He invites the researchers behind Adios Hola to present details of the six vulnerabilities that are allegedly still in effect.
That’s not all: Vulnerabilties in Hola have allegedly been exploited in the past. A second security report, this time from Vectra, discovered 5 pieces of malware online “that contain the Hola protocol.”
If true, this means that anyone who has used Hola in the past may have been actively targeted by hackers..
“Unsurprisingly,” Vectra writes, “this means that bad guys had realised the potential of Hola before the recent flurry of public reports by the good guys.”
Vilenski confirmed to me Hola was not aware of its vulnerabilities until the publication of the first report.
Hola hasn’t alerted its users
Following an avalanche on negative publicity everywhere from the BBC to Motherboard, Hola updated its FAQ to explain more clearly the Luminati service, as well as a blog post in which the company says it fixed the vulnerabilities identified. The company’s website now has a banner across the top explaining clearly that users’ bandwidth may be used by others.
But Hola users may not understand the technical details of how their computers are being used by the company, and unless they visit the website again, they’re unlikely to find out — because as Vilenski told me, the company has made no attempt to contact existing users to explain how the tool works or that their bandwidth is being sold for profit. Hola can’t contact them. It apparently has no way to.
This also means Hola has not alerted users about the vulnerabilities on the platform either — vulnerabilities that have been used to target Hola users in the past (and according to some security researchers, are still active).
In theory, Hola could use its browser plugin to display a message explaining the peer-to-peer system, the nature of Luminati, and the vulnerabilities that may have compromised their computers. When I asked if he would commit to doing so, Vilenski told me that while it’s a “good idea,” but he “cannot make that promise.”
The company does not want to be “technically intrusive.”
Hola defends itself
Again, Vilenski claims that all the vulnerabilities Hola knows about have been patched, and says that researchers should explain exactly what they have found to the contrary, instead of accusing him of negligence.
Vilenski also says it’s important to keep this in proportion. He argues that the vulnerabilities amount to “growing pains,” similar to what has happened to other big companies in the past. If you put a “big enough bounty” on any product, vulnerability will be found, and Hola has “just become big enough to become attractive to this scrutiny.”
He also argues that Hola’s peer-to-peer system is analogous to Skype, which also uses a similar method to transmit data. But Skype will only route voice data through the computers of users on the network, while Hola uses web data — and also caches content on users’ machines, Vectra’s report says.
This means if you were being used as an exit node for someone browsing child pornography, then that illegal material would be being saved on your machine. Vilenski counters that it would be unwise to use Hola for illegal activity, as they keep a map of the traffic between nodes, and will cooperate fully with law enforcement.
Vilenski also says that, on average, a user will only give up 6 MB of bandwidth per day using Hola, and only when their device is idle. It will not use devices’ bandwidth when not plugged in so as not to waste battery power, for example. However, he couldn’t put a figure on what the maximum bandwidth usage might be.
The future of Hola?
Vilenski remains positive about the future of the platform. It has seen no meaningful decrease in users as a result of the recent news (though this may be at least in part because they haven’t been widely notified), and every developer at the company is currently working to improve security. Hola is also paying for a security audit from one of the “big 4 auditing companies’ cyber auditing team,” and launching a bounty program to encourage researchers to discover and declare more bugs.
Looking ahead, Hola plans to launch a B2B video product that could cut the cost of distributing video on the internet by 90%. The aim is to “build a great billion dollar company,” Vilenski told me.
It remains to be seen whether it can win back users’ trust, however — or convince security professionals that its services can be relied on. And there are more immediate hurdles to overcome: The company’s Google Chrome plugin, which once had more than 16 thousand positive reviews, has now been removed by Google from the Chrome Web Store.