One of the most popular Chrome extensions is selling its users’ bandwidth, largely without their knowledge — and it can be used by hackers to maliciously attack websites.
Hola describes itself as a VPN, a “virtual private network.” As streaming platforms like Netflix have risen in popularity, there has been a corresponding boom in VPNs, which help users circumvent the regional restrictions that forbid Americans from watching certain BBC shows, or Britons from watching some Comedy Central shows that are only available in the US.
One of the most popular of these is Hola. Unlike most VPNs, it is free and installs as an easy-to-use browser extension from the Chrome Web Store. It currently has more than 6 million users. CNN Money said, “Hola is changing the way we use the internet” (we’ve also written about it warmly).
To avoid charging fees, Hola uses a peer-to-peer system: instead of sending traffic through servers it operates, it routes each user’s traffic out through another user’s internet connection. A Brit trying to watch an American-only service, for example, might be routed through an American user’s connection, so the streaming site sees that user’s American IP address.
But Hola is also selling access to its users’ bandwidth for a profit through a sister service called Luminati, as it discloses on a little-read FAQ page. Luminati lets paying customers route their own traffic through the Hola network, for instance when they want a way to route commercial traffic anonymously, and that revenue is what keeps Hola free for users. In the wrong hands, the same function turns Hola’s users into an unwitting botnet, since whatever a Luminati customer sends leaves from those users’ own connections.
Frederick Brennan found that out when Hola was used to attack his website earlier this week.
Brennan, often known by the online moniker “Hotwheels,” is the administrator of 8chan, a countercultural online messageboard. This week 8chan was flooded with thousands of “legitimate-looking” posts, “prompting a 100x spike over peak traffic,” he wrote in a blogpost.
The attack originated with a user called “Bui,” who has attacked 8chan before and who later told Brennan he had used Hola’s Luminati service to carry it out.
Hola’s founder Ofer Vilenski confirmed to Business Insider that Bui had “got through our screening process.” He also said that the attack had been stopped and Bui banned from the network.
Hola’s site explains in an FAQ how the peer-to-peer network works. But before Brennan contacted the company following the attack, the FAQ contained only a brief acknowledgement that the network might be used for “commercial” purposes, and no mention at all of Luminati, which has been in operation since at least October 2014. (A fuller explanation has since been added.)
With no indication on the homepage, it’s doubtful that many users realise that Hola is selling their bandwidth. A Reddit thread discussing the subject is filled with users expressing their surprise and asking how to uninstall it (and in a strawpoll of people I know who use Hola, none were aware of this). “Even if they had said it all along in their FAQ,” wrote one commenter on news site Hacker News, “it’s still infuriatingly disingenuous for someone to act as if anyone ever browses to Hola’s site and reads their FAQ either before or after installing the Hola malware extension. No ordinary person will ever do this.”
The peer-to-peer nature of the service also puts users at risk. On the anonymising Tor network, which likewise routes traffic through other participants’ connections, relay operators have to opt in to run an “exit node,” the last hop whose IP address the destination website actually sees. Everyone using Hola, by contrast, is an exit node by default. That means that if someone uses the plugin to conduct illegal activity through your connection, the destination’s logs show your IP address, and law enforcement might suspect you’re to blame.
Brennan believes that the company is “acting extremely responsible,” and wants to “help users learn that others are using their internet connections without their knowledge or express permission.”
Hola’s Vilenski told Business Insider that there was nothing uniquely vulnerable about Hola’s network: the attacker “could have used any commercial VPN network, but chose to do so with ours.” He added that the company has been “listening to the conversations about Hola and while we think we’ve been clear about what we are doing, we have decided to provide more details about how this works, and thus the changes [to the website] in the past 24 hours.”