Editor’s note: An earlier version of this story inaccurately stated that Hola users did not have a means of opting out of having their web connections turned into access points for other users. In a statement to Fusion, Hola clarified that subscribers to its $5 monthly premium service could opt out and use Hola like a regular VPN. This post has been updated throughout to reflect more recent information.
Hola, an Israeli peer-to-peer VPN service, has been outed by a cohort of coders, hackers, and privacy advocates calling themselves Adios for selling access to users’ internet connections and IP addresses. Taken at face value, Hola enables people to access websites that might be geo-restricted or blocked by allowing them to route their web requests through other users’ IP addresses in different physical locations. For example, if you were trying to access Gmail from mainland China (where Google’s services are blocked), Hola would enable you to direct your traffic through an IP address in a country with open access to Google.
The issue at hand is that many of Hola’s subscribers were not aware that, unless they subscribed to Hola’s $5 monthly premium plan, their connections could be turned into access points for users who might want to do more than access restricted websites. Hola users are at risk of having their IP addresses co-opted in ways that could enable other users to view child pornography or share copyrighted material, which could expose the owners of those IP addresses to legal risk.
“We assumed that by stating that Hola is a P2P network, it was clear that people were sharing their bandwidth with the community network in return for their free service,” Hola said in a blog post dated June 1 addressing users’ concerns. “After all, people have been doing that for years with services like Skype. It was not clear to all our users, and we want it to be completely clear.”
Skype did, in fact, once operate on a peer-to-peer infrastructure before it was acquired by Microsoft in 2011. In 2013 Skype’s lead architect Michael Kaufman explained in a public e-mail that Skype had been in the process of moving its backend infrastructure onto its own centrally controlled servers long before Microsoft officially planned to take over the company.
Skype wanted to move its network onto its own servers in order to avoid the kind of massive outages, caused by weaknesses in its old P2P structure, that had knocked Skype offline globally in the past.
But there’s more: Adios alleges that Luminati, a Hola subsidiary, is known to have sold access to Hola’s user base, allowing anyone with the right amount of cash to turn large groups of Hola users into a makeshift botnet or, at the very least, give people unauthorized access to each other's computers.
A Hola representative told Fusion that all of the previously identified weaknesses in its system have been addressed and that Hola has never given away access to a user’s computer for malicious uses. Hola has also stated that its process for reviewing Luminati users has been strengthened.
In an effort to substantiate their claims, Adios published a video on May 30th purportedly demonstrating the vulnerabilities that Hola posed to its users:
Adios also published a series of screenshots of a purported conversation they had with a Hola sales representative who stated that Hola had no way of knowing what Luminati subscribers were doing on their platform:
Botnets are networks of compromised computers that have been infected with malware giving a single operator the ability to command all of them at once to carry out malicious attacks (such as denial of service) on targeted servers. A series of denial-of-service attacks were recently launched against the popular imageboard 8chan, severely affecting the site’s ability to run. 8chan founder Frederick Brennan believes the attacks were carried out using Hola’s platforms.
“When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP,” 8chan founder Frederick Brennan explained in a critical blog post dated May 26. “This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this.”
Tor, a popular browser that allows its users to browse the internet anonymously using a system similar to Hola’s, makes a point of requiring that its users opt in to becoming VPN endpoints. Following the swift backlash against the apparent weaknesses in its service, Hola published a lengthy blog post detailing its missteps. Hola’s biggest mistake, CEO Ofer Vilenski insisted, was merely trying to keep pace with its rapidly growing user base.
Currently Hola has some 47 million users across the globe using its Chrome plug-ins and applications for Android (which Google has since pulled) and Windows. Part of what made Hola so successful, Vilenski said in an interview with Startup Camel, was his team's constant iteration on the product. Rather than advertising to new users, Hola focused on making the product "good enough," which apparently was reason enough for it to spread.
“There have been some terrible accusations against Hola which we feel are unjustified,” Vilenski wrote in a recent post to Hola's official blog. “We innovated quickly, but it looks like Steve Jobs was right.”
Jobs, you’ll remember, was a champion of the philosophy of “innovating fast,” even at the cost of making crucial mistakes.
Vilenski went on to outline the changes to Hola that he insists are addressing the bulk of the public’s concerns. Hola’s website has been updated to more explicitly detail the ways in which its users are connected to one another; previously, the peer-to-peer arrangement that exposes users was only mentioned in the service’s FAQ section. Vilenski also addressed the 8chan attack that Brennan alleges was orchestrated using a botnet built upon Hola, stating that the “spammer” responsible for it slipped through Hola’s security measures by “posing as a corporation.”
“He passed through our filters and was able to take advantage of our network,” he wrote. “We analyzed the incident, and built the necessary measures in our processes to ensure that such incidents do not occur, and deactivated his service.” He went on:
Two vulnerabilities were found in our product this past week. This means that there was a risk of a hacker being able to operate remote code on some devices that Hola is installed on. The hackers who identified these issues did their job, and we did our job by fixing them. In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community.
According to Adios, though, that’s simply not the case.
“We know this to be false,” Adios asserted in an update to its original blog post. “The vulnerabilities are still there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren't two vulnerabilities, there were six.” They continued:
Hola also claims that "[vulnerabilities happen] to everyone". As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to 'oversight'; rather, it's straight-out negligence. They are not comparable to the others mentioned - they are much worse.
Going forward, Hola plans to launch a “bug bounty program” meant to encourage people to seek out and discover future weaknesses in the service. Adios has not responded to requests for comment about Hola’s insistence that it has sufficiently addressed all of its criticisms.