VPN provider Hola is among the most popular extensions for web users; over 47 million people are part of the peer-to-peer network behind its free and easy-to-use service.
According to a group of researchers, however, the company has been using bandwidth from users for illegal DDoS attacks. In addition, the client software’s insecure design allows remote code execution as well as the tracking of client-enabled features. What’s more, the company is also selling access to its network through an affiliate business known as Luminati, which sells bandwidth through a large number of real IPs.
Hola VPN was using bandwidth from users for illegal DDoS attacks
Multiple DDoS attacks were first reported by image board 8chan, which claimed that huge traffic spikes were sent its way by Luminati. As per Hola, stealing bandwidth from users to sell to others is perfectly legal. Users of the service become part of a larger network, and VPN traffic is routed through this network, using the connections of Hola users themselves.
It’s an arrangement that certainly favors Hola, but one that presents a huge risk to end users. Other VPN services like Hotspot Shield typically set up dedicated servers worldwide, which users connect through in order to avoid geo-location blocks.
The researchers, who go by the name Adios, advise users to stop using Hola immediately, as it could put them on the radar of law enforcement agencies. For example, if someone uses Hola to distribute illegal content on the web, and you happen to be one of the Hola users whose internet connection is used in the process, an investigation could land you in serious trouble.
We suggest immediately moving to VPNs which own their servers and don’t deal with third parties
Instead, they recommend that web users who want anonymity and a way around geo-location blocks turn to one of the several server-based VPN services.
Since the initial reports, Hola has disabled one method of remote code execution, although the researchers claim that several other methods still exist.
Meanwhile, the tracking issue has been completely resolved. However, the primary concern still remains as Hola’s core network infrastructure is peer-to-peer-based. Eliminating it would mean that Hola would need to rethink its VPN business and rebuild its service from the ground up.