Hola hits back at ‘terrible accusations’ of selling bandwidth

2 Jun 2015

After a weekend to forget, virtual private network (VPN) provider Hola has said “terrible accusations” suggesting it sold users’ bandwidth to be part of a botnet are unjustified.

With nearly 50m people downloading the browser extension, Hola exploded in popularity two years ago by allowing users by-pass regional-only services such as Netflix, allowing them to access content they otherwise wouldn’t have been able to.

Over the weekend, however, it became apparent that the company’s offer of a free VPN service was a little too good to be true, with 8chan message board operator Frederick Brennan alerting people that his website was being targeted by a distributed denial of service (DDoS) attack.

In his post he described Hola as the “most unethical VPN I’ve ever seen”,  describing Hola’s methods of routing IPs through other people’s computers rather than servers, and also accused it of selling this bandwidth to anyone willing to buy it through another company, Luminati.

“An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM,” Brennan said.

‘Terrible accusations’

Having now been removed from many browsers, the company has responded, describing these claims as “terrible accusations” in its latest blog post.

It goes on to list out three of the claims made by security researchers against Hola, with the Israeli-based company citing miscommunication as the biggest issue, but also some major security flaws.

“Two vulnerabilities were found in our product this past week,” Hola’s statement said. “This means that there was a risk of a hacker being able to operate remote code on some devices that Hola is installed on. The hackers who identified these issues did their job, and we did our job by fixing them.”

‘Straight-out negligence’

Responding, a group of researchers on the newly-created website adios-hola.org, claimed Hola’s statement is largely untrue.

“We know [the vulnerability claims] to be false,” they said. “The vulnerabilities are *still* there, they just broke our vulnerability checker… Not only that, there weren’t two vulnerabilities, there were six.

“Hola also claims that [vulnerabilities happen] to everyone. As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to ‘oversight’; rather, it’s straight-out negligence. They are not comparable to the others mentioned — they are much worse.”

Hola written on a fence image via Shutterstock

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com