The bandwidth of millions of users of a popular free VPN service is being sold without their knowledge in an attempt to cover the cost of its free service, which could result in a vast botnet-for-sale network.
"Hola," a free virtual private network, is designed to help people abroad watch region-restricted shows like American Netflix and other streaming U.S. media.
Hola Is Selling Users' Bandwidth
Hola is an easy-to-use browser plugin available in the Google Chrome Store, with more than 6 million downloads to date. But unfortunately, it could be used by hackers to maliciously attack websites, potentially putting its users at risk of being involved in illegal or abusive activities.
Hola uses a peer-to-peer system to route users' traffic. So if you are in Denmark and want to watch a show from America, you might be routed through a US-based user's internet connection.
However, Hola is not missing the chance to make money from a free service. It has been selling access to users' bandwidth for profit to a third-party service called Luminati, which then resells the connections, Hola founder Ofer Vilenski confirmed.
Luminati is one of the world's largest VPN networks, letting users buy access to the Hola network for a fee when they need a secure way to route commercial traffic without revealing their identity.
Giant Botnet
This means the connection of any user who runs the free version of Hola is being sold without their knowledge. As Motherboard put it, this is "turning you and other Hola users into a node of what could be described as a voluntary botnet."
This wasn't widely known until 8chan administrator Fredrick Brennan posted about the service, claiming Luminati and Hola users' computers had been used in a botnet to attack and take down his website.
Using Hola and Luminati to Take Down Websites
Earlier that week, Brennan's website was hit by thousands of "legitimate-looking POST requests" within 30 seconds, "representing a 100x spike over peak traffic and crashing PHP-FPM," Brennan wrote in a blog post.
The denial-of-service (DoS) attack came from a well-known spammer who goes by "Bui," and who later told Brennan he had used Hola's Luminati service to carry it out against his website.
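For site operators, the pattern Brennan describes (a burst of POSTs inside 30 seconds at 100x normal peak) can be spotted by counting POSTs across all clients in a sliding window rather than per address. The sketch below is an added example, not code from Brennan or Hola; the log format, the `/post.php` path, the documentation-range addresses and the baseline peak of 2 are constructed assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # burst length reported in the article
SPIKE_FACTOR = 100              # "100x spike over peak traffic"

def detect_post_flood(lines, peak_posts_per_window):
    """Return stats for the first 30 s window whose POST count reaches
    SPIKE_FACTOR times the normal peak, or None if no window does."""
    threshold = SPIKE_FACTOR * peak_posts_per_window
    window = deque()  # (timestamp, client_ip) of POSTs inside the window
    for line in lines:
        ts_text, ip, method, _path = line.split()
        if method != "POST":
            continue
        ts = datetime.fromisoformat(ts_text)
        window.append((ts, ip))
        while ts - window[0][0] > WINDOW:  # drop POSTs older than 30 s
            window.popleft()
        if len(window) >= threshold:
            per_ip = Counter(addr for _, addr in window)
            return {"at": ts, "posts": len(window),
                    "distinct_ips": len(per_ip),
                    "max_per_ip": max(per_ip.values())}
    return None

def build_sample_log(with_burst=True):
    """Constructed access log: 'timestamp client_ip method path' per line."""
    t0 = datetime(2000, 1, 1, 12, 0, 0)
    # Normal traffic: one POST every 20 s, so at most 2 per 30 s window.
    lines = [f"{(t0 + timedelta(seconds=20 * i)).isoformat()} 192.0.2.{i + 1} POST /post.php"
             for i in range(6)]
    if with_burst:
        start = t0 + timedelta(minutes=5)
        for i in range(300):  # 300 POSTs in 15 s spread over 150 addresses
            ts = start + timedelta(milliseconds=50 * i)
            lines.append(f"{ts.isoformat()} 198.51.100.{i % 150 + 1} POST /post.php")
    return lines

if __name__ == "__main__":
    print(detect_post_flood(build_sample_log(), peak_posts_per_window=2))
```

On the constructed log the alert fires with no single address having sent more than two POSTs, which is why a per-address rate limit alone would not flag traffic spread across many peers' connections.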
Here's What Hola Says
Hola's FAQ explains that the service may be used for "commercial" purposes, but it made no mention of Luminati, which had been working with the company since at least October 2014. Hola later updated its FAQ with a fuller explanation.
"Hola is a managed and supervised network, and thus any illegal activity, such as CP, etc., would be reported to the authorities with the real IP of the user," the company wrote.
Yet that wouldn't prevent users from initially being suspected of criminal hacking.
Vilenski said the explanation had actually been there in a "different form," pointing to the old FAQ, which read: "If you would like to use Hola for commercial use, contact us at business@hola.org for a quote."
Vilenski admitted, however, that most Hola users are probably not aware of this, not because the company is trying to hide it but because most simply don't care. "They want a good service, it works well, and it does not screw them up," he added.
This is another reminder that when something is free, there is often a catch. Free services appeal to everyone, but spending a few dollars a month on a VPN can protect you from various online threats. It is also good practice to read the details before installing any extension or service.




