Hola Claims to Have Fixed Holes, But Security Researchers Disagree

The popular free VPN says it has improved security and transparency.

Last week, a group of researchers showed that the popular Hola VPN, a free tool to watch Netflix abroad and unblock other internet content restricted based on your location, made its users vulnerable to hacking.

Malicious hackers could potentially exploit a bug in Hola to serve malware to a victim, hacking into his or her computer, the researchers warned. Initially, Hola's CEO and co-founder Ofer Vilenski told Motherboard that there was "absolutely no way that we know of to do that, nor have we ever heard such a claim."


Over the weekend, however, Vilenski backtracked.

"The hackers who identified these issues did their job," Vilenski wrote in a lengthy statement, "and we did our job by fixing them."

Vilenski explained that Hola fixed two vulnerabilities "within a few hours of them being published," and added that Hola is now undergoing an internal security review, and an external audit.

But the researchers who exposed the flaws on the "Adios Hola" website aren't sold.

"We know this to be false," they wrote in an update on the site. "The vulnerabilities are *still* there. […] Not only that; there weren't two vulnerabilities, there were six."

Sven Slootweg, an open-source software developer who participated in the research, told Motherboard that while some bugs were fixed, the most critical ones haven't been, making it still possible to hack Hola users.

In a new analysis of Hola, however, security firm Vectra Networks came to the same conclusions as the independent researchers, and also found the Hola protocol inside five different samples of malware, proving that Hola might have been exploited even before the recent media attention.

"This means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys," the company wrote.

Hola did not respond to a request for comment by the time of publication.

Last week, a spam attack on the imageboard 8chan revealed that Hola owned another service called Luminati, through which Hola users are sold as exit nodes in a network of proxies. In other words, if you are a Hola user, your bandwidth and internet connection can be sold to others.

While calling some of the accusations "terrible" and "unjustified," Vilenski also acknowledged that they failed at making it "clear enough" that Hola was a peer-to-peer service, and that Luminati sold Hola users' bandwidth to businesses. To improve this, Hola added a disclaimer at the top of its homepage explaining how the service works.

In any case, Vilenski repeated that it'd be a bad idea to use Hola or Luminati for criminal purposes, given that the company has "a record of the real identification and traffic of the Luminati users," which allows it to report any misconduct to the authorities.

Slootweg was skeptical of Vilenski's statement, given he didn't explain the risks of being an exit node, such as facing arrest for what others do with your internet connection, as Motherboard reported recently.

"In essence, the blog post is a marketing post, not a transparency post," Slootweg told Motherboard over chat. "Damage control."