Why is Hola VPN bad

Hola: Ask your hacker about side effects


Read on one side

Whether music videos on YouTube, TV series from the USA or the football broadcast at the holiday resort - Internet users repeatedly come across error messages of the kind: "This video is not available in your country." The reason is so-called geo-locks, which only make content available in certain countries.

Numerous companies promise a solution to this annoying problem by providing users with IP addresses from other countries and thus outsmarting geoblocks. A particularly popular service is Hola. According to its own information, the company currently has 47 million users. No wonder: While other providers charge monthly fees of 5 to 15 euros, Hola is free.

This special offer is no coincidence: As hackers have now revealed, the software was teeming with security holes that enabled attackers to play all kinds of mischief on users' computers. The campaign page Adios Hola compares the service with a huge botnet and asks all users to uninstall the program.

Gift horse

The problems are partly due to sloppiness, but partly due to the system. The free offer is only possible because Hola does not operate its own servers through which videos are sent to the user. Instead, Hola relies on a peer-to-peer network: For example, if a user wants to access a video from a US provider, Hola connects them to an American Hola user.

In practice it just works, if anything but perfect. Sometimes connections break off, sometimes transmission stalls. But with a free offer, users tolerate such errors.



Be there live online when our podcasts are created and meet your favorite hosts at the first ZEIT ONLINE podcast festival on Sunday, June 20, 2021.

With your registration you take note of the data protection regulations.

Many Thanks! We have sent you an email.

Check your mailbox and confirm the newsletter subscription.

Hola is not a non-profit organization. The Israeli company finances its service by marketing its users' internet connection. Under the name Luminati, Hola offers customers willing to pay access to the "world's largest VPN network". The Hola customers are marketed here as "exit nodes", whose computers do everything the paying companies want. To make this worthwhile, the plugin works even when the user is not watching any videos about Hola.

Spammer customer causes trouble

At the request of ZEIT ONLINE, a company spokeswoman said that Luminati had serious customers. Companies used the service to check the prices at which their products would be offered or where their online advertising would be delivered. However, at least one dubious customer has also made it into the Hola user network. Frederick Brennan, operator of the 8chan forum, was able to trace a current attack back to the Hola network.

The unknown attacker hid behind IP addresses of Hola users in order to flood the forum with seemingly legitimate inquiries and to crash the server. Hola confirms the attack, but assures that customers will be checked more carefully in the future. It is not known whether there were any more cases. Recordings of online sales calls suggest that Hola is not actually verifying what Luminati customers are up to on the network.

Customer computers become servers

Brennan's revelation brought other hackers to the scene. They analyzed the software and found numerous holes within a day that left attackers completely free.

The technical background: Hola sets up a server on the users' computers that retrieves, temporarily stores and forwards information on request. But the programmers gave this server too many rights and sloppy security. The result: Anyone who wanted to, could access the user's hard drive, start programs unnoticed and launch attacks on other servers via the Internet connection. In addition, the browser plug-in modified every data query so that server operators could track users. The plugin that promised users to hide their identities from the target server didn't do just that.