The Privacy BlogPrivacy, Security, Cryptography, and Anonymity



Hola VPN Service Security Train Wreck

Hola logo unhappy

The Hola peer to peer VPN service suffered a number of very damaging security revelations today. Hola claims that there are (or were) about 45 million active users of the service.

The first problem is that Hola sells a service called Luminati which allows anyone to pay to use all the other users’ computers like a giant botnet. It looks like the website 8chan was recently attacked using this capability. Researchers have demonstrated that Hola does not screen the people to whom it sells this service, nor do they monitor or enforce any kind of terms of service. To me this is recklessly irresponsible behavior.

In addition researchers found a number of major vulnerabilities in the Hola client (some of which have now been fixed). Vulnerabilities allowed attackers to exploit the client and take full control of the user’s computer. There was also a console which would allow attackers to download software, move files on the user’s computer, and more. This is basically an open back door to take over the machine.

Worst of all is that Hola installed its own code signing key into the windows operating system. Any software signed by that key would be treated as completely legitimate by the computer. This is a gigantic failure in security architecture. Either they did not know what they were doing (which is not at all good), or they did (which is even worse).

Finally, the basic peer to peer nature of Hola inherently puts their users at risk. By design your web traffic goes out through some other user’s computer, and someone’s traffic is exiting through yours. So let’s look at each of those situations.

Your traffic it going out through some random person’s computer. That person has the ability to capture all your web traffic, monitor your activities, and insert trackers and malware. This is similar to the problem with Tor nodes, but here there are even fewer checks and balances, and much less barrier to entry.

If someone is doing something bad on the web, like publishing child pornography, it could appear to be coming from your internet connection. While you might be able to prove that you were not the source, you might get roughed up by the SWAT team and spend a few months in jail first.

The only safe course of action is to completely un-install Hola immediately (instructions HERE).

This shows once again the importance of selecting a privacy service provider based on reputation and track record. The operators of the service should be known and public. The service must have a track record of strong security, product design, and proven record of resisting attacks and legal pressures.

Learn more Here, HereHere, and read the original alert at

You might be interested in these other related blog posts:

What Hand Sanitizer Can Teach Us About Cybersecurity

SuperFish – worst case certificate abuse

Security Implications of Lizard Squad Attack on Tor


· · · · ·


  • Matt · July 28, 2015 at 5:29 pm

    I lost contact with this blog since the site was going through new site designs and the previous version didn’t really show a button or link to this blog. The new design has it so, at last, I’m a returning reader!


  • Blue Cirrus · September 7, 2015 at 5:04 am

    Hi Lance,

    I have become scared after reading this article, as I’m planning to use Hola VPN service for my firm. Is it really risky If I use it for my small firm? Any way, thanks for this awesome review.


    • Author comment by Lance Cottrell · September 8, 2015 at 11:46 am

      I really depends on why you want to use it. If you need to rely on the security, then I would avoid it. If you just need to use an IP somewhere else, then it might be ok.


  • Jafar · August 17, 2016 at 5:33 am

    Hola is a P2P network and free users are required to share their resources to use the IP disguising service. The flaws could not only lead to arbitrary code execution


  • Tim T · January 18, 2017 at 6:54 pm

    Wow. That’s just horrible. Especially disturbing is the part about potentially getting blamed for someone else’s illegal online activities. Getting malware on your computer is one thing, but in my mind that takes it to a whole other level. Underlines the importance of always doing your due diligence. Thanks for the great read!


Leave a Reply