
This hugely popular Chrome extension could use your computer to hack websites

Hola is selling its users’ bandwidth.

ONE OF THE most popular Google Chrome extensions is selling its users’ bandwidth, largely without their knowledge — and it can be used by hackers to maliciously attack websites.

Hola is a VPN — a “virtual private network”. As streaming platforms like Netflix have risen in popularity, there has been a corresponding boom in VPNs, which help users circumvent the regional restrictions that forbid Americans from watching certain BBC shows, or people in Ireland from watching some shows on Comedy Central in the US.

One of the most popular of these is Hola.

Unlike most VPNs, it’s free to download as an easy-to-use browser plugin in the Google Chrome store. It currently has more than 6 million users. CNN Money said, “Hola is changing the way we use the internet”.

To avoid the need for fees, Hola uses a peer-to-peer system, routing users’ traffic through other users’ connections. Someone in Ireland trying to watch an American-only service, for example, might be routed through an American user’s internet connection.

But Hola is also selling access to users’ bandwidth for a profit via the service Luminati, as it discloses on a little-read FAQ page.

[Image: Screengrab from Hola on the Chrome Web Store.]

Luminati lets users buy access to the Hola network for a fee, for instance if users need a secure way to route commercial traffic anonymously. This revenue keeps Hola free for users.

But in the wrong hands this same function can transform its networked users into an unwitting botnet, defined as “a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions to other computers on the internet”.

Frederick Brennan found that out when Hola was used to attack his website earlier this week.

Brennan, often known by the online moniker “Hotwheels,” is the administrator of 8chan, a countercultural online messageboard. Earlier this week Brennan was targeted by thousands of “legitimate-looking” posts, “prompting a 100x spike over peak traffic,” he wrote in a blogpost.

The attack originated with a user called “Bui” (who has attacked 8chan before), who later told Brennan he had used Hola’s Luminati service to carry it out.

‘It got through our screening process’

Hola’s founder Ofer Vilenski confirmed to Business Insider that Bui had “got through our screening process.” He also said that the attack had been ended and Bui banned from the network.

Hola’s site explains in an FAQ how the peer-to-peer network works. But before Brennan reached out following the attack, there was only a brief acknowledgement that it might be used for “commercial” purposes, and no mention at all of Luminati, which has been in operation since at least October 2014. (A fuller explanation has since been added.)

With no indication on the homepage, it’s doubtful that many users realise that Hola is selling their bandwidth. A Reddit thread discussing the subject is filled with users expressing their surprise and asking how to uninstall it (and in a strawpoll of people I know who use Hola, none were aware of this).

“Even if they had said it all along in their FAQ,” wrote one commenter on news site Hacker News, “it’s still infuriatingly disingenuous for someone to act as if anyone ever browses to Hola’s site and reads their FAQ either before or after installing the Hola malware extension.

No ordinary person will ever do this.

The peer-to-peer nature of the site also potentially puts users at risk. On the anonymising Tor network, which works in a similar way, users have to opt in to become an “exit node” — a point at which traffic can come and go, in and out of the network. But everyone using Hola is an exit node. This implies that if someone is using the plugin to conduct illegal activity through your connection, law enforcement might suspect you’re to blame.

Brennan believes that the company is “acting extremely irresponsibly,” and wants to “help users learn that others are using their internet connections without their knowledge or express permission”.

Hola’s Vilenski told Business Insider that there was nothing uniquely vulnerable about Hola’s VPN — the hacker “could have used any commercial VPN network, but chose to do so with ours.”

Furthermore, the company has been “listening to the conversations about Hola and while we think we’ve been clear about what we are doing, we have decided to provide more details about how this works, and thus the changes [to the website] in the past 24 hours.”

- Rob Price


Published with permission from