One of the most popular free VPN and geo-unblocking services, Hola, has been uncovered as exhibiting malware-like behavior after its founder, Ofer Vilenski, confirmed that company resells the idle bandwidth of anyone who has installed the service.
Hola is most commonly downloaded as a browser extension to bypass the geo-blocks implemented by services such as Netflix and Hulu. It works as a peer-to-peer VPN; anyone who installs Hola acts as a VPN exit for another user. For example, if someone from Australia wanted to watch US Netflix, they would use the IP address of a US Hola user. If that US Hola user wanted to use an Australian service, they could borrow the Australian user's IP.
While this has always been how Hola has operated its free service, it turns out the company also sells users' connections to a third-party service called Luminati. Anyone can then buy bandwidth from Luminati's "Super Proxies" to route traffic through millions of free Hola users' idle internet connections.
As Luminati essentially functions as a Tor-like network, buyers of the service's bandwidth could end up hijacking a Hola user's connection to traffic child porn, access illegal marketplaces or perform other malicious activities. The Luminati network anonymizes their users in such a way that to authorities, the people seen to be accessing illegal sites are the 'innocent' Hola users.
According to the operator of online message board website 8chan, people have already used the Luminati network, hijacking thousands of Hola user's internet connections, to perform a denial of service attack on the website.
The recently-updated Hola FAQ does state exactly how the user's internet connection will be used, and claims that criminals won't be able to access the service as "Hola is a managed and supervised network and thus any illegal activity such as CP, etc. would be reported to the authorities with the real IP of the user."
However that doesn't stop the service from being dodgy. While Hola does function as intended, there is the real possibility that someone with malicious intent could hijack a user's connection through the service, access illegal material, and then let the blame fall squarely on the unprotected Hola user (at least initially).
Unless you are willing to take this risk, we strongly advise that the 46 million users of Hola uninstall the service to prevent their connection from being hijacked. If you are looking for a way to bypass geo-blocks, there are plenty of great, cheap VPN services that offer far greater privacy and security to their users.