Hola / Luminati.io VPN

Encouraging best practices in the VPN industry via independent, community-certified verification of clean installers and clean basic service operations. Let's reward the good, and make the bad a little bit less tempting 〰 github repo#cleanVPN
User avatar
Posts: 6
Joined: Mon Jun 01, 2015 4:55 am

Hola / Luminati.io VPN

Post by sin » Mon Jun 01, 2015 5:57 am

Forgive me if this is the wrong section.

HOLA extension selling users as private network via http://www.Luminati.io

Stop using the Hola VPN right now
By Selena Larson
May 29, 2015, 5:40pm CT

If you’re using Hola, a free virtual private network (VPN) that lets you stream things like Netflix abroad, you need to stop immediately. The company behind Hola is turning your computer into a node on a botnet, and selling your network to anyone who is willing to pay.

Security researchers discovered multiple security flaws in Hola and published their findings on a site called “Adios Hola.”

“Hola is harmful to the internet as a whole, and to its users in particular,” researchers wrote.

So what’s the big deal? By using Hola as a VPN, you can view any content that might otherwise be blocked in your location by routing your traffic through the U.S. or whatever country you want your content to be in. But Hola turns your computer into an exit node without your permission, essentially letting anyone browse the Web through your network. Any malicious activity could then be traced back to you.

As the researchers note, it’s the same problem people have on the Tor browser—but on Tor, you can opt out.

Hola is going even further, by selling access to the network through a site called Luminati from $1.45 to $20 per GB. On Adios Hola, researchers published chat logs between them and the company explaining that they don’t enforce rules that say people shouldn’t be engaging in illegal activity because the company has “no idea what you are doing on our platform.”

Additionally, Hola can let someone take over programs on your computer. The researchers explain:

And on some systems, it gets worse; Hola will happily run whatever you feed it as the 'SYSTEM' user. What this means in simple terms, is that somebody can completely compromise your system, beyond any repair. It allows for installing things like a rootkit, for example.

This problem is not just an 'oversight'. It's not a thing where you say 'well, bugs can happen'. This kind of security issue can only happen if a developer is either grossly incompetent, or simply doesn't care about the security of their users. It's negligence, plain and simple, and there's no excuse for it.

If you haven’t already, uninstall Hola right now. And if you’re not sure whether or not you’re vulnerable thanks to Hola, you can visit http://adios-hola.org/ to find out.

The Hola FAQ before and after Luminati disclosure;


Luminati.io before and after disclosure;


http://www.dailydot.com/technology/hola ... ity/?tw=dd - Article first published to masses
http://adios-hola.org/ - Security research and fix
http://luminati.io/ - VPN service by Hola OVER 9 MILLION exits! (bots)
- reddit thread bringing light to this situation.

Has anyone seen worse? It's hard to beat.



User avatar
Posts: 6
Joined: Mon Jun 01, 2015 4:55 am

Re: Hola / Luminati.io VPN

Post by sin » Wed Jun 03, 2015 6:32 am

Classic, hahaha..


src: https://hola.org/blog/the-recent-events ... la-network

Full text for non-clickers;

June 1st, 2015
By: Ofer Vilenski, Hola CEO
Steve Jobs' quote
Hola is all about innovation. And freedom. We created the first P2P network for HTTP to accelerate and open the Internet. The network that allows anyone in any country to access any site. Facebook from Iran. Twitter from Turkey. Watch your favorite shows back home when travelling. No more discrimination.

For the past two years, Hola has been growing steadily - purely via word of mouth and stellar reviews. Our marketing budget was zero $. We grew organically. People simply love Hola and made it the number one VPN in the world.

Which is why the last week has been so difficult for us. There have been some terrible accusations against Hola which we feel are unjustified. We innovated quickly, but it looks like Steve Jobs was right. We made some mistakes, and now we’re going to fix them, fast. Since May 28, our people have been working literally 24/7. I want to share with you what happened and what we’re doing about it.

There are three issues:

1. Hola is about sharing resources

We assumed that by stating that Hola is a P2P network, it was clear that people were sharing their bandwidth with the community network in return for their free service. After all, people have been doing that for years with services like Skype. It was not clear to all our users, and we want it to be completely clear.

We have changed our site and product installation flows to make it crystal clear that Hola is P2P, and that you are sharing your resources with others. This information is now “in your face” - and no longer appears only in the FAQ.

Now, we understand some members of our community prefer not to share their resources - and that’s fine. That’s why we offer Hola Premium. To make it even easier, new Hola Premium users can purchase one month of Hola premium until end of June, and get 2 months free (send email to billing@hola.org after activation with your user name).

In 2009 as Skype was growing, it was accused of ‘stealing your bandwidth’ for being a P2P technology - see http://tech.blorge.com/Structure:%20/20 ... -using-it/

2. Does Hola make you part of a botnet?

No! Hola makes its money by selling its VPN service to businesses for legitimate commercial purposes, such as brand monitoring (checking the prices of their products in various stores), self test (checking how their corporate site looks from multiple countries), anti ad fraud (ensuring that the adverts are not inserted enroute to use), etc.

So how much bandwidth is this really “costing” you? On average about 6MB per day now, which is like an additional 3 web page loads per day or 15 seconds of a YouTube clip. You can choose this “value exchange” model, or opt out with the Hola premium ($5 per month).

Luminati is the commercial name we chose for “Hola for business”. We did not make this clear enough to our community. Therefore, we have now clarified this on hola.org, luminati.io and in our Hola FAQ. To ensure full transparency, any change to our documentation is highlighted, and includes a link to all previous versions.

There was some concern that by selling our VPN services to enterprise customers, we were possibly exposing our users to cyber criminal traffic that could get them in trouble (Thus the ‘botnet’ accusation). The reality is that we have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified. This makes the Hola/Luminati network unattractive to criminals - as opposed to Tor for example, which provides them complete anonymity for free.

Last week a spammer used Luminati by posing as a corporation. He passed through our filters and was able to take advantage of our network. We analyzed the incident, and built the necessary measures in our processes to ensure that such incidents do not occur, and deactivated his service. We will cooperate with any investigation of the incident to ensure that he will be punished to the fullest extent.

In 2011 a hacker paid Amazon and used their servers to attack the Sony Playstation network. Following such attacks, Amazon required additional proof of identity from customers for use of their network. At Hola we learned the same lesson this past week, and will be developing technological monitoring solutions to minimize the risk of abuse.

We will be boosting our security team with the appointment of a Chief Security Officer in the coming weeks.

3. Vulnerability of the Hola client

Part of the growing pains of creating a new service can be vulnerability to attack. It has happened to everyone (Apple iCloud, Snapchat, Skype, Sony, Evernote, Microsoft…), and now, to Hola. Two vulnerabilities were found in our product this past week. This means that there was a risk of a hacker being able to operate remote code on some devices that Hola is installed on. The hackers who identified these issues did their job, and we did our job by fixing them. In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community. We are now undergoing an internal security review, as well as an external audit we have committed to with one of the big 4 auditing companies’ cyber auditing team.

We will soon announce a bug bounty program for anyone that finds additional vulnerabilities in our products.

Hola was built for you, the user. We want to do what’s right for our community. We will continue to serve you. We have experienced the growing pains of our large network now, and are implementing these lessons.


Their FAQ/Privacy Policy/Terms of service keep getting better and better too!