The truth behind Hola Unblocker!
Beware This post is more than 3 years old, it may be outdated or incorrect! Please check elsewhere for accurate information!
Please note: This is an updated version of the post. It has been last updated on May the 29th, 2015.
Hola Better Internet, also known as Hola Unblocker, is a very popular extension created by Hola Networks Ltd. It allows you to access blocked content by changing your IP so the website thinks you’re from the U.S. (for example) and allows you to watch the content.
Hola has a user base of around 10 million, and it is very useful. I wrote about it in 2012, but after they started injecting ads into web pages, I removed the post.
Hola started in 2012, and I was intrigued by it. I wanted to start a similar service so I wanted to see how Hola worked. I installed their extension in Firefox and unpacked it. Back in 2012, the extension was very simple and it was easy to discover what they were doing.
They had a bunch of VPS’, often by DigitalOcean in the U.S. and The Netherlands, which were named zagentXX.hola.org. They ran Squid on port 22222 with a predefined user-name.
At first I couldn’t find the password in the extension’s files (later I learned that’s because they used a .pac (Proxy Auto-Config) file), so I used Wireshark to discover what URLs were they accessing and discovered the username and password (back then “proxy” and “E4QZSecBKSz48XxqjK6H”) that were sent to the server.
I didn’t share this information with anyone, because I wanted to keep it for myself and abuse their servers.
I didn’t do anything illegal, except that I used it as a proxy for clicking on ads, and for my (now no longer active) YouTube video downloader service (since YouTube blocked my server’s IP).
Recently, 8chan was attacked by a user using Hola’s (exactly Luminati’s) network and flooding their post.php script with POST requests that caused PHP-FPM (PHP process used by Nginx and similar web servers). 8chan had to introduce a mandatory captcha for all users and posted a web page about Hola.
The page got to Hacker News, and I was mad at Hola. They were abusing their users and not only putting them at risk of persecution, but were actually selling their bandwidth (at the incredibly high price of $20 per GB) with Luminati.
I was aware that Hola was not to be trusted, but I was only aware that they injected ads into pages, not that they were using the users as the proxies.
I posted a web page here that exposed their internal mechanisms so that other users can abuse their network, simply because it was not fair what they were doing.
They did vaguely acknowledge that they were selling the users’ bandwidth on their FAQ page, but that was after the post by 8chan, and besides, who reads FAQs anyway?
This is much worse than you think. Anybody could be using your IP and accessing illegal materials, like child pornography, or buying illegal substances, or DDoS-ing websites. You couldn’t prove that it wasn’t you (okay, maybe you could, I’m not a forensics expert) and the FBI would be happy to arrest you because cops are lazy and you’re the most obvious target.
Anyways, back at the beginning of 2015, they removed the old proxy configuration, totally re-done their extension and would now require every user to authenticate with a unique UUID and a automatically generated password. This made thing a little bit more difficult, but I once again managed to catch their auto configuration URL, get the proxy password (since they aren’t using HTTPS) and the zagent scheme. I have shown some examples on the page here.
Now, I’m not claiming this is an amazing hack, nor that I’m such a master 1337 h4x0r and that you should kneel before me. I’m aware that Hola just happened not to care about security, and I got a little publicity when I published my findings.
I recommend that Hola insert a warning the first time you install the extension, that asks for permission to route traffic through your computer, and to spell out all the risks for you that doing that involves. Being a part of a botnet is not fun, people!
Peace, and don’t sue me.