Hola is a VPN provider that purports to offer its users freedom from censorship, a way to access geoblocked content, and anonymous browsing. The service claims that more than 47 million people are part of its peer-to-peer network. But according to a group of researchers (calling themselves Adios), it's dangerously insecure: the client software has flaws that allow for remote code execution and features of the client enabled tracking. On top of that, critically, Hola sells access to its peer-to-peer network with little oversight, enabling it to be used maliciously. The nature and scale of problems with Hola has researchers now saying users should bid adieu to the software.
Since the initial reports, Hola has made some changes. One method of remote code execution was removed—though the Adios team says that others remain—and the tracking flaw has also been fixed. But the deeper problems remain, and they're fundamental to the way that Hola is built.
The company doesn't hide the fact that the Hola network is peer-to-peer. Users of the service form a large network, and Hola traffic is routed through this network, using the connections of other Hola users. This is great for Hola; it means that the company doesn't need to operate points of presence in different countries in order to make traffic appear to originate in these countries. But this is very risky for end users.