CDR Link Penetration Tests Sponsored by OTF Security Lab

We’re proud to share that two recent penetration tests we conducted of CDR Link have now been publicly released by the Open Technology Fund (OTF) as part of the OTF Security Lab audit program.
The OTF Security Lab funds independent security audits for internet freedom projects that support journalists, human rights defenders and civil society organizations operating in high-risk environments and repressive contexts. These are systems where security failures can have direct consequences for individuals relying on them.
CDR Link is a secure, open source help desk platform designed for organizations assisting users exposed to censorship, surveillance, and digital threats. It integrates with messaging platforms such as Signal, Telegram, and WhatsApp, enabling support teams to handle sensitive requests through a centralized interface. In practice, it acts as critical infrastructure for digital security support — often serving users who cannot safely rely on traditional communication channels.
Results from the penetration tests
The audits were conducted as white-box penetration tests, with access to source code, documentation, and deployment environments. The scope included the CDR Link application itself, as well as its integrations and typical deployment configurations. Given the nature of the platform, testing focused not only on common web vulnerabilities, but also on protection of sensitive user data and operational security of help desk workflows.
Key issues that were identified included:
- A critical vulnerability allowing full system compromise via a malicious ticket submission
- Abuse of API passthrough functionality to perform unauthorized account actions
- Weaknesses in session handling and authentication flows
- Logging and visibility limitations impacting detection of suspicious activity
- Lower-severity issues enabling spoofing and inconsistent access control behavior
- Unauthenticated administrative access to the OpenSearch dashboard, exposing sensitive data and opening the door to further attacks on the underlying infrastructure
CDR Link’s development team responded promptly to the findings, fixing the majority of the identified vulnerabilities. Our team re-tested the remediations to verify their effectiveness and confirmed that no critical issues remain.
Improvements beyond code fixes
In addition to remediating vulnerabilities, CDR Link implemented significant architectural improvements to strengthen their security posture:
- Migration from Debian to Rocky Linux, to simplify OS-level hardening controls and benefit from longer support cycles
- Transition from Docker to Podman, which runs containers without a root-owned daemon, removing the need for privileged containers and reducing the attack surface
These changes directly address findings from the audit and improve both security and long-term maintainability.
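To make the attack surface behind that container change concrete, here is an added example that is not code from CDR Link or from the audit: it audits `docker inspect` / `podman inspect` output for the settings that turn a compromise of one container into a compromise of the host. The container names, host paths and the two sample inspect records are constructed for illustration; the `HostConfig`, `Config` and `Mounts` fields are the ones both runtimes actually emit.

```python
"""Flag container settings that weaken isolation, from inspect JSON.

Added illustration, not part of CDR Link. Works on the output of
`docker inspect <id>...` or `podman inspect <id>...`, which share the
same HostConfig / Config / Mounts layout.
"""
import json
import sys

# Host paths whose bind-mount gives a process inside the container a
# direct path to the host (root filesystem, kernel interfaces, the
# container runtime's own control socket).
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/proc", "/sys",
    "/var/run/docker.sock", "/run/podman/podman.sock",
)

# Capabilities that are effectively root on the host when granted.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "NET_ADMIN", "DAC_READ_SEARCH"}


def _under(path, root):
    """True if `path` is `root` or lies beneath it ('/' matches only '/')."""
    if root == "/":
        return path == "/"
    return path == root or path.startswith(root + "/")


def _normalize_cap(cap):
    """Docker writes 'CAP_SYS_ADMIN' or 'SYS_ADMIN'; compare without prefix."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(record):
    """Return a list of findings (strings) for one inspect record."""
    name = record.get("Name", "").lstrip("/")
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append(f"{name}: runs --privileged (all capabilities, raw device access)")
    caps = {_normalize_cap(c) for c in (host.get("CapAdd") or [])}
    for cap in sorted(caps & DANGEROUS_CAPS):
        findings.append(f"{name}: adds capability {cap}")
    if host.get("NetworkMode") == "host":
        findings.append(f"{name}: shares the host network namespace")
    if host.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    # An empty User means the image default, which is almost always uid 0.
    if not cfg.get("User"):
        findings.append(f"{name}: no User set, main process runs as root in the container")
    for mount in record.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
            findings.append(f"{name}: bind-mounts sensitive host path {src}")
    return findings


def audit_inspect_output(text):
    """Parse the JSON array that inspect prints; map container name -> findings."""
    return {rec.get("Name", "").lstrip("/"): audit_container(rec)
            for rec in json.loads(text)}


# Constructed sample: one legacy-style deployment and one hardened one.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/legacy-helpdesk",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": True, "CapAdd": ["CAP_SYS_ADMIN"],
                       "NetworkMode": "host", "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {
        "Name": "/hardened-helpdesk",
        "Config": {"User": "1000:1000"},
        "HostConfig": {"Privileged": False, "CapAdd": None,
                       "NetworkMode": "bridge", "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/srv/helpdesk/data",
                    "Destination": "/data"}],
    },
])

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python audit_containers.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for container, issues in audit_inspect_output(data).items():
        print(container, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run against live output by piping `docker inspect $(docker ps -q)` or `podman inspect $(podman ps -q)` into the script; a rootless Podman deployment should produce no privileged, host-namespace or runtime-socket findings at all, which is the property the migration above is meant to buy.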
Security in high-risk support systems
CDR Link operates in environments where confidentiality and integrity are essential — not only for the organizations running help desks, but for the individuals seeking assistance. This makes security testing fundamentally different from standard enterprise assessments: privacy, traceability, and misuse resistance must be evaluated in the context of real adversaries.
We’re proud to contribute to this work together with OTF’s Security Lab and the CDR team, helping strengthen tools that support some of the most exposed communities online.
For full details and access to the published reports, we encourage you to read OTF’s write-ups.
Are you building technology that requires an independent security assessment? Whether you operate in high-risk environments or simply want assurance that your platform stands up to real-world threats, we’re here to help. Explore our penetration testing services and contact us with your inquiries.