Penetration Test Report: Cinemata

We’re proud to share that a recent penetration test we conducted has now been publicly released by the Open Technology Fund (OTF) as part of the OTF Security Lab audit program — this time focusing on the Cinemata project, a video platform for user-contributed films from the Asia-Pacific region.
The OTF Security Lab funds independent security audits for projects that support journalists, human rights defenders and civil society organizations operating in high-risk environments. Cinemata serves communities operating in politically sensitive environments. In such contexts, vulnerabilities can have direct safety implications.
Cinemata provides an open source video platform for filmmakers, activists and educators to publish and share socially relevant films that repressive or commercial platforms might censor. Platforms like Cinemata play an important societal role: enabling documentation, distribution and long-term accessibility of material that might otherwise be suppressed.
Results from the penetration test
The penetration test covered the Cinemata web application, its backend APIs as well as server configuration and deployment hardening.
Given Cinemata’s user base (activists, journalists, and human rights advocates) and their privacy-centric threat model, explicit focus was placed on privacy risks and deanonymization vectors in addition to classic web application vulnerabilities. Therefore, logging practices, IP masking, view history storage, and metadata exposure were evaluated not just from a technical risk perspective, but from a real-world adversarial standpoint.
The initial assessment identified 26 security issues, one rated Critical and five rated High risk. As of publication, all reported findings have been fixed and verified across multiple verification rounds.
Key issues included:
- Stored XSS and upload-based XSS enabling potential account takeover
- Missing MFA and weak password policy
- Authorization flaws exposing private media and metadata
- An SSRF/file exfiltration vector via crafted media uploads
- Privacy-impacting logging of IP addresses and user activity
- Infrastructure hardening gaps (HSTS, SSH configuration, logging)
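As an added illustration of the mitigation behind the privacy-impacting IP logging finding (this is example code, not Cinemata's or OTF's), the snippet below truncates client addresses to a network prefix before a request is written to an access log; the /24 and /48 prefix lengths and the combined-log-style line format are assumptions.

```python
import ipaddress
import re
from typing import List, Optional

# Hypothetical helper (not from the Cinemata code base): reduce a client IP to a
# coarse network prefix so access logs cannot be used to re-identify a viewer,
# while keeping enough structure for abuse triage. Prefix lengths are assumptions.
def mask_ip(ip: str, v4_prefix: int = 24, v6_prefix: int = 48) -> Optional[str]:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        # Not a valid address (e.g. "-" or a hostname): caller decides what to do.
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

# Combined-log-style line: first whitespace-delimited token is the client IP.
LOG_RE = re.compile(r"^(?P<ip>\S+)(?P<rest> .*)$")

def mask_log_line(line: str) -> str:
    """Return the line with its leading client IP replaced by its masked prefix."""
    m = LOG_RE.match(line)
    if not m:
        return line
    masked = mask_ip(m.group("ip"))
    if masked is None:
        return line  # leave lines whose first token is not an IP untouched
    return masked + m.group("rest")

def mask_log(lines: List[str]) -> List[str]:
    return [mask_log_line(ln) for ln in lines]

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.57 - - [01/Jan/2025:12:00:00 +0000] "GET /media/abc123 HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::5 - - [01/Jan/2025:12:00:01 +0000] "GET /view/xyz HTTP/1.1" 200 80',
    '- - - [01/Jan/2025:12:00:02 +0000] "GET /health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for masked_line in mask_log(SAMPLE_LOG):
        print(masked_line)
```

Applying the mask at the logging layer (before the line is written) is what matters; masking an already-stored log does not undo the exposure.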
For full details and a link to the report which includes findings and recommendations for remediation, we encourage you to read OTF’s Cinemata blog post.
Also, feel free to read our other published penetration test reports.
Are you building technology that requires an independent security assessment? Whether you operate in high-risk environments or simply want assurance that your platform stands up to real-world threats, we’re here to help. Explore our penetration testing services and contact us with your inquiries.