About Ouinet
Ouinet is a suite of free, open source software tools and infrastructure that provides access to the open internet in repressive information contexts with limited or no connectivity. Ouinet works through a network of cooperating nodes or servers, using peer-to-peer routing and the distributed data storage of users’ internet activity. Ouinet is a core technology created for and integrated by the Ceno Browser.

Audit Description
OTF’s Security Lab partner 7ASecurity conducted a penetration test and “whitebox” audit of the Ouinet platform in July and August 2025. A whitebox audit is a form of testing in which the auditors have complete knowledge of the item being tested. In this case, 7ASecurity had access to the staging environment (a replica of the configurations of hardware, software, and data of the publicly available tool), as well as documentation, test users, and source code. This allowed for a deep and detailed test.
Scope
The audit included the following:
- Whitebox desktop app tests against Ouinet C++ Client
- Whitebox tests against Ouinet Android Library
- Privacy audit of Ouinet Clients and Backend
- Whitebox tests against Ouinet Protocol implementations
- Ouinet & asio-utp fuzzing and fuzzing test-case creation
- Mobile security tests against Ceno Browser Android app
- Security tests against Ceno Web Extension on Android and Windows
- Ouinet Lightweight Threat Model documentation
- Whitebox tests against Ouinet Distributed Infrastructure
Findings
The audit identified 26 vulnerabilities: six critical, eight high-level, eight medium-level, four low-level, and one informational issue. Auditors also presented 25 hardening recommendations.
The vulnerabilities identified as “critical” encompassed multiple scenarios for denial-of-service (DoS), whereby resources, services or webpages are rendered inaccessible to legitimate users, as well as weaknesses in caching processes (the mechanisms by which users’ internet activity data is stored). Other vulnerabilities included possible phishing via Task Hijacking on Android, sensitive information access via memory leaks, and potential endpoint poisoning of the Ouinet injector bootstrap process, which attackers could exploit to intercept client traffic. Access the full report to learn more.
Remediation
Upon retesting, auditors verified that all of the critical and high-level vulnerabilities have been resolved, as have six of the medium and one of the low-level issues. The informational issue was later found to be mitigated by design.
You can read the Audit Report HERE
You can read OTF’s Blog HERE