Vulnerabilities discovered in mandatory Olympic Games app

Citizen Lab researchers have discovered serious vulnerabilities in the MY2022 app, which will be mandatory for all attendees of the Winter Olympics in China. The flaws allow the app's encryption to be bypassed. Citizen Lab researchers call them “simple, but devastating.”

Mandatory app for attendees

All attendees at the Beijing Olympics must have the MY2022 app installed. This applies to athletes, but also to spectators and journalists. The app is multifunctional: among other things, it offers real-time text chat, voice chat and file sharing. The app also contains news and weather reports about the Olympic Games.

In addition, the app allows users to submit the information required when visiting China from abroad, such as passport details, demographic information, travel history, and medical history.

The latter is one of the reasons why the app is mandatory. MY2022 is part of a closed-loop management system to prevent the spread of the coronavirus. Attendees must be tested daily during the Games. Starting 14 days before their departure to China, they must download MY2022, monitor their health status daily and submit it in the app.

Critical Vulnerabilities

The Citizen Lab found two vulnerabilities in the app related to the security of user data in transit. First, the researchers found that MY2022 does not validate SSL certificates. This means that the app does not verify to whom the sensitive, encrypted information is being sent: any server that presents a certificate is accepted, whether or not that certificate is trusted or matches the expected host.

The vulnerability could allow an attacker to impersonate trusted servers and interfere with communication between the app and those servers. In doing so, the attacker gains access to an app user's sensitive demographic, passport, travel and medical information. According to the Citizen Lab, it is also possible to send a user malicious instructions via a form, to send voice messages, and to read the user's files. The researchers note that not all connections are unsafe; in the report, they list a number of vulnerable servers.
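To make the first flaw concrete, the following is an added Python example, not code from the article or from the MY2022 app. It uses the standard library's `ssl` module to build hypothetical HTTPS client configurations: one that skips certificate validation entirely, one that validates the certificate chain but not the hostname, and one that does both. The helper names (`insecure_context`, `hostname_unchecked_context`, `hardened_context`, `validates_peer`, `audit`) and the connection labels passed to `audit` are assumptions for illustration; they show the check a reviewer can apply to a client's TLS settings to find configurations that would accept an impersonated server.

```python
import ssl

# An HTTPS client ends up trusting anyone in two ways: verify_mode set to
# CERT_NONE (no chain validation at all) or check_hostname disabled (a valid
# certificate issued for the *wrong* host is accepted). Both are shown as
# hypothetical client configurations, not the app's real code.


def insecure_context() -> ssl.SSLContext:
    """Hypothetical 'accept any certificate' configuration (the weak setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation: any certificate is accepted
    return ctx


def hostname_unchecked_context() -> ssl.SSLContext:
    """Subtler weak setting: the chain is validated against the trust store,
    but a certificate legitimately issued to some other host is still accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Hardened configuration: validate the chain against the system trust store
    and require the certificate to match the hostname that was requested."""
    return ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the hostname."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def audit(contexts: dict) -> list:
    """Return the labels of contexts that would accept an impersonated server."""
    return [label for label, ctx in contexts.items() if not validates_peer(ctx)]


if __name__ == "__main__":
    # Constructed sample: labels are hypothetical connection names, not the app's.
    sample = {
        "chat": insecure_context(),
        "health-form": hostname_unchecked_context(),
        "news": hardened_context(),
    }
    for label in audit(sample):
        print(f"{label}: would accept an impersonated server")
```

The point of `validates_peer` is that chain validation and hostname checking are separate controls; a client that only does the first, as in `hostname_unchecked_context`, is still exposed to anyone holding a valid certificate for any domain.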

The second vulnerability relates to the encryption of sensitive data. The Citizen Lab researchers discovered that some of the sensitive data is sent without encryption of any kind. For example, data was sent to a mail server in plaintext.

This allows attackers to read sensitive metadata, including the names of message senders and recipients and their user account IDs. According to the researchers, any passive eavesdropper can read this data: for example, someone on the same Wi-Fi hotspot, an Internet service provider, or another telecommunications company.

Censorship and Privacy Policy

In addition to the vulnerabilities, the Citizen Lab also discovered that the app shares medical information with, among others, the Chinese government. This is not stated in MY2022’s privacy policy. The official script for the Olympic Games does state that personal data will be shared with various parties, including the International Olympic Committee (IOC), the Beijing 2022 Organizing Committee, Chinese authorities (including the government and local authorities), and others.

Finally, the researchers found that MY2022 allows users to report, among other things, “politically sensitive content”. The app also includes a list of censored words: banned terms in various languages on political topics such as Xinjiang and Tibet, and references to Chinese government agencies.

The Citizen Lab researchers say in the report that they shared the vulnerabilities with the Chinese Olympic organization in December last year. To date, the Citizen Lab has not received a response. The Olympic Games will take place from 4 to 20 February 2022.
