Participants in the upcoming Beijing Winter Olympics are required to use a mobile app marred by security flaws, researchers have claimed.
The My 2022 mobile app for iOS and Android is mandatory for everyone taking part in the upcoming games (athletes, visitors, journalists and others) and handles a number of functions, including chat messaging, translation, transport, competition information and health data.
All users must share their passport details and travel plans with the app and submit personal health information, such as body temperature, any respiratory difficulties or any medications used, starting two weeks before arriving in the country, and must keep using it while they are in China.
However, the app can apparently be tricked into talking to a malicious server, according to researchers from Citizen Lab. The team explained that the app fails to validate the SSL certificates that authenticate a website's identity and ensure the connection is secure, so an attacker positioned on the network path could impersonate the servers the app connects to. Visitors could end up sharing login information with a fake website, or even downloading malware.
The chat service is also flawed, the researchers added: it fails to encrypt some of the metadata sent through the service, so anyone able to observe the traffic, for example on the same public Wi-Fi network, could intercept it. That metadata includes the chat participants' names and account identifiers.
The researchers found these flaws primarily in the iOS version, as they were unable to create an account on the Android version. However, they say they found similar vulnerabilities in the Android features they could reach without an account.
They also say the vulnerabilities are probably not deliberate but rather a consequence of China's "lax enforcement of cybersecurity standards", and that finding them was not much of a surprise.
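The certificate-validation failure described above is a client configuration defect, not an exotic bug. The following is an added example, not code from the report or from the My 2022 app: it renders the weak setting (accept any certificate, never check the server name) beside the hardened one using Python's standard `ssl` module, and adds a small audit function that flags a context configured the insecure way. The `ca_bundle` parameter and the `audit_context` checks are this example's own choices, not anything the researchers describe.

```python
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """Weak setting: the pattern behind 'fails to validate SSL certificates'.

    check_hostname must be cleared before verify_mode, otherwise Python
    refuses the combination. With both off, any certificate is accepted,
    so a machine on the network path can impersonate the real server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # server name is never matched
    ctx.verify_mode = ssl.CERT_NONE  # any cert, including self-signed, is accepted
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected setting: validate the chain and the hostname, TLS 1.2 minimum.

    create_default_context() already sets CERT_REQUIRED and check_hostname.
    ca_bundle (an assumed parameter) lets a client trust only its own CA,
    which is how an app talking to a fixed backend would pin its trust root.
    """
    ctx = ssl.create_default_context()
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would flag in a client SSLContext."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.0/1.1")
    return findings


def fetch_peer_cert(ctx: ssl.SSLContext, host: str, port: int = 443) -> dict:
    """Open a TLS connection with the given context and return the peer cert.

    Needs network access, so it is not exercised by default. With the
    hardened context an impersonating server raises ssl.SSLCertVerificationError
    here; with the insecure one the handshake silently succeeds.
    """
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Running the block prints two findings for the insecure context and none for the hardened one; pointing `fetch_peer_cert` at a host that presents a self-signed certificate is the quickest way to confirm which of the two behaviours a client actually has.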
“While we found glaring and easily discoverable security issues with the way that My 2022 performs encryption, we have also observed similar issues in Chinese-developed Zoom, as well as the most popular Chinese web browsers,” the report said.
The researchers also found a list of some 2,400 politically sensitive keywords in the Android version. Although the list is currently inactive, it could be used to censor communications through the app.
Most of the terms were in simplified Chinese, with others being in Tibetan, Uyghur, traditional Chinese and English.