New research has uncovered some damning vulnerabilities in the “My 2022” app, which is required for athletes, journalists, staff, and other individuals involved with the Beijing 2022 Winter Olympics.
The research comes from the Canadian group Citizen Lab, which reports that the app doesn’t validate the SSL certificates presented by the hosts it connects to. An attacker able to interfere with that traffic could therefore spoof those hostnames and redirect the app’s sensitive data to unofficial servers.
Citizen Lab uses the host “health.customsapp.com” as its example of how an attacker could exploit this to steal data.
“For instance, since the app does not validate the SSL certificate for ‘health.customsapp.com’, an attacker, by interfering with the communication between MY2022 and ‘health.customsapp.com’, can spoof ‘health.customsapp.com’, enabling the attacker to read a victim’s sensitive demographic, passport, travel, and medical information sent in a customs health declaration or to send malicious instructions to a victim after completing a form,” the research firm said (via Android Police).
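The defect described above is a missing certificate or hostname check in the client. As an added illustration that is not part of Citizen Lab’s report or the MY2022 code, the following Python script flags the Java/Android source patterns that typically produce this class of bug when auditing a decompiled app; the source it scans is constructed here, and the pattern list is an assumption about common bypass idioms, not a description of what Citizen Lab found in MY2022.

```python
"""Flag TLS-validation bypass idioms in (decompiled) Java/Android source."""
from __future__ import annotations
import re

# Assumed common idioms that disable certificate or hostname validation.
BYPASS_PATTERNS = {
    "empty checkServerTrusted (accepts any server certificate)":
        re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}"),
    "HostnameVerifier.verify always returns true (any hostname accepted)":
        re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;"),
    "getAcceptedIssuers returns null (no trusted issuers enforced)":
        re.compile(r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+null\s*;"),
    "ALLOW_ALL_HOSTNAME_VERIFIER constant referenced":
        re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
}


def scan_source(source: str) -> list[tuple[int, str]]:
    """Return (line_number, description) for every bypass idiom found."""
    findings = []
    for description, pattern in BYPASS_PATTERNS.items():
        for match in pattern.finditer(source):
            # Line number = newlines before the match start, plus one.
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append((line_no, description))
    return sorted(findings)


# Constructed sample: a trust-all TrustManager and a permissive verifier.
VULNERABLE_SOURCE = """\
public class TrustAllManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier lax = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""

# Constructed sample: platform defaults left in place, so nothing is flagged.
HARDENED_SOURCE = """\
HostnameVerifier strict = HttpsURLConnection.getDefaultHostnameVerifier();
SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
"""

if __name__ == "__main__":
    for line_no, description in scan_source(VULNERABLE_SOURCE):
        print(f"line {line_no}: {description}")
```

A hit is a lead for manual review, not proof of a bug: the flagged class may be dead code, or validation may be reinstated elsewhere (for example via certificate pinning).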
The My 2022 app contains a file called illegalwords.txt with more than 2,400 keywords
Moreover, the My 2022 app is mandatory for all participants of Beijing 2022, including the administrators. The app’s official purpose is to serve as a guide for people participating in and covering the games. Participants have to download the app at least 14 days before their arrival in Beijing, and they also have to submit health information such as their vaccination status and recent COVID-19 test results.
Citizen Lab found these vulnerabilities in versions 2.0.0 and 2.0.5 of the My 2022 app for iOS during mid-January. Meanwhile, the Android version of the My 2022 app included a file known as “illegalwords.txt,” containing a list of 2,442 keywords “considered politically sensitive in China,” as per Citizen Lab. While most of these keywords are in simplified Chinese, the list also includes keywords in traditional Chinese, Tibetan, Uyghur, and English.
It’s important to note that although the inclusion of this file does raise censorship concerns, the research firm said it couldn’t “find any functionality where these keywords were used to perform censorship.”
Citizen Lab couldn’t confirm whether the keyword list was left inactive by accident or on purpose. One theory is that the organizers decided not to go ahead with the plan, given the criticism of China’s censorship. Organizers of the Beijing 2022 Winter Olympics have not yet commented on these new revelations.
2022-02-07 15:05:27