‘My 2022,’ the official app for the Beijing 2022 Winter Olympics, has been found to be insecure in how it protects its users’ sensitive data. In particular, the app’s transport encryption has a serious flaw that lets a man-in-the-middle attacker read documents, audio, and files in cleartext.
In a detailed examination of the ‘My 2022’ app for privacy and security weaknesses, Citizen Lab researchers found that the app requests access to the following sensitive data and capabilities: device model and identifiers, cellular carrier information, the list of installed apps, the current WLAN state, real-time location, audio information, the device’s storage, and a specific location.
From domestic users, ‘My 2022’ collects names, national identity numbers, phone numbers, email addresses, profile images, and employment records, and sends the data to the Beijing Olympic Organizing Committee. From foreign users it collects full passport details, daily health status, COVID-19 vaccination status, demographic information, and the company they work for.
Far more alarming are the app’s SSL/TLS weaknesses: because the app does not properly validate server certificates, it accepts connections to servers it should not trust. According to Citizen Lab’s research, an attacker can impersonate at least five of the app’s servers and intercept the data the app sends, since the app can be tricked into accepting a malicious server as genuine.
As a result, all of the sensitive information listed above can be collected by third parties outside the Chinese government’s jurisdiction. Beyond the server impersonation issue, the researchers found that some data is sent with no encryption at all, so transmissions containing important metadata can be captured and read in cleartext by simple network packet sniffing.
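The certificate-validation failure described above, shown as an added example that is not part of the original article or of Citizen Lab’s analysis: a Go program starts a local HTTPS server with a self-signed certificate (standing in for an attacker’s host impersonating one of the app’s servers) and connects to it with three clients. The client that disables verification (`InsecureSkipVerify`), the same class of mistake the app makes, accepts the impersonator and hands over its request; a client with default verification rejects it; and a client that pins the one certificate it expects accepts only that server. The server, the handler response, and the function names are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newImpersonatingServer starts a local HTTPS server whose certificate is
// self-signed by httptest, so no client should trust it by default. It stands
// in for an attacker's host pretending to be one of the app's servers.
// (Constructed for this example.)
func newImpersonatingServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		// An impersonator sees the request in the clear and can answer anything.
		fmt.Fprint(w, "intercepted")
	}))
}

// fetch issues one GET with the given TLS configuration and returns the body.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// InsecureFetch reproduces the flaw class Citizen Lab describes: certificate
// validation is switched off, so whatever server answers is trusted.
func InsecureFetch(url string) (string, error) {
	return fetch(url, &tls.Config{InsecureSkipVerify: true}) // the bug
}

// ValidatingFetch keeps Go's default verification: the chain must lead to a
// trusted root and the certificate must match the host name.
func ValidatingFetch(url string) (string, error) {
	return fetch(url, &tls.Config{})
}

// PinnedFetch trusts only the one certificate the caller expects. This is
// the approach to take when a server uses a private CA, instead of turning
// validation off altogether.
func PinnedFetch(url string, expected *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(expected)
	return fetch(url, &tls.Config{RootCAs: pool})
}

func main() {
	srv := newImpersonatingServer()
	defer srv.Close()

	body, err := InsecureFetch(srv.URL)
	fmt.Printf("no validation:      body=%q err=%v\n", body, err)

	_, err = ValidatingFetch(srv.URL)
	fmt.Printf("default validation: err=%v\n", err)

	body, err = PinnedFetch(srv.URL, srv.Certificate())
	fmt.Printf("pinned cert:        body=%q err=%v\n", body, err)
}
```

The first client is what a network-position attacker needs: once verification is off, the handshake succeeds against any certificate and everything the client sends afterwards is readable by whoever terminated the connection. The pinned client shows that trusting a non-public certificate never requires disabling validation; it only requires telling the client which root to trust.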
On December 3, 2021, Citizen Lab reported the privacy and security vulnerabilities it had found to the Beijing Organizing Committee for the 2022 Olympic and Paralympic Winter Games. As of today (January 18, 2022) it has received no response, so the researchers have disclosed the flaws publicly.
The app’s developers released version 2.0.5 of ‘My 2022’ yesterday, and a new round of testing shows that the reported flaws remain unfixed. Citizen Lab considers it highly unlikely that China introduced the flaws deliberately: the recipient of the data is the Chinese government, which has no motive to build additional backdoors for anyone else.