Researchers say the Chinese game app has security flaws


A woman takes her picture in front of a facility in Beijing 2022 near the closed “bubble” surrounding the venues for the Beijing 2022 Winter Olympics in Beijing, China, January 18, 2022. REUTERS/Thomas Peter


Jan 18 (Reuters) – A smartphone app built by China to monitor the health of attendees at next month’s Beijing Winter Olympics contains security flaws that make it vulnerable to privacy breaches and hackers, a report by Canadian researchers showed on Tuesday.

The MY2022 app is designed by the Beijing Organizing Committee mainly to track and share COVID-19 related medical information among athletes during the Games.

Researchers at the Citizen Lab project in Toronto said MY2022 failed to properly encrypt the transmission of personal data, leaving it vulnerable to hackers. They also found that MY2022’s privacy policy does not specify which organizations it will share users’ information with.


The International Olympic Committee (IOC) said it had conducted independent evaluations of the app and found no “serious weaknesses”.

“It is not necessary to install ‘My 2022’ on mobile phones,” the IOC said in a statement.

Yu Hong, director general of the commission’s technology division, said on Wednesday that the app’s main function is to monitor people’s health and that the country follows strict data protection rules.

At a briefing hosted by the Chinese Embassy in the United States, the Beijing 2022 official said that all technological aspects of the MY2022 application have been verified by relevant app stores. She was speaking via video link from Beijing.

Yu also said that technology gaps were normal when developing this type of app, which her department was constantly updating to eliminate such issues.

Citizen Lab researchers said they found flaws in the iOS version of the app after creating an account with it. They couldn’t create an account in the Android version but they said vulnerabilities exist in both versions of MY2022.

The report said MY2022 failed to validate the SSL certificates needed to authenticate a website’s identity and enable encrypted communication. Hackers can exploit this to impersonate a trusted server and have the app transfer data to malicious websites.

MY2022 sends the unencrypted data to “tmail.beijing2022.cn”.

“Such data could be read by any passive eavesdropper, such as someone within range of an unsecured WiFi access point, someone operating a WiFi hotspot, an Internet service provider or another carrier,” the report said.

Citizen Lab said it notified the Beijing Winter Olympic Organizing Committee on December 3 of its security concerns, but received no response.

The Winter Olympics are scheduled to begin on February 4. Several countries, including the United States, Britain, Japan and Australia, have announced diplomatic boycotts of the Games due to concerns about human rights in China.


Additional reporting by Anne Maria Shipu in Bengaluru and Martin Pollard in Shanghai and the Beijing Newsroom. Editing by Ed Osmond and Michael Berry
