Mandatory app for Olympic Games visitors contains critical vulnerabilities
MY2022, the app that all attendees of the Winter Olympics in Beijing are required to use, contains two critical vulnerabilities that allow its encryption to be bypassed, so that data the app sends can be read and stolen.
This was discovered by researchers at the Citizen Lab at the University of Toronto. The app is intended for visitors and athletes attending the Beijing Winter Olympics, as well as journalists and the general public. Attendees are required to install it, and it is used for text chat, voice chat, file sharing and uploading Covid-19 health declarations and passport details, among other things. All visitors must also record their health status in the app every day, starting 14 days before they travel to the Games.
The Citizen Lab found two critical vulnerabilities in the app. First, MY2022 does not validate SSL certificates on some of its connections, which leaves it open to attacks in which an attacker impersonates a trusted server and reads the supposedly encrypted traffic the app sends to it. Not every connection is affected, but connections to several specific servers are. Over those connections an attacker can read, among other things, a user's passport, travel and medical information, or send the user malicious instructions through a form, the Citizen Lab says.
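The following Go program is an added illustration of what missing certificate validation means in practice; it is not code from the Citizen Lab report or from the MY2022 app. It starts an in-process HTTPS server whose certificate is self-signed (standing in for an attacker impersonating the real server), then uploads a constructed sample health form to it three times: with a client that has certificate validation switched off, which hands the data to the impostor; with a client that validates the chain against the system trust store, which refuses to connect; and with a client that explicitly trusts the server's own certificate, to show that the hardened client still works against the genuine server. The URL path, the payload and the function names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample payload; stands in for the kind of data the app uploads.
const sampleForm = `{"passport":"X1234567","temperature":36.6}`

// newImpostor starts an HTTPS server with a self-signed certificate that
// httptest generates. A client that validates certificates rejects it; a
// client that does not cannot tell it apart from the legitimate server.
func newImpostor() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body) // a real attacker would log and forward this
		fmt.Fprintf(w, "intercepted %d bytes", len(body))
	}))
}

// vulnerableClient reproduces the flaw class: chain validation switched off.
func vulnerableClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the bug
	}}
}

// hardenedClient validates the chain against roots (nil means the system store).
func hardenedClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
}

// upload posts sampleForm to url and reports whether the server accepted it.
func upload(c *http.Client, url string) (bool, error) {
	resp, err := c.Post(url, "application/json", strings.NewReader(sampleForm))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode == http.StatusOK, nil
}

// isCertError reports whether err is a certificate verification failure
// (errors.As unwraps the url.Error and tls wrappers around the x509 error).
func isCertError(err error) bool {
	var unknown x509.UnknownAuthorityError
	var host x509.HostnameError
	var roots x509.SystemRootsError
	return errors.As(err, &unknown) || errors.As(err, &host) || errors.As(err, &roots)
}

// Result records what each client did when pointed at the impostor.
type Result struct {
	VulnerableAccepted bool // form delivered to the impostor
	HardenedRejected   bool // handshake refused, nothing sent
	PinnedAccepted     bool // hardened client with the genuine cert trusted
}

// Run performs the three uploads described in the lead-in.
func Run() (Result, error) {
	ts := newImpostor()
	defer ts.Close()
	url := ts.URL + "/health" // assumed path

	var r Result
	var err error
	if r.VulnerableAccepted, err = upload(vulnerableClient(), url); err != nil {
		return r, err
	}
	_, verr := upload(hardenedClient(nil), url)
	r.HardenedRejected = isCertError(verr)

	// Trusting the server's own certificate models the genuine server case.
	pool := x509.NewCertPool()
	pool.AddCert(ts.Certificate())
	r.PinnedAccepted, err = upload(hardenedClient(pool), url)
	return r, err
}

func main() {
	r, err := Run()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The same experiment, pointing an app at an interception proxy that presents a self-signed certificate, is how a practitioner checks whether a mobile app validates certificates: if the app keeps talking, every byte it sends is readable by whoever runs the proxy.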
In addition, some sensitive information is sent without any encryption at all. For example, unencrypted data is sent to a mail server, so that message metadata, including the names of senders and recipients and account information, can be intercepted by anyone who is, for instance, on the same Wi-Fi hotspot.
Apart from these vulnerabilities, the Citizen Lab also found that various kinds of sensitive information are shared without the end user's consent with, among others, the Chinese government, local authorities and the International Olympic Committee. According to the Citizen Lab, the app's privacy statement does not say that this personal and medical information is shared with these parties. That is stated in the official Olympic Games Playbook, but not in the app's own privacy statement.
The Citizen Lab reported the vulnerabilities to the Chinese Olympic organizing committee behind the app in December. It has not received a response to date, which is why it is now publishing its findings. Separately, the Citizen Lab analysed the app's built-in censorship and found a list of banned terms in several languages bundled with the app.