Engadget Japan: There is a security flaw in the mandatory application for the Beijing Olympic Games. Neither the Chinese government nor the IOC responded.
It is reported that a flaw that could disclose personal information has been found in the mobile application that all participants are obliged to use at the upcoming Beijing Winter Olympic Games.
The app "My 2022" is mandatory not only for competitors but also for spectators and members of the media, that is, for all "participants in the Beijing Winter Olympic Games". Participants must download the app 14 days before leaving for China and submit the results of daily health monitoring through the app (to the Chinese authorities).
The application was analyzed by Citizen Lab, a security research lab at the University of Toronto, Canada. The organization is also understood to have played an important role in identifying smartphones infected with the spyware "Pegasus".
According to Citizen Lab, My 2022 collects personal information such as passport details, medical data and travel history, but it has two security vulnerabilities through which that information could be compromised.
The first is a failure to validate SSL certificates when sending and receiving highly confidential encrypted data. In other words, "an attacker can impersonate a reliable server by interfering with the communication between the application and the server," so the app can be made to connect to a malicious host that listens in on personal information and displays spoofed content in the application.
The second vulnerability is that some confidential data is sent without any SSL encryption or security guarantee at all. This includes sensitive metadata related to messages, such as the names of the sender and receiver of a message and the identifier of the user account.
In other words, information that should be kept secret is sent in clear text, so anyone on the path, such as the operator of a Wi-Fi hotspot or the Internet service provider, can eavesdrop on it. These two vulnerabilities are thought to exist in both the iOS and Android versions.
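The two classes of flaw described above, shown as an added example (this is not code from Citizen Lab or from My 2022): a Python sketch that contrasts a TLS client configuration with certificate verification switched off against the verified default, and flags endpoints that would be sent in clear text. The function names and the endpoint URLs are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit


def weak_context():
    """Client TLS context with verification disabled (the first flaw class)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from any host, is accepted
    return ctx


def verified_context():
    """Default client context: chain verification and hostname check enabled."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return a list of findings for a client-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def cleartext_endpoints(urls):
    """Return the endpoints that would carry data without TLS (second flaw class)."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]


# Constructed sample endpoints (hypothetical hosts, not taken from the app).
SAMPLE_ENDPOINTS = [
    "https://health.example.test/report",
    "http://chat.example.test/message",
]

if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("verified:", audit_context(verified_context()))
    print("cleartext:", cleartext_endpoints(SAMPLE_ENDPOINTS))
```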
It is reported that on December 3 last year (2021), Citizen Lab presented these issues to the Beijing Organizing Committee for the Olympic and Paralympic Games. However, as of January 18, the deadline, there had been no answer, so the decision was made to make them public. In addition, iOS version 2.05 was released on the 17th, and analysis of it showed that the reported problems had not been corrected.
In addition, Reuters in the US reported that the International Olympic Committee (IOC) had carried out a third-party evaluation of the application and had not found "significant loopholes". It also declared that "I have no obligation to install 'My 2022' on my smartphone."
To sum up these reports, at the time of writing the Chinese authorities do not seem to intend to fix the flaw that could disclose personal information. In addition, the IOC has no intention of asking the Chinese government to respond and, in case something happens, may intend to take the attitude that "the use of My 2022 is your own responsibility."
The BBC in the UK relayed comments from cyber security companies that it is best for participants in the Beijing Olympic Games to bring prepaid smartphones and set up an e-mail account that will be used only during their stay in China. If you are participating as a competitor, as a reporter or as other related personnel, it is best to look into this kind of countermeasure first.
Source: Citizen Lab