The 2022 Beijing Olympics athlete app turns out to have a serious security flaw, and a keyword censorship list is also discovered
'MY2022', the health management application that all participants in the Beijing Olympics to be held in February 2022 are required to install, has a security flaw that makes it easy to intercept sensitive information, an analysis by a Canadian security research group has revealed. In addition to the encryption defects, MY2022 was also found to contain data related to the censorship of political keywords.
Cross-country Exposure: Analysis of the MY2022 Olympics app --The Citizen Lab
China's app for Olympic athletes has security flaws, study finds --Axios
https://www.axios.com/beijing-winter-olympics-app-security-flaws-0a51a256-00b7-4cca-94ab-0b87a8acf1d4.html
Report: Chinese Olympic app has serious security flaws | AP News
https://apnews.com/article/coronavirus-pandemic-winter-olympics-sports-technology-health-69ea8d5a5e5e51e898bf2f867358214f
MY2022 is an app developed by Beijing Financial Holdings Group, a Chinese state-owned company, for the purpose of collecting information on Olympic participants' novel coronavirus vaccinations. All participants in the Games, whether from China or abroad, are required to download MY2022 to their device 14 days before entering China, monitor their health condition every day, and submit the information through the app.
Regarding this app, Citizen Lab, an interdisciplinary research institute at the University of Toronto, said on January 18th: 'The encryption that is supposed to protect users' voice and file transfers in the 2022 Beijing Olympics health management app MY2022 has a simple but fatal flaw that allows it to be bypassed.'
There are two security flaws in MY2022 pointed out by Citizen Lab this time. One of them is
Another flaw is that MY2022 transmits some sensitive data unencrypted. The unencrypted data includes highly private information such as the names of message senders and recipients and user account identifiers, and it was in a state where anyone on the same insecure wireless LAN, or an internet service provider on the path, could easily steal it.
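The failure mode described above, sensitive fields leaving the device over plaintext HTTP, is something an app tester checks for by inspecting captured traffic. The following is an added example (not Citizen Lab's tooling or MY2022's code) that scans a small set of constructed request records, flags the ones sent over cleartext `http://`, and lists which sensitive fields they carry. The URLs, field names and bodies are all constructed for illustration.

```python
"""Flag captured app requests that carry sensitive fields over cleartext HTTP.

Added example with constructed data; it does not reproduce any real app's
traffic. Each Request stands for one captured HTTP(S) request.
"""
import json
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Field names a tester would treat as sensitive if sent in the clear.
# Illustrative set, not taken from any real app.
SENSITIVE_KEYS = {"name", "sender", "recipient", "account_id", "user_id", "passport"}


@dataclass
class Request:
    url: str
    body: str = ""


def extract_fields(req: Request) -> dict:
    """Collect key/value fields from the query string and a JSON or form body."""
    fields = dict(parse_qsl(urlsplit(req.url).query))
    body = req.body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            data = {}
        if isinstance(data, dict):
            fields.update({k: str(v) for k, v in data.items()})
    elif body:
        fields.update(dict(parse_qsl(body)))
    return fields


def find_cleartext_leaks(requests: list) -> list:
    """Return (host, sorted sensitive field names) for every cleartext request
    that carries at least one sensitive field. HTTPS requests are skipped,
    since this check only covers the plaintext-transport problem."""
    findings = []
    for req in requests:
        parts = urlsplit(req.url)
        if parts.scheme.lower() != "http":
            continue
        leaked = sorted(k for k in extract_fields(req) if k.lower() in SENSITIVE_KEYS)
        if leaked:
            findings.append((parts.netloc, leaked))
    return findings


# Constructed capture: two cleartext requests with private fields, one HTTPS
# request (out of scope here), and one cleartext request with nothing sensitive.
SAMPLE_CAPTURE = [
    Request("http://msg.example.invalid/send",
            '{"sender": "Alice", "recipient": "Bob", "text": "hi"}'),
    Request("https://health.example.invalid/report?account_id=123"),
    Request("http://cdn.example.invalid/banner.png"),
    Request("http://auth.example.invalid/login", "user_id=u42&token=abc"),
]

if __name__ == "__main__":
    for host, fields in find_cleartext_leaks(SAMPLE_CAPTURE):
        print(f"{host}: sensitive fields in cleartext -> {', '.join(fields)}")
```

On the constructed capture this reports the messaging and login hosts and stays silent on the HTTPS report and the image fetch. A real assessment would feed it records exported from an intercepting proxy, and the matching would be tuned to the app's actual field names.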
These issues with MY2022 have been confirmed in both the Android and iOS versions. Citizen Lab also noted that the privacy policy does not specify which organizations MY2022 shares user information with, saying: 'Because this may violate Google Play policies and App Store guidelines, we think both companies may take some action in the future.'
In addition, the Android version of MY2022 was bundled with 'illegalwords.txt', a list of 2442 keywords considered politically sensitive in China. Most of the keywords were in Simplified Chinese, and the rest were in Traditional Chinese, Tibetan, Uighur, and English. The keywords include the name of Chinese leader Xi Jinping ('习近平'), a phrase meaning 'the Chinese Communist Party is evil', multiple terms referring to the 1989 Tiananmen Square protests, and terms relating to crime, pornography, and religion.
According to Citizen Lab, MY2022 contains code that references this censorship word list, but that code is not active in the current version of the app. However, it is unclear whether the feature has been completely removed or merely switched off. 'illegalwords.txt' has been published on GitHub and can be viewed from this link.
Citizen Lab reported the results of this analysis to the Beijing Olympic Games Organizing Committee in December 2021 but did not receive a response. Meanwhile, the International Olympic Committee (IOC) told the news outlet Axios that 'two independent third-party assessments of the app found that it contained no serious vulnerabilities' and that 'we have requested further reports to better understand Citizen Lab's concerns.'