(New York) Canadian research lab Citizen Lab has identified several security flaws in the app that all participants in the Beijing Winter Olympics must download and use, according to a study published Tuesday.
Posted at 11:34 a.m.
According to Citizen Lab's findings, the MY2022 app has two major flaws. The app was created and is managed by Beijing Financial Holdings Group (BFHG), a subsidiary of the city of Beijing, for the Games that will open on February 4.
China is notorious for undermining encryption technologies in order to exercise political censorship and surveillance. Therefore, it is reasonable to wonder if the data encryption of this app was not deliberately sabotaged for monitoring purposes or if it was the result of developers’ negligence.
Study author Jeffrey Knockel of Citizen Lab.
The first flaw relates to so-called SSL certificates, which allow two entities to communicate securely over the Internet.
According to Citizen Lab, which is based at the University of Toronto in Canada, MY2022 does not validate the SSL certificates presented to it, which means that unrecognized entities can access the application data.
No response from the Chinese authorities
The second flaw is that some information is sent without proper encryption, which SSL would usually provide, making it more vulnerable to interception.
The app collects personal data from foreign users of the platform, such as passport number, organization and country of origin, as well as vaccination status and COVID-19 test results.
Citizen Lab notes that it flagged the flaws to Chinese authorities in early December, asking them to respond within 15 days and to address the flaws within 45. But when the lab's deadline expired, Beijing had not responded to the request.
Pre-programmed for control
During its work, Citizen Lab says it also identified a file called “legalwords.txt” listing terms, many of which are “politically sensitive,” according to the study. Among them are the terms “CCP evil” (CCP standing for the Chinese Communist Party) and “Xi Jinping,” the name of the Chinese president.
Although the app includes lines of code to censor these terms, they are not active as is, according to Citizen Lab.