Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst / Photo: ©
-
Ruud keeps Barcelona Open defence on course
-
Trump tariffs could put US Fed in a bind, Powell warns
-
CONCACAF chief rejects 64-team World Cup plan for 2030
-
Putin praises Musk, compares him to Soviet space hero
-
Son to miss Spurs' Europa League trip to Frankfurt
-
US senator in El Salvador seeking release of wrongly deported migrant
-
Trump tariffs could put the US Fed in a bind, Powell warns
-
US judge says 'probable cause' to hold Trump admin in contempt
-
India opposition slams graft charges against Gandhis
-
Nate Bargatze to host Emmys: organizers
-
US Fed Chair warns of 'tension' between employment, inflation goals
-
Trump touts trade talks, China calls out tariff 'blackmail'
-
US judge says 'probable cause' to hold govt in contempt over deportations
-
US eliminates unit countering foreign disinformation
-
Germany sees 'worrying' record dry spell in early 2025
-
Israel says 30 percent of Gaza turned into buffer zone
-
TikTok tests letting users add informative 'Footnotes'
-
Global uncertainty will 'certainly' hit growth: World Bank president
-
EU lists seven 'safe' countries of origin, tightening asylum rules
-
Chelsea fans must 'trust' the process despite blip, says Maresca
-
Rebel rival government in Sudan 'not the answer': UK
-
Prague zoo breeds near-extinct Brazilian mergansers
-
Macron to meet Rubio, Witkoff amid transatlantic tensions
-
WTO chief says 'very concerned' as tariffs cut into global trade
-
Sports bodies have 'no excuses' on trans rules after court ruling: campaigners
-
Zverev joins Shelton in Munich ATP quarters
-
The Trump adviser who wants to rewrite the global financial system
-
US senator travels to El Salvador over wrongly deported migrant
-
UN watchdog chief says Iran 'not far' from nuclear bomb
-
Trump says 'joke' Harvard should be stripped of funds
-
Macron vows punishment for French prison attackers
-
Canada central bank holds interest rate steady amid tariffs chaos
-
Rubio headed to Paris for Ukraine war talks
-
Australian PM vows not to bow to Trump on national interest
-
New attacks target France prison guard cars, home
-
Global trade uncertainty could have 'severe negative consequences': WTO chief
-
Google facing £5 bn UK lawsuit over ad searches: firms
-
Onana to return in goal for Man Utd against Lyon: Amorim
-
Tiktok bans user behind Gisele Pelicot 'starter kit' meme
-
'Put it on': Dutch drive for bike helmets
-
China's Xi meets Malaysian leaders, vows to 'safeguard' Asia allies
-
France urges release of jailed Russian journalists who covered Navalny
-
Gabon striker Boupendza dies after 11th floor fall
-
UK top court rules definition of 'woman' based on sex at birth
-
PSG keep Champions League bid alive, despite old ghosts reappearing
-
Stocks retreat as US hits Nvidia chip export to China
-
China's Xi meets Malaysian leaders in diplomatic charm offensive
-
Israel says no humanitarian aid will enter Gaza
-
Anxiety clouds Easter for West Bank Christians
-
Pocket watch found on Titanic victim to go on sale in UK
NYSE - LSE
Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws affect SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the usual encryption SSL certificates have, Knockel wrote.
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
T.Bondarenko--BTB