Updated January 19th, 2022 at 09:43 IST

Beijing Olympics App 'My2022' has 'devastating' security flaws, says Canada's Citizen Lab

Canadian researchers detected spyware, which they stated was a "simple but devastating" flaw in the ‘MY2022’ app developed by Beijing Financial Holdings Group.

Reported by: Zaini Majeed

Researchers at a Toronto-based tech laboratory on Tuesday discovered security vulnerabilities and censorship frameworks in an app related to the 2022 Beijing Olympic Games, scheduled for the upcoming month of February. Canadian researchers detected spyware, which they stated was a "simple but devastating" flaw in the ‘MY2022’ app developed by Beijing Financial Holdings Group. The vulnerability leaves audio files, as well as health and customs forms that transmit passport details and medical and travel history for the players, insecure and at risk of being compromised. The app is vulnerable to hackers, the researchers found, according to the Canadian broadcaster CBC.

The lab also found that MY2022 did not validate some SSL certificates, the digital infrastructure that uses encryption to secure apps. This also posed a threat to security, as it could allow unauthorised people to access information while it is being transmitted to the server. The vulnerability was found at the Citizen Lab, an institute at the University of Toronto's Munk School of Global Affairs and Public Policy.

Details to be accessed by Beijing 2022, International Olympic and Paralympic committees

The app is designed to perform various other functions, such as GPS navigation; text, video, and audio chat; file transfer; and news and weather updates. It remains unclear with whom the sensitive medical information and personal details would be shared once they are entered in the app. But it is being assumed that the details will be accessed by Beijing 2022, International Olympic and Paralympic committees, Chinese authorities, and "others involved in the implementation of the [COVID-19] countermeasures."

“This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users,” reports CBC. 

Meanwhile, Knockel, a research associate who investigated the app after a journalist who was suspicious of its security functions approached him, told CBC: “The worst-case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details.” He added, “MY2022 outlines several scenarios where it will disclose personal information without user consent, which include but are not limited to national security matters, public health incidents, and criminal investigations.”

The Olympics organisers had asked all Games attendees, including athletes, spectators, and media members, to download and start using the MY2022 app and to enter all their information in it, including health and customs information such as COVID-19 test results and vaccination status. It remains unclear if they had sought court orders to gain access to this information and who will be eligible to receive the data.


Published January 19th, 2022 at 07:24 IST