Serious Vulnerability Discovered in Beijing Olympics App

The official mobile application of the winter Olympic Games in Beijing was picked apart by security researchers and the discoveries were troubling.

A research team with Canadian Citizen Lab published a post on the MY2022 app and discovered a "devastating" vulnerability. According to the research, the application has a flaw that renders the encryption of data transferred over the app practically null and void.

MY2022 is the official app that has been made obligatory for all participants in the Beijing Olympics, including athletes and accompanying teams and entourage. The app is going to be used by members of the press covering the event as well.

SSL Encryption Flaws

The research team discovered a very significant vulnerability in the method that the application uses to transmit data across devices. The communication itself is encrypted, but the vulnerability allows a potential malicious actor to circumvent that encryption and execute man-in-the-middle attacks, as well as access sensitive information.

The app was found unable to validate SSL certificates. This allows a potential attacker to spoof trusted server communication and make the app connect to a malicious node.

In addition to the poor SSL implementation, researchers discovered that the app was transmitting bits of "sensitive" data without any encryption. This means that any "passive" eavesdropper could tap into this transmission through a wi-fi access point and see the names of message senders and recipients, as well as user account IDs.

No Response from Dev

The team over at Citizen Lab disclosed their findings to the Beijing Organising Committee first, as is customary, with 15 days for a response and 45 days provided for a fix. In late January the app was updated but the research team found the reported issues were still in the latest build and Citizen Lab received no response to their original query.

The research document published by Citizen Lab concludes with strong hints that the MY2022 app doesn't meet the security requirements of either the Google Play Store or the Apple App Store, due to the poor handling of sensitive data and bad security implementation, and as such may be delisted from those app marketplaces.

By Zaib
January 20, 2022
Computer Security
English
January 20, 2022
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

News

A Newly Discovered LTE Vulnerability Makes It Possible to Impersonate Mobile Devices and Their Owners

Onе of the key roles of IT security specialists and researchers nowadays is not only to develop countermeasures to existing threats and attacks but to discover weaknesses in essential IT systems and to take measures... Read more

March 31, 2020
Malware

A Vulnerability in Xiaomi's Guard Provider App Could Expose Devices to Malware

Many people assume that the only thing they need to do to protect their devices is to install some sort of security software. They tend to view anti-malware products as a panacea that can guarantee the safety of their... Read more

April 5, 2019
Scam

Track-app.fun Pop-Ups

Track-app.fun is a misleading and potentially dangerous website. It may show up in your browser while you are looking for pirated media and software to download. In other cases, the Track-app.fun pop-up may appear... Read more

September 8, 2021
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.