Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
-
Cummins hails teen wonder Sooryavanshi as 'my new favourite player'
-
New fighting in Mali's Kidal between army and rebels
-
Chernobyl refugee town welcomes Ukraine's conflict displaced
-
World leaders react to Washington gala shooting
-
Zelensky accuses Russia of 'nuclear terrorism' on Chernobyl anniversary
-
Coach says 'glimmer of hope' for imperilled Moana Pasifika
-
'I've studied assassinations': Trump muses on reasons for latest shooting
-
What we know about the Trump press gala shooting
-
Al Ahli made to 'suffer' in winning Asian Champions League: coach
-
India plugs oil gap as Middle East supplies sink
-
Trump evacuated as shooter opens fire at Washington gala
-
'Get down!' Panic and chaos at glitzy media gala
-
Timberwolves' Edwards, DiVincenzo injured in playoff win over Nuggets
-
T'Wolves shake off key injuries to beat Nuggets for 3-1 series lead
-
Japan's Machida had 'mental pressure' in Champions League final loss
-
US Fed set to hold rates steady again on cost hikes from Mideast war
-
Trump evacuated as shooter opens fire at Washington gala event
-
Exiled Tibetans to elect government in vote condemned by China
-
Exiled Tibetans elect government in vote condemned by China
-
Japan inflation cools demand for vending machine drinks
-
Badminton eyes 'next generation' with new scoring system
-
Acid attacks highlight growing danger for Indonesian activists
-
Loud bangs and a Trump evacuation: chaos at correspondents' dinner
-
Shots fired, Trump evacuated unhurt from press dinner in Washington
-
TotalEnergies refinery working full tilt to keep France fuelled
-
Eurovision, venerable institution where art meets politics
-
Rampant Gilgeous-Alexander fuels Thunder, Magic and Knicks win
-
Shots reportedly fired, Trump evacuated from press dinner in Washington
-
East Jerusalem residents anguished as homes demolished to make way for biblical park
-
The rescuers of Khartoum: How to keep a city alive in war
-
Hurricanes lament looming loss of four-try winger Fineanganofo
-
Bomb attack on Colombia highway kills 14 ahead of election
-
Boston Red Sox fire coach Alex Cora
-
Highway bomb attack kills 10 ahead of Colombia election
-
Rampant Gilgeous-Alexander fuels Thunder win, Magic hold off Pistons
-
Korda's lead shrinks to five at LPGA Chevron
-
Favored Renegade draws inside post for Kentucky Derby
-
Barcelona on brink of La Liga triumph, Atletico build confidence
-
Trump cancels Pakistan talks trip, says Iran war on hold
-
Atletico build confidence before Arsenal but Barrios hurt
-
Reiss edges Wiley for Drake title in year's best outdoor mile
-
Swiatek laid low by illness, Sabalenka into Madrid Open last 16
-
Magic hold off Pistons for 2-1 series lead
-
Trump orders new, blue surface for Washington's Reflecting Pool
-
Guardiola hails 'extraordinary' Man City reaction to make FA Cup history
-
Arteta in red card rant after Arsenal regain top spot
-
Jihadists, Tuareg rebels, claim attacks across Mali
-
Cummins back as Hyderabad overcome Sooryavanshi's IPL century
-
Man City late show sinks Southampton to reach FA Cup final
-
PSG shrug off Angers to edge closer to Ligue 1 title
Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws affect SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the usual encryption SSL certificates have, Knockel wrote.
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
Q.Bulbul--SF-PST