Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
-
Koeman steps down as Netherlands coach after World Cup exit
-
Valiant Serena beaten on Wimbledon return, Swiatek survives scare
-
Nasdaq ends best quarter in 6 years as yen extends drop against dollar
-
Serena beaten at Wimbledon in first singles match in four years
-
Zverev says Wimbledon hopes 'about me' despite open draw
-
Dutch football chiefs condemn online racism after World Cup exit
-
Lionel Scaloni: Argentina's mastermind marks 100 games in charge
-
Police hunt for Monaco bomber after Ukraine-born tycoon wounded
-
Mourinho's Real Madrid host Real Sociedad in La Liga opener
-
CIA boss compares cutting-edge AI to nuclear weapons
-
Football brings joy to Venezuelan kids displaced by quakes
-
'Any team can beat you', warns Ruiz as Spain seek end to World Cup woe
-
Haaland fires Norway into last 16 as France, Mexico look to advance
-
Venezuela quake survivors seek food, shelter as toll rises to nearly 2,000
-
Merkel unveils official portrait for German chancellery
-
Haaland scores winner to send Norway into last-16 Brazil clash
-
Canada crews battle northern wildfire after crash kills 3
-
US Treasury sanctions target alleged drug cartel-linked fuel smuggling ring
-
Portugal's Silva bides his time after being benched at World Cup
-
LeBron James to leave Lakers to play 24th NBA season
-
US stars relish soccer's primetime moment against Bosnia
-
Zverev wins in four sets to reach Wimbledon round two
-
Lampard extends Coventry stay after promotion to Premier League
-
Grimaldo realises goal of Atletico Madrid move from Leverkusen
-
Djokovic, Sinner aim to step up Wimbledon title chase
-
US Supreme Court lifts campaign spending restrictions ahead of midterms
-
Brook ready for "great honour" of succeeding Stokes as Test skipper
-
LeBron James to leave Lakers to play 24th NBA career
-
Taps run dry in Hungarian village as heatwave bites
-
Tens of millions swelter as heat wave blasts US
-
Venezuela quake survivors seek food, shelter amid risk of disease outbreaks
-
US Supreme Court rejects Trump bid to limit birthright citizenship
-
LeBron James to leave Lakers, continue NBA career - media reports
-
Gardner stars as Australia thrash the West Indies in Women's T20 World Cup semi-final
-
'Where is she?' The desperate search for Venezuela's missing
-
Former Barca teen star Fati seals permanent Monaco switch
-
No business as usual after shock World Cup exit, say German FA
-
German rail regulator backs Italian firm in competition spat
-
Pope appeals to Catholic traditionalists to avoid schism
-
Ancelotti shows Brazil his worth at World Cup but concerns remain
-
US Supreme Court upholds transgender sports bans
-
Stocks rise, yen at 40-year low against dollar
-
US Supreme Court rejects Trump bid to restrict birthright citizenship
-
Australia hold West Indies to 125-7 in World Cup semi-final
-
Serena set for remarkable Wimbledon return, Swiatek survives scare
-
Defending champ Swiatek survives scare to reach Wimbledon second round
-
Africa EV firm Spiro accused of torturing Uganda employees
-
US Supreme Court upholds state bans on transgender athletes in school
-
PSG's Portugal forward Ramos signs five-year AC Milan deal
-
Tourists soldier on in Rome despite heatwave
Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws affect SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the usual encryption SSL certificates have, Knockel wrote.
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
Q.Bulbul--SF-PST