Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws affect SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the encryption that SSL normally provides, Knockel wrote.
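The two failure modes described above (certificates not authenticated, and data sent without encryption) can be checked for in a client's configuration. The following Python sketch is an added illustration, not code from MY2022 or from the Citizen Lab report; the function names and the `example.invalid` endpoints are constructed for the example.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample endpoints (not taken from the app): one HTTPS, one plaintext.
SAMPLE_ENDPOINTS = [
    "https://health.example.invalid/api/report",
    "http://media.example.invalid/upload",
]


def weak_context():
    """TLS client context with certificate authentication switched off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def hardened_context():
    """TLS client context that authenticates the server certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client(endpoints, ctx):
    """Return (finding, detail) pairs for a client's endpoints and TLS context."""
    findings = []
    for url in endpoints:
        # Anything other than https travels without transport encryption.
        if urlsplit(url).scheme.lower() != "https":
            findings.append(("plaintext-transport", url))
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(("certificate-chain-not-verified",
                         "verify_mode=" + ctx.verify_mode.name))
    if not ctx.check_hostname:
        findings.append(("hostname-not-checked", "check_hostname=False"))
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_client(SAMPLE_ENDPOINTS, ctx))
```
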
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
Q.Bulbul--SF-PST