Beijing Olympics App Flaws Allow Man-in-the-Middle Attacks
2022-01-19 13:36

The mobile app that all attendees and athletes of the upcoming Beijing Winter Olympics must use to manage communications and documentation at the event has a "devastating" flaw in the way it encrypts data, one that can allow man-in-the-middle attacks that access sensitive user information, researchers have found.

MY2022 is an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, including members of the press and athletes.

Citizen Lab researchers also inspected a Jan. 17 release of version 2.0.5 of MY2022 for iOS to Apple's App Store, finding that the issues reported still had not been resolved, Knockel wrote.

"This failure to validate means the app can be deceived into connecting to a malicious host while believing it is a trusted host, allowing information that the app transmits to servers to be intercepted and allowing the app to display spoofed content that appears to originate from trusted servers," Knockel wrote.

Researchers believe the app's flaws may not only violate Google's Unwanted Software Policy and Apple's App Store guidelines but also China's own laws and national standards pertaining to privacy protection, they said.

"Mobile users frequently assume that they are safe either because of app store policies, or because they have consented to terms of service - but third parties are not carefully checked by app reviewers, and they are rarely monitored for safety."


News URL

https://threatpost.com/beijing-olympics-app-flaws-allow-man-in-the-middle-attacks/177748/