

Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws concern the app's handling of SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is also transmitted without the encryption that SSL normally provides, Knockel wrote.
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
S.Gregor--AMWN