Beijing Olympics App Flaws Allow Man-in-the-Middle Attacks
According to a new report from Citizen Lab, attackers can access audio and files uploaded to the MY2022 mobile app, which all Winter Games attendees are required to use. Attackers can even access athletes' health details, according to Citizen Lab. The mobile app focuses on managing communications and documentation at the upcoming Beijing Winter Olympics. The critical flaw centers on the way the app encrypts data, which allows for man-in-the-middle attacks. A successful man-in-the-middle attacker could gain access to sensitive information stored in the app.
MY2022 uses encryption to protect users' voice audio and file transfers. However, this encryption can be sidestepped because of two different vulnerabilities in how the app handles data transport, according to Citizen Lab. Server responses can reportedly be spoofed, allowing an attacker to display fake instructions to users. MY2022 collects sensitive information such as passport details, medical and travel history, demographic information, and more; all of this data is exposed by the flaw. Researchers disclosed the security issues to the Beijing Organizing Committee for the 2022 Olympic and Paralympic Winter Games on December 3, but as of January 18 they had yet to receive a response.