fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Beijing 2022 Winter Olympics App Bursting with Privacy Risks

Beijing 2022 Winter Olympics App Bursting with Privacy Risks

The official app for Beijing 2022 Winter Olympics, ‘My 2022,’ was found to be insecure when it comes to protecting the sensitive data of its users.

Most importantly, the app’s encryption system carries a significant flaw that enables middle-men to access documents, audio, and files in cleartext form.

‘My 2022’ is also subject to censorship based on a list of keywords and has an unclear privacy policy that doesn’t determine who exactly receives and processes all the sensitive data users have to upload to it.

As such, it is violating Google’s software policy and Apple’s App Store guidelines, yet it is available in both stores. Finally, the app violates China’s own laws regarding privacy protection.

The My 2022 app that all attendees are required to install and use
The My 2022 app that all attendees are required to install and use
Source: Citizen Lab

Requesting everything

In a detailed report by Citizen Lab, researchers analyzed the ‘My 2022’ app for potential privacy and security issues and found that the app collects the following sensitive information:

  • Device identifiers and model
  • Cellular service provider information
  • Installed apps on the device
  • WLAN status
  • Real-time location
  • Audio information
  • Device storage access
  • Location access

This data collection is disclosed in the privacy policy and is required for COVID-19 protection controls, translation services, Weibo integration, and tourism recommendations and navigation.

Also Read: PDPA Compliance for MCST: The importance of hiring a DPO

However, using ‘My 2022’ isn’t optional. All athletes, members of the press, and the audience have to install the app and add their personal information to it.

For domestic users, ‘My 2022’ collects names, national identification numbers, phone numbers, email addresses, profile pictures, and employment information and shares it with the Beijing Organizing Committee for the 2022 Olympics.

For foreigners, ‘My 2022’ collects complete passport information, daily health status, COVID-19 vaccination status, demographic data, and which organization they work for.

Insecure communications

Even more concerning are flaws in the app’s SSL-based encryption that allows rogue connections due to certification validation issues.

According to the findings of Citizen Lab, an attacker may spoof at least five servers and intercept data sent from the app, tricking it into seeing a malicious host as trusted.

As such, all of the sensitive data described in the previous section can be collected by third parties that are out of the Chinese government’s control.

In addition to the server spoofing problem, the analysts found transmitted data is not always encrypted, so some transmissions containing sensitive metadata could be intercepted and read in plaintext form via simple network packet eavesdropping.

Disclosure and response

The severe privacy and security risks discovered by Citizen Labs were reported to the Beijing Organizing Committee for the 2022 Olympic and Paralympic Winter Games on December 3, 2021.

Also Read: The importance of penetration testing for businesses

As of today (January 18, 2022), nobody has responded, so the researchers publicly disclosed the flaws.

Yesterday, the app developers released the ‘My 2022’ version 2.0.5, and upon a new round of analysis, it was determined that the reported issues still remain unresolved.

On the question of whether China placed the flaws in the app intentionally, Citizen Labs finds that highly unlikely, considering that the recipient of the data is the Chinese state, and there’s no incentive to create additional backdoors for anyone else.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us