- Report: Cross-Country Exposure: Analysis of the MY2022 Olympics App
- Date Published: January 18, 2022
- MY2022 (冬奥通)
- iOS version 2.0.0
- Android version 2.0.1
MY2022 fails to validate SSL certificates, allowing an attacker to spoof trusted servers by interfering with the communication between the app and these servers.
The application can be deceived into connecting to a malicious host as if it were a trusted one. This allows transmitted information to be intercepted and the app to display spoofed content as if it was from a trusted host.
- December 3, 2021 - Vendor notified.
- January 17 2022 - Version 2.0.5 of the iOS version of MY2022 to Apple’s App Store. We analyzed it to see if the vulnerabilities we reported were fixed. However, we found that the issues we reported had not been resolved. Additionally, the app introduced a new feature called “Green Health Code” whose data transmissions were similarly vulnerable in that these transmissions were also instrumented using an SSL implementation that failed to validate SSL certificates.
- January 18 2022 - Report published.
- January 19 2022 - The vendor responded and requested additional information.
- January 19 2022 - We responded to vendor’s January 19 2022 email and provided additional information.
- January 20 2022 - The vendor confirmed receipt of our additional information and indicated they would contact us if they required additional information.
- January 29 2022 - We analyzed version 2.0.7 of the iOS version of MY2022, finding that the reported vulnerabilities were fixed.