World Cup fever has arrived, and those attending in person in Qatar will be urged to download the Ehteraz and Hayya applications. The official World Cup app, Hayya, lets users manage match tickets and use the free Metro in Qatar. Ehteraz is a Covid-19 tracking app. Both apps request several permissions that would grant access to sensitive data, which has raised questions about them.
Due to major privacy issues, security professionals and authorities are advising World Cup participants not to download Qatar’s World Cup applications for tourists.
The German Federal Data Protection Authority issued the warning, claiming in a statement that the two applications that users are being urged to download go considerably further than the privacy statements on the apps suggest.
One of the two applications, Ehteraz, tracks phone calls while the other, Hayya, stops the device it is put on from going to sleep. The information obtained by the applications is sent to a centralized server in addition to staying locally on the device.
The Norwegian Data Protection Authority went further, categorizing the Ehteraz app as “infection tracking software” that may access personal information on users’ phones. The authority states that it is unsure of the true functions of these applications or the intended uses of the users’ personal information.
The delegates are advised not to download the applications, or to bring a second burner phone on which they may be loaded in case Qatari officials demand that they do so once they are in the country.
Comments from Travis Biehn, Principal Security Consultant at Synopsys Software Integrity Group
“Several reports have warned of the security and privacy risks of installing the official 2022 World Cup apps. Citing privacy concerns, details are emerging about potentially dangerous permissions these applications request, and where they send the data they collect from mobile devices. The Synopsys Cybersecurity Research Center (CyRC) has analyzed two of these applications and found that they also may be susceptible to attacks through their vulnerable open source software components.”
“For instance, the COVID contact tracing app, “EHTERAZ 12.4.7,” contained at least eight outdated software components that themselves contain serious security flaws, including 13 critical severity vulnerabilities and 20 high severity vulnerabilities. The most problematic software components are old versions of message processing libraries like GSON and Expat, which contain serious memory corruption vulnerabilities. These components are likely used for processing messages from the application’s back-end server, as well as image processing libraries libpng and libjpeg-turbo.”
“It is likely that an attacker would have to go to great lengths to exploit these vulnerabilities, but they would also be able to access the same sensitive data that has many privacy advocates sounding the alarm about these apps in the first place.”
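The kind of finding CyRC describes above, outdated open source components carrying known critical and high severity flaws, comes from software composition analysis: inventory every bundled component with its version, then match that inventory against an advisory database. The following is an added example written for this article, not Synopsys or CyRC tooling and not code from either app. The component versions, advisory identifiers, fix versions and severities are constructed placeholders chosen only to exercise the check; the real advisories and versions for EHTERAZ 12.4.7 are not on this page.

```python
"""Minimal software composition check over a constructed component inventory.

Added example for illustration. All versions, advisory ids and severities
below are constructed placeholders, not real vulnerability data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, deliberately not a real CVE number
    component: str     # component name as it appears in the inventory
    fixed_in: str      # first version that contains the fix (constructed)
    severity: str      # "critical", "high", "medium" or "low"


def parse_version(version: str) -> tuple:
    """Turn '1.6.37' into (1, 6, 37) so versions compare numerically.

    Non-numeric suffixes such as '2.4.1-r2' are ignored; missing pieces
    count as zero, so '2.1' and '2.1.0' compare equal.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the fixed version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so (2, 1) == (2, 1, 0)
    b += (0,) * (width - len(b))
    return a < b


def scan(inventory: Dict[str, str], advisories: List[Advisory]) -> Dict[str, object]:
    """Match an inventory {component: version} against advisories.

    Returns the individual findings, counts per severity, and the set of
    components that need upgrading (one component may match several advisories).
    """
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and is_affected(installed, adv.fixed_in):
            findings.append({
                "advisory": adv.advisory_id,
                "component": adv.component,
                "installed": installed,
                "fixed_in": adv.fixed_in,
                "severity": adv.severity,
            })
    by_severity = Counter(f["severity"] for f in findings)
    outdated = sorted({f["component"] for f in findings})
    return {"findings": findings, "by_severity": dict(by_severity), "outdated_components": outdated}


# Constructed inventory: library names follow the article, versions are made up.
SAMPLE_INVENTORY = {
    "gson": "2.2.0",
    "expat": "2.1.0",
    "libpng": "1.6.20",
    "libjpeg-turbo": "1.4.0",
    "example-lib": "1.2.0",   # hypothetical component that is already patched
}

# Constructed advisories with placeholder ids and fix versions.
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "gson", "2.8.9", "critical"),
    Advisory("ADV-EXAMPLE-2", "expat", "2.4.1", "critical"),
    Advisory("ADV-EXAMPLE-3", "expat", "2.2.0", "high"),
    Advisory("ADV-EXAMPLE-4", "libpng", "1.6.37", "high"),
    Advisory("ADV-EXAMPLE-5", "libjpeg-turbo", "2.0.0", "high"),
    Advisory("ADV-EXAMPLE-6", "example-lib", "1.1.0", "critical"),
]


def demo_report() -> Dict[str, object]:
    """Run the scan over the constructed sample data."""
    return scan(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    report = demo_report()
    for f in report["findings"]:
        print(f"{f['severity']:8} {f['component']} {f['installed']} -> fix in {f['fixed_in']} ({f['advisory']})")
    print("by severity:", report["by_severity"])
    print("upgrade:", ", ".join(report["outdated_components"]))
```

In practice the inventory comes from the app's build metadata or from unpacking the APK and fingerprinting the bundled native libraries, and the advisory list from a maintained vulnerability database; the matching and severity roll-up shown here is the part that turns that data into the "eight components, 13 critical, 20 high" style of summary quoted above.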