The MY2022 app was built by the Beijing Organising Committee mainly to track and share Covid-19-related medical information among the athletes during the Games.
Researchers with Toronto's Citizen Lab project said on Tuesday that MY2022 failed to properly encrypt the transfer of personal data, leaving it vulnerable to hackers.
The researchers found the flaws in the iOS version of the app after creating an account in it.
They were unable to set up an account in the Android version but said the security flaws existed in both versions of MY2022.
The report said MY2022 failed to validate SSL certificates, which are needed to authenticate a website's identity and enable an encrypted connection. Hackers can exploit this failure to transmit the data to malicious sites.
MY2022 transmits non-encrypted data to "tmail.beijing2022.cn".
"Such data can be read by any passive eavesdropper, such as someone in range of an unsecured WiFi access point, someone operating a WiFi hotspot, or an Internet Service Provider or other telecommunications company," the report said.
Citizen Lab said it had informed the Beijing Winter Olympics Organising Committee on December 3 of its security concerns but had not received any response.
The committee did not immediately respond to a Reuters request for comment.
The Winter Olympics are set to begin on February 4. Several countries including the United States, Britain, Japan and Australia have announced diplomatic boycotts of the Games over concerns about human rights in China.