MySejahtera exploits used to spam users with SMS texts and emails

Vyncent Chan

MySejahtera, Malaysia’s main contact-tracing app, apparently has an exploitable flaw in its One-Time Password (OTP) SMS and email flow. While we haven’t obtained an example of it ourselves, users have been reporting that they receive MySejahtera OTP SMSes at random times, even when they never requested one. Some of these people have also received emails from “[email protected]”.

Some users even received emails informing them that they had tested positive for COVID-19, although the spammers were kind enough to note that it was just a prank. I can imagine that it would cause quite a lot of panic. The API loophole is further detailed by Phakorn Kiong, who stumbled upon it while trying to apply for a digital certificate after getting his COVID-19 vaccine overseas.

MySejahtera: Your data is safe

MySejahtera exploit, source: Phakorn Kiong

According to the MySejahtera team, the check-in QR registration feature was misused with “malicious scripts” to send OTP messages to arbitrary mobile numbers. They assured users that these scripts could not access user data; the scripts were simply spamming random phone numbers. I guess if you got one, you are “lucky”, in a way.

The API endpoints behind the exploit have apparently been blocked, and fixes to enhance security will be implemented tonight.
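The underlying problem the MySejahtera team describes is a generic one: an OTP-sending endpoint that will fire a message at any number a caller supplies, with no cap on how many numbers one caller may target. The following is an added defensive illustration, not MySejahtera’s code and not part of Phakorn Kiong’s write-up: a sliding-window rate limiter keyed on both the destination number and the requesting source, plus a log sweep that flags a single source fanning OTPs out to many distinct numbers. The class and function names, the limits, the IP addresses and the request log are all constructed assumptions for the example.

```python
"""
Added example (not MySejahtera's code): throttling and detection for an
OTP-request endpoint. Every name, limit, address and log entry below is a
constructed assumption for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class OtpRateLimiter:
    """Sliding-window limiter keyed on destination number and on source IP."""
    # Assumed limits: a phone number should rarely need more than 3 OTPs in
    # 10 minutes, and one source IP has little reason to request OTPs for
    # more than 5 different accounts in that time.
    per_dest_limit: int = 3
    per_source_limit: int = 5
    window_seconds: int = 600
    _dest: dict = field(default_factory=lambda: defaultdict(deque))
    _source: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, queue, now):
        # Drop timestamps that have fallen out of the window.
        while queue and now - queue[0] >= self.window_seconds:
            queue.popleft()

    def allow(self, now, source_ip, destination):
        """Return True if an OTP may be sent now, False if the request is throttled."""
        dq, sq = self._dest[destination], self._source[source_ip]
        self._prune(dq, now)
        self._prune(sq, now)
        if len(dq) >= self.per_dest_limit or len(sq) >= self.per_source_limit:
            return False  # throttled: nothing is recorded for a refused request
        dq.append(now)
        sq.append(now)
        return True


# Constructed OTP-request events: (unix_ts, source_ip, destination). Not real traffic.
SAMPLE_EVENTS = [
    # One script from 203.0.113.5 requesting OTPs for 12 different numbers in 12 s.
    *[(10 + i, "203.0.113.5", f"+6012000{i:04d}") for i in range(12)],
    (15, "198.51.100.7", "+60131234567"),   # an ordinary single sign-in
    (400, "198.51.100.7", "+60131234567"),  # the same user retrying later
]


def replay(events, limiter=None):
    """Run events through the limiter in time order; return (allowed, blocked) counts."""
    limiter = limiter or OtpRateLimiter()
    allowed = blocked = 0
    for ts, ip, dest in sorted(events):
        if limiter.allow(ts, ip, dest):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def flag_fanout_sources(events, window_seconds=600, distinct_threshold=10):
    """Detection sweep for existing logs: return the set of source IPs that requested
    OTPs for more than `distinct_threshold` distinct destinations inside any
    `window_seconds` span. A legitimate client targets its own number, not many."""
    flagged = set()
    recent = defaultdict(deque)  # source_ip -> deque of (ts, destination)
    for ts, ip, dest in sorted(events):
        q = recent[ip]
        while q and ts - q[0][0] >= window_seconds:
            q.popleft()
        q.append((ts, dest))
        if len({d for _, d in q}) > distinct_threshold:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    print("allowed/blocked:", replay(SAMPLE_EVENTS))        # (7, 7)
    print("fan-out sources:", flag_fanout_sources(SAMPLE_EVENTS))  # {'203.0.113.5'}
```

Two points are worth noting from the run. The per-source limit stops the constructed script after its fifth number, while the genuine user's two requests go through untouched; and the log sweep catches the same source after the fact by the only signal it needs, many distinct destinations from one origin. Neither control requires knowing anything about the victims, which is why they suit an endpoint that, by design, is reachable before the caller has authenticated.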


Pokdepinion: Well at least the user data in MySejahtera wasn’t leaked out… Still, it probably would have made my heart skip a beat.
