MySejahtera exploits used to spam users with SMS texts and emails

by Vyncent Chan, October 20, 2021

MySejahtera, Malaysia’s main contact-tracing app, apparently has an exploitable weakness in the way it sends One-Time Password (OTP) SMSes and emails. While we haven’t gotten an example of it ourselves, users have been reporting that they receive MySejahtera OTP SMSes at random times, even when they never requested one. Some of them have also received emails from “[email protected]”.

Some users even received emails informing them that they had tested positive for COVID-19, although the spammers were kind enough to add that it was just a prank. I can imagine that it would cause quite a lot of panic. The API loophole is further detailed by Phakorn Kiong, who stumbled upon it while trying to apply for a digital certificate after getting his COVID-19 vaccine overseas.

MySejahtera: Your data is safe

[Image: MySejahtera exploit OTP SMS, source: Phakorn Kiong]

According to the MySejahtera team, the check-in QR registration feature was misused with “malicious scripts” to send OTP messages to mobile numbers. They assured users that no user data is accessible to these scripts; the affected numbers were simply random phone numbers being spammed. I guess if you got one, you are “lucky”, in a way.

The API endpoints that led to these exploits have apparently been blocked, and fixes to enhance security will be implemented tonight.
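The pattern described above, an OTP-sending API that any script can call against any phone number, is a generic one, and the usual fix is to throttle the send, not the login. The following is an added illustration written for this article; it is not MySejahtera’s code and makes no claim about how their endpoint actually worked. The phone numbers, the SMS gateway stand-in, the fixed clock and the limits (a 60-second cooldown, three sends per number per hour, ten sends per caller per hour) are all constructed for the example.

```python
"""Added example: an OTP-request endpoint that can be abused as an SMS spammer,
beside a throttled version. Not MySejahtera code; all data here is constructed."""
import time
from collections import defaultdict, deque

OTP_TEXT = "Your OTP is 123456"  # constructed placeholder; a real service mints a fresh code per request
WINDOW_S = 3600                   # length of the per-number / per-caller counting window


class SmsGateway:
    """Constructed stand-in for an SMS provider: records what would have been sent."""

    def __init__(self):
        self.sent = []

    def send(self, number, text):
        self.sent.append((number, text))


class NaiveOtpEndpoint:
    """Weak version: any caller can trigger an OTP to any number, as often as it likes.
    That single property is all an SMS-spamming script needs."""

    def __init__(self, gateway):
        self.gateway = gateway

    def request_otp(self, number, caller_id):
        self.gateway.send(number, OTP_TEXT)
        return "ok"


class ThrottledOtpEndpoint:
    """Hardened version: a cooldown and an hourly cap per destination number,
    plus an hourly cap per caller (API key, session or client IP)."""

    def __init__(self, gateway, cooldown_s=60, per_number_hourly=3,
                 per_caller_hourly=10, clock=time.monotonic):
        self.gateway = gateway
        self.cooldown_s = cooldown_s
        self.per_number_hourly = per_number_hourly
        self.per_caller_hourly = per_caller_hourly
        self.clock = clock
        self.by_number = defaultdict(deque)  # number -> timestamps of sends in the window
        self.by_caller = defaultdict(deque)  # caller -> timestamps of sends in the window
        self.dropped = 0                     # requests refused (worth alerting on)

    @staticmethod
    def _prune(stamps, now):
        while stamps and now - stamps[0] >= WINDOW_S:
            stamps.popleft()

    def request_otp(self, number, caller_id):
        now = self.clock()
        n, c = self.by_number[number], self.by_caller[caller_id]
        self._prune(n, now)
        self._prune(c, now)
        allowed = (
            (not n or now - n[-1] >= self.cooldown_s)
            and len(n) < self.per_number_hourly
            and len(c) < self.per_caller_hourly
        )
        if allowed:
            n.append(now)
            c.append(now)
            self.gateway.send(number, OTP_TEXT)
        else:
            self.dropped += 1
        # Identical response whether or not an SMS went out, so the endpoint cannot be
        # used to learn which numbers are registered or when a cap was reached.
        return "ok"


class FakeClock:
    """Deterministic clock for the simulation: advances a fixed step on every read."""

    def __init__(self, step_s):
        self.t = 0.0
        self.step_s = step_s

    def __call__(self):
        now = self.t
        self.t += self.step_s
        return now


def simulate_bomb(endpoint, target, caller_id, attempts):
    """One script hammering one number. Returns (SMS actually sent, set of responses seen)."""
    before = len(endpoint.gateway.sent)
    responses = {endpoint.request_otp(target, caller_id) for _ in range(attempts)}
    return len(endpoint.gateway.sent) - before, responses


def simulate_spray(endpoint, caller_id, numbers):
    """One script hitting many different numbers once each. Returns SMS actually sent."""
    before = len(endpoint.gateway.sent)
    for num in numbers:
        endpoint.request_otp(num, caller_id)
    return len(endpoint.gateway.sent) - before


if __name__ == "__main__":
    target = "+60100000000"  # constructed number
    naive = NaiveOtpEndpoint(SmsGateway())
    print("naive, 20 attempts, SMS sent:", simulate_bomb(naive, target, "script-1", 20)[0])
    throttled = ThrottledOtpEndpoint(SmsGateway(), clock=FakeClock(30.0))
    print("throttled, 20 attempts, SMS sent:", simulate_bomb(throttled, target, "script-1", 20)[0])
```

With the constructed clock ticking 30 seconds per request, twenty attempts against one number get all twenty SMSes through the naive endpoint but only three through the throttled one, and spraying fifty different numbers from one caller is cut off at ten. The `dropped` counter is the signal a SOC would want on a dashboard: a spike there is exactly the “malicious scripts” scenario the MySejahtera team described.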


Pokdepinion: Well at least the user data in MySejahtera wasn’t leaked out… Still, it probably would have made my heart skip a beat.

About The Author
Vyncent Chan
Technology enthusiast, casual gamer, pharmacy graduate. Strongly opposes proprietary standards and always on the look out for incredible bang-for-buck.