MySejahtera exploits used to spam users with SMS texts and emails
MySejahtera, Malaysia’s main contact-tracing app, apparently has an exploitable flaw in its One-Time Password (OTP) SMS and email flow. While we haven’t gotten an example of it ourselves, users have been reporting that they are receiving MySejahtera OTP SMSes at random times, even when they never requested one. Some of these people have also received emails from “[email protected]”.
Just realised we have been getting these emails since Sunday, complete with Rickrolls 😂 pic.twitter.com/0dQSOL5zws
— Zurairi A.R. (@zurairi) October 20, 2021
Some users even received emails informing them that they had tested positive for COVID-19, although the spammers were kind enough to add that it was just a prank. I can imagine that it would cause quite a lot of panic. The API loophole is further detailed by Phakorn Kiong, who stumbled upon it while trying to apply for a digital certificate after getting his COVID-19 vaccine overseas.
MySejahtera: Your data is safe
According to the MySejahtera team, the check-in QR registration feature was misused with “malicious scripts” to send out the OTP messages to mobile numbers. They assured users that their data is not accessible to these scripts; the targets were simply random phone numbers being spammed. I guess if you got one, you are “lucky”, in a way.
The API endpoints that led to these exploits have apparently been blocked, and fixes to enhance security will be implemented tonight.
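The article does not say what the actual fix was, so the following is an added example, not MySejahtera’s code: a server-side throttle for an OTP-sending endpoint, which is the kind of control that stops a script from triggering OTP SMS or email to arbitrary recipients. The class name, the limits, the in-memory store and the phone numbers are all constructed for illustration; a real deployment would keep the counters in a shared store and tie the send to a server-issued registration session as well.

```python
from collections import defaultdict, deque


class OtpRequestThrottle:
    """Decide whether an OTP send request should go out (constructed example).

    Limits (constructed defaults, tune per deployment):
      - cooldown:      seconds before the same recipient may get another OTP
      - recipient_max: OTPs per recipient per sliding window
      - client_max:    OTPs per requesting client (IP / API key) per window
    """

    def __init__(self, cooldown=60, recipient_max=5, client_max=20, window=3600):
        self.cooldown = cooldown
        self.recipient_max = recipient_max
        self.client_max = client_max
        self.window = window
        self._by_recipient = defaultdict(deque)  # recipient -> send timestamps
        self._by_client = defaultdict(deque)     # client    -> send timestamps
        self.denials = defaultdict(int)          # reason -> count, for alerting

    def _prune(self, q, now):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, recipient, client, now):
        """Return (allowed, reason). A send is recorded only when allowed."""
        rq = self._by_recipient[recipient]
        cq = self._by_client[client]
        self._prune(rq, now)
        self._prune(cq, now)
        if rq and now - rq[-1] < self.cooldown:
            reason = "recipient_cooldown"       # same number hit again too soon
        elif len(rq) >= self.recipient_max:
            reason = "recipient_window_limit"   # one number getting too many OTPs
        elif len(cq) >= self.client_max:
            reason = "client_window_limit"      # one client spraying many numbers
        else:
            rq.append(now)
            cq.append(now)
            return True, "ok"
        self.denials[reason] += 1
        return False, reason


def simulate_spam_script(throttle, recipients, client, start=0.0):
    """Constructed scenario: one client fires OTP requests at many numbers,
    one every 100 ms. Returns the allow/deny decision for each request."""
    results = []
    t = start
    for r in recipients:
        results.append(throttle.allow(r, client, t)[0])
        t += 0.1
    return results


if __name__ == "__main__":
    throttle = OtpRequestThrottle()
    numbers = ["+601000%05d" % i for i in range(25)]  # constructed placeholders
    decisions = simulate_spam_script(throttle, numbers, "203.0.113.5")
    print("allowed:", decisions.count(True), "denied:", decisions.count(False))
    print("denial counts:", dict(throttle.denials))
```

The `denials` counter is there for the detection side: a sudden spike in `client_window_limit` denials from one client is exactly the signal that a script is spraying OTPs, and is worth alerting on before users start tweeting about it.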
Pokdepinion: Well at least the user data in MySejahtera wasn’t leaked out… Still, it probably would have made my heart skip a beat.