KUALA LUMPUR, Oct 20 — Several MySejahtera users have complained about receiving troll emails from the Covid-19 app’s helpdesk and spam OTP SMS messages, amid exploits of the app’s backend.
MySejahtera users tweeted screenshots of an email they received from [email protected] saying: “You’ve tested positive for covid nahhh, joking. plenty of exploits to show.”
Yesterday, some MySejahtera users also received OTP (one-time password) SMSes from 68088 for MySejahtera check-in registrations.
MySejahtera said in a statement last night, in response to the OTP SMS spam complaints, that the check-in QR registration feature meant for business premises was misused by some malicious scripts to send OTP to random phone numbers.
“Since then, these API endpoints are blocked and a fix to enhance security will be moved tonight. We want to reassure all our users that no user data was accessed by these scripts but random phone numbers were spammed to verify their phone number. We apologise for this inconvenience,” said the MySejahtera team.
MySejahtera, which is owned by the Ministry of Health (MOH), has yet to respond to complaints of spam emails that surfaced this morning on Twitter.
A Lowyat forum thread highlighted code that could be used to instruct MySejahtera to spam OTP messages to users.
“Go ahead and try, the URL is legit anyways. Can use Postman or other tools as well, as long as you send that form-data, it works. These mistakes are worse than interns lol,” wrote one Lowyat member in the forum.
It is currently unknown if MySejahtera’s database — which contains personal information like one’s full name, identity card number, and email address or phone number, as well as Covid-19 vaccination certificate and check-in history at public locations — can be accessed by outsiders.