MySejahtera exploits revealed, users getting spam texts and emails

[ UPDATE 21/10/2021 ] The MySejahtera team has since issued further clarification on the matter, stating that no user data had been compromised. Instead, their API had been misused, and they’ve since taken necessary action to prevent further spam messages. You can read more about it here.

===

If you’re currently living in Malaysia, you’d know by now that the MySejahtera app is a must-have for every single one of us. We use it to track where we go, and it is a crucial part of the government’s effort to detect and report new cases of COVID-19, as well as to alert those who may have been in contact with positive cases.

As such, it’s pretty alarming to hear that Malaysians have been getting text messages supposedly from MySejahtera at odd times. It was first reported that users were getting unsolicited OTP SMSs, stating that they’ve received an OTP number for a MySejahtera registration.

A quick look at some local forums shows a thread where a user had posted a script, with instructions, for making the MySejahtera website send out these OTP messages to any number they wish. The MySejahtera team has since revealed that its QR registration feature, which lets people check in to a location, has been misused by bad actors, who would use ‘malicious scripts’ to spam out these OTPs to mobile numbers.

They also say that they’ve since resolved the issue by blocking off the API endpoints being abused, and that no user data was compromised. Instead, these bad actors had been entering random phone numbers into the script to send out the text messages.

If that wasn’t concerning enough, it seems as though email addresses have also been compromised. Users were reporting emails from the address ‘donotreply@mysejahtera.org’, with both their email and username laid out in full. It also included the message “You’ve tested positive for covid nahh, joking. plenty of exploits to show”. We at SoyaCincau also got this email, but get this, it was sent to one of our company emails, which has never been used to register for a MySejahtera account.

We weren’t the only ones to receive these emails though, as many more Twitter users are also reporting similar emails. Not all of them are in the same vein though, as some also highlighted getting emails with a RickRoll reference in them too.

Here’s where we digress a bit. We found an article on Medium, published a few days ago by one Phakorn Kiong, who claims to have used the MySejahtera app for roughly 2 months last year. According to him, after finding out that MySejahtera allowed those who received their COVID-19 jabs abroad to apply for a digital certificate via the MySejahtera helpdesk, he tried out the feature and followed the instructions given.

However, he ran into an error page, and so he looked through the MySejahtera website’s code and found that there were some mistakes in it. He decided to sign up for the digital certificate anyway, bypassing the error page altogether. Kiong achieved this by submitting his request directly via the API endpoint. Upon submitting his request that way, he received an auto-generated email that confirmed his details.

Kiong would then find out a few more quirks with the MySejahtera website. For one, because all the information that you submit in a request was saved as an HTML string before being sent back to you as an email, you could technically abuse it to get the MySejahtera helpdesk to send an email to any email address that you used during the request submission. It required no authentication token and had no rate limit imposed on it too. Incidentally, his example also included the same RickRoll reference as the one sent to others.
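The two weaknesses described above, an endpoint that asks for no authentication token and imposes no rate limit, and user-submitted fields dropped straight into an HTML email body, are exactly what a hardened notification endpoint is built to close. The block below is an added illustration written for this page; it is not MySejahtera’s code or Kiong’s script, and the class names, token scheme, limits, client identifier and phone number are all constructed for the example.

```python
import html
import time
from collections import defaultdict, deque

# Constructed policy values for the example (not MySejahtera's real limits).
PER_DESTINATION_LIMIT = 3   # messages to one phone number / email address per window
PER_CLIENT_LIMIT = 10       # requests from one client (IP or account) per window
WINDOW_SECONDS = 3600


class RateLimiter:
    """Sliding-window counter keyed by any string (destination, client IP, account id)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)

    def allow(self, key, now=None):
        now = self.clock() if now is None else now
        q = self._events[key]
        # Forget timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class NotificationGateway:
    """Hypothetical hardened front for an OTP-SMS / helpdesk-email endpoint."""

    def __init__(self, valid_tokens, clock=time.monotonic):
        self.valid_tokens = set(valid_tokens)
        self.per_destination = RateLimiter(PER_DESTINATION_LIMIT, WINDOW_SECONDS, clock)
        self.per_client = RateLimiter(PER_CLIENT_LIMIT, WINDOW_SECONDS, clock)
        self.sent = []  # (destination, body) pairs that would go to the SMS/mail provider

    def request_message(self, token, client_id, destination, user_fields):
        # 1. Require a valid session token: anonymous callers get nothing sent.
        if token not in self.valid_tokens:
            return "rejected: unauthenticated"
        # 2. Throttle per caller and per destination, so one caller cannot spray
        #    many numbers and many callers cannot pile onto one number.
        if not self.per_client.allow(client_id):
            return "rejected: client rate limit"
        if not self.per_destination.allow(destination):
            return "rejected: destination rate limit"
        # 3. Escape every user-controlled field before embedding it in the HTML body,
        #    so the message cannot carry caller-chosen markup or links.
        safe = {k: html.escape(str(v), quote=True) for k, v in user_fields.items()}
        body = "<p>Your request has been received.</p>" + "".join(
            f"<p><b>{html.escape(k)}</b>: {v}</p>" for k, v in safe.items()
        )
        self.sent.append((destination, body))
        return "accepted"


def demo():
    """Run constructed requests through the gateway and return (decisions, sent messages)."""
    clock = [0.0]  # frozen clock so every request lands in one window
    gw = NotificationGateway(valid_tokens={"session-abc"}, clock=lambda: clock[0])
    results = []
    # An unauthenticated caller, which the endpoints in the article reportedly accepted.
    results.append(gw.request_message(None, "203.0.113.5", "+60123456789", {"name": "x"}))
    # An authenticated caller whose field contains markup.
    results.append(gw.request_message("session-abc", "203.0.113.5", "+60123456789",
                                      {"name": "<a href='https://example.invalid'>click</a>"}))
    # A burst to one destination: only PER_DESTINATION_LIMIT messages get through in total.
    for _ in range(5):
        results.append(gw.request_message("session-abc", "203.0.113.5", "+60123456789",
                                          {"name": "y"}))
    return results, gw.sent


if __name__ == "__main__":
    decisions, messages = demo()
    for d in decisions:
        print(d)
    print(f"{len(messages)} message(s) would actually be sent")
```

Checking the caller before the destination matters: a destination counter alone still lets one caller exhaust the quota of every number it tries, while a caller counter alone lets a crowd of callers flood a single number. Escaping is done at the point the body is built, not at input time, so the stored request stays faithful while the email can never render the caller’s markup.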

From Phakorn Kiong’s Medium post

Of course, it’s important to remember that correlation does not imply causation. In any case, the MySejahtera team has so far already dealt with the spam SMS issue, and while they haven’t acknowledged the emails they are likely aware of them and working to close the loophole too.

From what we can tell so far, it seems that MySejahtera’s database has not been compromised, but that there was a loophole in the API for the OTP SMS and email. Hopefully we’ll be getting further clarification from the MySejahtera team on what happened soon.
