Fake MySejahtera Covid-19 Positive Emails and OTP request

News November 18, 2021

“You’ve tested positive for covid nahhh, joking.”

Complaints about receiving unknown OTP and fake emails from MySejahtera app went viral over social media last month. Some users found themselves receiving one-time password (OTP) messages to verify their check-in registration. Several MySejahtera users reported receiving fake emails from the app. At the same time, some were told that they had been confirmed Covid-19 positive, followed by an acknowledgment that the email was just a joke. 

duck cartoon joke

What happened to MySejahtera?

The MySejahtera team has since addressed that the OTP sent to MySejahtera users was due to misuse of its Application Programming Interface (API) by malicious scripts. However, the Health Ministry said that the exploits did not result from leakage in the MySejahtera database. The MySejahtera team reassured all users that these scripts leaked no user data. 

What is API, and what is its relationship with MySejahtera?

An Application Programming Interface (API) is a set of programming codes that enables data transmission between one software product and another. It also contains the terms of this data exchange. 

When we use the MySejahtera app to request information, such as checking the number of infections of the day, the app will make a call to the server. There’s an API at the server end which receives the call request from the app. Then, the server will process the data requested and send it back to the app, which enables users to check the number of infections in the app. 

During the recent Clubhouse session hosted by LGMS, the panelists discussed that someone might have found a way to interrupt the MySejahtera API call to the server, and tell the server to send out the OTP and fake emails to fellow MySejahtera users. API is indeed a powerful gateway for applications to function. Therefore, all the API cores should have strong authentication to ensure no illegal API clause exists between the application and server. 

Mysejahtera screenshot

Is this incident considered “hacking”?

The incident possibly happened due to weak authentication of the in-app API. When someone discovers a loophole to call the API, the person can force MySejahtera to trigger the app to send out OTP, SMS, and fake emails. The act of triggering the API can be considered as a way of hacking. 

Advice to Developers

#CEO of #LGMS, Mr. C.F. Fong, suggested our government take aggressive action to audit and compromise check on the app and server. Besides this, developers should frequently conduct penetration testing (pentest) on the app. It’s critical to ensure all the application has been updated and pen-tested as the optimization of the application is frequently modified to ensure a better user experience. 

Advice to Malaysians

“Malaysians should bear in mind that our personal data is easy to get outside there. Be conscious that any scam group might manipulate your data,” stated Mr. C.F. Fong, the #CEO of #LGMS. 

We are advised not to easily trust any caller who can tell us our personal details and not voluntarily follow the caller’s instructions. Whenever we receive a suspicious call, hang up and call back to the official phone number. Tell your friend or family, stay calm and verify the authenticity of the phone call. 

More News about Data Breach in Malaysia:

>> Four million Malaysian Data being sold on the Dark Web? 

>> Concern over hackers, data leakage on internet

>> Data breach claim unsubstantiated>


>> Experts call for tougher law on data breach as Malindo Air becomes latest victim

>> Data breach is a big concern, say experts


About LGMS
The leading cybersecurity expert in Asia trusted by multinational corporations around the world. LGMS is a cybersecurity consulting company focused on delivering specialized cybersecurity assessments, consultations, and advisory services.  Established in 2005, LGMS has since built a reputation for its integrity, values, and best practices by providing world-class professional services to local, regional, and international clients across various industries and backgrounds. Visit www.lgms.global for more information.

Click in for information about LGMS services

For more, follow us on
YouTube Channel: LGMS Penetration Testing Expert (LE Global Services)
Facebook Page : lgms.global
Linkedin Page: lgms-global
Instagram ID: lgms.global
TikTok: www.tiktok.com/@lgms.global

Wish to become more competent in your Cyber Security Career and know more about Cyber Security Security tips?
Don’t miss out on our Weekly Clubhouse Cyber Security Talk,
πŸ“Œ Join CYBERSEC CHAT Club on Clubhouse: https://lnkd.in/dT7mRyZ