KUALA LUMPUR – Not for the first time, MySejahtera users are facing issues with the government-developed mobile app.
This time, scores of users are receiving unsolicited one-time password (OTP) SMS messages for check-in QR registrations they never requested, raising security and data-breach concerns about the app.
Some have also received prank emails claiming they have tested positive for Covid-19.
The issue surrounding the OTP messages supposedly first surfaced on Monday, after several users posted on social media about receiving the SMS at odd hours.
A user by the name of “Darkripper” also posted on a Lowyat.net forum showing how anyone could trigger the OTP SMS to arbitrary phone numbers.
“You can instruct MySejahtera to spam OTP to others at will. Just run the following code at (the) terminal of choice and change (the) contact number,” the user wrote in his post with an accompanying code.
On Twitter, a number of users have expressed concern that their profile on the app may have been compromised.
“Hi @KhairyKJ @my_sejahtera, I received an OTP number for check-in registration at 3.52am whereas I did not request any action at that moment. I was sleeping. Can you help? I’m afraid someone will use my identity for their needs,” @nazirulatic posted.
Meanwhile, @chewmeiling said: “Hey, I got an OTP too at 2.11am this morning! I think maybe some people are trying to access others’ MySejahtera accounts.”
“Why did I get an OTP for MySejahtera at 12am? Is someone trying to steal my ID?” posted another user @pawtanbunn. A simple search on Twitter will find many more such cases.
In response to media enquiries, MySejahtera’s team said it has investigated the issue and found that the check-in feature meant for business premises has been misused by some malicious scripts to send the OTPs to random numbers.
“Since then, these application programming interface end points have been blocked and a fix to enhance security will be moved tonight.
“We want to reassure all our users that no user data was accessed by these scripts, but random phone numbers were spammed to verify their numbers. We apologise for this inconvenience,” it said.
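The abuse described above works because an OTP-sending endpoint that any script can call, with no budget per phone number or per calling client, is effectively a free SMS cannon. As an added illustration (not MySejahtera’s code, and not based on its real API), the following Python gate shows the checks such an endpoint is missing: a minimum gap and an hourly quota per target number, a request budget per calling client, and a cap on how many distinct numbers one client may target in a window. All limits and the phone-number format are assumed values, and the SMS send itself is stubbed.

```python
import re
import time
from collections import defaultdict, deque

# Illustrative limits (assumptions, not MySejahtera's real settings).
PER_NUMBER_LIMIT = 3       # OTPs one number may receive per NUMBER_WINDOW
NUMBER_WINDOW = 3600       # seconds
MIN_GAP = 60               # seconds between two OTPs to the same number
PER_SOURCE_LIMIT = 20      # attempts one client (IP/session) gets per SOURCE_WINDOW
SOURCE_WINDOW = 600        # seconds
DISTINCT_NUMBER_LIMIT = 5  # distinct numbers one client may target per SOURCE_WINDOW

# Assumed E.164-style Malaysian mobile numbers; adjust for real deployments.
MSISDN_RE = re.compile(r"^\+60\d{8,10}$")


class OtpGate:
    """Decides whether an OTP SMS may be sent; the send itself is a stub."""

    def __init__(self):
        self.by_number = defaultdict(deque)  # phone  -> send timestamps
        self.by_source = defaultdict(deque)  # client -> (timestamp, phone) attempts
        self.sent = []                       # (phone, client, ts) actually dispatched

    @staticmethod
    def _prune(q, now, window, key=lambda e: e):
        # Drop entries that have aged out of the sliding window.
        while q and key(q[0]) <= now - window:
            q.popleft()

    def request(self, phone, client, now=None):
        """Returns 'sent' or a 'reject:<reason>' string for one OTP request."""
        now = time.time() if now is None else now
        if not MSISDN_RE.match(phone):
            return "reject:bad_number"

        sq = self.by_source[client]
        nq = self.by_number[phone]
        self._prune(sq, now, SOURCE_WINDOW, key=lambda e: e[0])
        self._prune(nq, now, NUMBER_WINDOW)

        # Every attempt from a client counts, whether or not it results in a send,
        # so a script spraying rejected requests still burns its budget.
        if len(sq) >= PER_SOURCE_LIMIT:
            return "reject:source_quota"
        sq.append((now, phone))

        # A legitimate user asks for OTPs to one number; a spam script fans out.
        if len({p for _, p in sq}) > DISTINCT_NUMBER_LIMIT:
            return "reject:fan_out"

        if nq and now - nq[-1] < MIN_GAP:
            return "reject:too_soon"
        if len(nq) >= PER_NUMBER_LIMIT:
            return "reject:number_quota"

        nq.append(now)
        self.sent.append((phone, client, now))   # stub: real code hands off to the SMS gateway here
        return "sent"


def simulate(gate, client, numbers, start=0.0, gap=1.0):
    """Replays a script firing one OTP request per number from a single client."""
    outcomes = defaultdict(int)
    for i, phone in enumerate(numbers):
        outcomes[gate.request(phone, client, now=start + i * gap)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    # Constructed input: a script sprays 50 made-up numbers one second apart.
    targets = [f"+6012{i:07d}" for i in range(50)]
    print(simulate(OtpGate(), "script-1", targets))
```

Run as a script, the spray gets five messages through before the fan-out cap trips and the client budget runs dry, while a single user re-requesting a code for their own number is only held back by the minimum gap and hourly quota. Counting rejected attempts against the client budget matters: an endpoint that only meters successful sends still lets a script probe freely.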
Today, another issue surfaced, with multiple users claiming to have received an email from MySejahtera jokingly informing them that they are Covid-19-positive.
“You’ve tested positive for covid nahhh, joking. Plenty of exploits to show,” the email read.
The email was signed off by “CPRC MOH” (Crisis Preparedness and Response Centre, Health Ministry) and delivered from [email protected].
This time, it’s an email. Not sure what is going on. Is #MySejahtera app safe or not? @Khairykj @KKMPutrajaya @AnnuarMusa @kkmm_gov is this some kind of joke? Anyone else got this? pic.twitter.com/2VnQMBsME2
— Kavita Maheendran (@kavitamaheendra) October 20, 2021
Twitter user @kavitamaheendra, who was among those to have received the unsolicited email, questioned if the app is truly safe and asked if this was a kind of joke.
The Health Ministry has yet to officially respond to this issue. – The Vibes, October 20, 2021