Malaysians have been getting spammed with texts and emails supposedly from MySejahtera. Here's what we know so far.
written by one Phakorn Kiong and published a few days ago, who claims to have used the MySejahtera app for roughly 2 months last year. According to him, after finding out that MySejahtera allowed those who received their COVID-19 jabs abroad to, he tried out the feature and followed the instructions given.
However, he met into an error page, and so looked through the MySejahtera website’s code to find that there were some mistakes in the code. He decided to sign up for the digital certificate anyway despite the error page by bypassing it altogether. Kiong achieved this by submitting his request directly via the API endpoint. Upon submitting his request that way, he received an auto-generated email that confirmed his details.
Kiong would then find out a few more quirks with the MySejahtera website. For one, because all the information that you submit in a request was saved as an HTML string before being sent back to you as an email, you could technically abuse it to get the MySejahtera helpdesk to send an email to any email address that you used during the request submission. It required no authentication token and had no rate limit imposed on it too.
From what we can tell so far, it seems as though that MySejahtera’s database as not been compromised, but that there was a loophole with the API for the OTP SMS and email. Hopefully we’d be getting further clarifications from the MySejahtera team on what happened soon.
Philippines Latest News, Philippines Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
No MySejahtera user data leak in unsolicited OTP texts incident, says teamPETALING JAYA: The MySejahtera team is investigating an incident where unsolicited one-time password (OTP) messages were sent to random phone numbers.
Read more »
Getting unsolicited OTP text messages from MySejahtera? Here’s why | Malay MailKUALA LUMPUR, Oct 20 — The MySejahtera team today revealed that its check-in QR registration feature was misused by “malicious scripts” to send OTPs to mobile numbers. The team responded after an increased number of complaints were registered through its helpdesk and social media platforms,...
Read more »
Posting Instagram photos from your desktop is now possible for all users - SoyaCincauInstagram was testing out the feature, in June, that would let you post right from your desktop. And now, the test feature will be available to all users as it launches globally this week.
Read more »
Bayar RM3,000 untuk status vaksin lengkap di MySejahtera | The Malaysian InsightKegiatan haram itu dijalankan oleh individu yang mempunyai akses ke aplikasi dan tawaran dibuat secara rahsia.
Read more »