MALAYSIA Tanah Tumpah Darahku


Wednesday, October 20, 2021

MySejahtera spam emails, OTP messages not due to database leak - Health Ministry


The Health Ministry has denied that spam emails and unsolicited one-time passwords (OTPs) sent out from MySejahtera were due to a database leak.

Instead, it said the incidents were due to the abuse of the application programming interfaces (APIs), which are software intermediaries that allow two applications to talk to each other.

“Based on preliminary investigations and other necessary actions by the National Cyber Security Agency, the sending of the false emails and text messages is caused by abuse of the APIs and not a leak in the MySejahtera database,” the Health Ministry said in a statement today.

Earlier, full-stack developer Phakorn Kiong also told Malaysiakini that there were security vulnerabilities in MySejahtera involving the APIs which were causing the spam emails and OTP messages.

The Health Ministry explained that the MySejahtera check-in feature, which is meant for business premises and others to register for a check-in QR code, requires the applicant to enter their email address or phone number to get an OTP.

It said “irresponsible parties” have used random email addresses and phone numbers to trigger the process of registration.

“If the phone number or email address that was entered randomly does exist, MySejahtera will send an OTP to the owner of the phone number or email address to verify the registration,” it added.

Misuse of MySejahtera website

The Health Ministry said the help function on the MySejahtera website was also used to send spam emails randomly.

“Following these irresponsible actions, the MySejahtera team has increased the level of security for the application and the website to prevent the same incident,” it added.

Kiong earlier explained that the MySejahtera website did not have any 'locks' to prevent outsiders from interfering with the APIs.

“In usual design, there are supposed to be 'keys' which the server can use to identify who is calling the server (as a form of authentication).

“The problem with this design is there are no 'locks' implemented. Anyone can come in and abuse the APIs,” he said.
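As an added illustration, not code from the article or from MySejahtera, this is what the missing 'lock' looks like on the server side: an OTP-request handler that rejects callers without a valid client key and rate-limits both the calling client and the destination address, so that random emails or phone numbers cannot be flooded with OTPs. The class name, limits and injectable clock are assumptions for the example.

```python
import time
from collections import defaultdict, deque

# Constructed limits for illustration; a real service tunes these.
PER_DESTINATION_LIMIT = 3   # OTPs per email/phone per window
PER_CLIENT_LIMIT = 10       # OTP requests per client key per window
WINDOW_SECONDS = 3600


class OtpRequestGuard:
    """Sliding-window guard in front of an OTP-sending endpoint.

    The 'key' identifies who is calling; the 'lock' is the check that the
    key is valid plus rate limits on the caller and on the target address.
    """

    def __init__(self, valid_client_keys, now=time.time):
        self._valid_keys = set(valid_client_keys)
        self._now = now                      # injectable clock for testing
        self._by_dest = defaultdict(deque)   # destination -> send timestamps
        self._by_client = defaultdict(deque) # client key -> request timestamps

    def _count(self, history, now):
        # Drop timestamps that fell out of the window, return what is left.
        while history and history[0] <= now - WINDOW_SECONDS:
            history.popleft()
        return len(history)

    def request_otp(self, client_key, destination):
        """Decide whether an OTP may be sent; only 'allow' triggers a send.

        The caller should answer the end user identically whether or not the
        destination exists, so the endpoint cannot confirm registered users.
        """
        now = self._now()
        if client_key not in self._valid_keys:
            return "deny:unauthenticated"
        if self._count(self._by_client[client_key], now) >= PER_CLIENT_LIMIT:
            return "deny:client_rate_limited"
        if self._count(self._by_dest[destination], now) >= PER_DESTINATION_LIMIT:
            return "deny:destination_rate_limited"
        self._by_client[client_key].append(now)
        self._by_dest[destination].append(now)
        return "allow"
```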

The incident had received widespread attention since last night after many people reported receiving spam emails and unsolicited OTP messages purportedly from MySejahtera. - Mkini
