Receiving One-Time Password (OTP) messages or spam emails you never asked for is annoying; receiving them because trolls have found a way to trigger them at will is rather more concerning, and a little bit scary.
Several users of MySejahtera, Malaysia's official Covid-19 contact tracing app, have reported receiving unsolicited text messages and emails triggered by trolls who abused a leaked back-end API request.
Some users have tweeted that they received messages similar to the one Twitter user and journalist Zurairi AR received from MySejahtera's official email address (email@example.com).
In response to the complaints about the spam messages and emails, MySejahtera issued a statement last night saying that it will tighten the security of its Application Programming Interface (API) so that no one else can abuse the leaked code.
It also said that no user data has been leaked, but acknowledged that any phone number or email address verified on the app can and might receive spam texts or emails.
MySejahtera's team investigated the issue and found that the "Check-In" feature used at business premises had been misused by trolls who got hold of the code.
The code was posted on the Lowyat.net forum by a user who wrote, "You can instruct 'MySejahtera' to spam OTP to others at will", and it is apparently a working line of code that a forum user has tested.
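The article does not describe MySejahtera's API, so the following is an added, hypothetical illustration of the general failure mode rather than the app's own code: an OTP-trigger endpoint that accepts any recipient from any caller with no limit (the shape a leaked request can abuse to flood a third party) next to a hardened version that binds the recipient to the authenticated caller's own verified contact and applies sliding-window rate limits per caller and per recipient. The class, session shape, phone numbers and limits are all assumptions constructed for the example.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque


class OtpAbuseError(Exception):
    """Raised when an OTP request is refused."""


class OtpDispatcher:
    """Minimal OTP sender with the controls an OTP-trigger endpoint needs.

    Hypothetical design for illustration, not MySejahtera's implementation.
    """

    def __init__(self, per_recipient=3, per_caller=5, window_seconds=600, clock=time.time):
        self.per_recipient = per_recipient  # max OTPs one phone/email may receive per window
        self.per_caller = per_caller        # max OTPs one authenticated session may trigger per window
        self.window = window_seconds
        self.clock = clock                  # injectable so tests can advance time deterministically
        self.outbox = []                    # (recipient, code) pairs that would go to the SMS/email gateway
        self._recipient_hits = defaultdict(deque)
        self._caller_hits = defaultdict(deque)

    def _within_limit(self, hits, key, limit):
        """Sliding-window counter: drop expired timestamps, then check the count."""
        now = self.clock()
        q = hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def _deliver(self, recipient):
        code = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((recipient, code))
        return code

    def send_otp_unprotected(self, recipient):
        """Weak form: any caller, any recipient, no limit.

        Anyone who learns the request can point it at an arbitrary number
        and repeat it as often as they like.
        """
        return self._deliver(recipient)

    def send_otp(self, session, recipient):
        """Hardened form of the same operation."""
        if session is None or not session.get("verified_contact"):
            raise OtpAbuseError("authentication required")
        # The OTP may only go to the contact bound to the caller's own session,
        # so a leaked request cannot be aimed at a third party.
        if not hmac.compare_digest(session["verified_contact"], recipient):
            raise OtpAbuseError("recipient is not the caller's verified contact")
        if not self._within_limit(self._caller_hits, session["id"], self.per_caller):
            raise OtpAbuseError("caller rate limit exceeded")
        if not self._within_limit(self._recipient_hits, recipient, self.per_recipient):
            raise OtpAbuseError("recipient rate limit exceeded")
        return self._deliver(recipient)


def simulate_attack(attempts=10):
    """Attacker aims both endpoints at a victim; returns OTPs the victim gets from each."""
    clock = [0.0]
    svc = OtpDispatcher(clock=lambda: clock[0])
    victim = "+60120000000"  # constructed sample number
    attacker = {"id": "sess-attacker", "verified_contact": "+60199999999"}  # constructed
    weak = hardened = 0
    for _ in range(attempts):
        svc.send_otp_unprotected(victim)
        weak += 1
        try:
            svc.send_otp(attacker, victim)
            hardened += 1
        except OtpAbuseError:
            pass
    return weak, hardened


def simulate_legitimate_use():
    """A real user requesting their own OTP: three succeed, the fourth is throttled,
    and a request after the window has expired succeeds again."""
    clock = [0.0]
    svc = OtpDispatcher(per_recipient=3, window_seconds=600, clock=lambda: clock[0])
    user = {"id": "sess-user", "verified_contact": "+60120000000"}  # constructed
    results = []
    for _ in range(4):
        try:
            svc.send_otp(user, user["verified_contact"])
            results.append("sent")
        except OtpAbuseError as err:
            results.append(str(err))
    clock[0] += 600  # window expires
    svc.send_otp(user, user["verified_contact"])
    results.append("sent")
    return results


if __name__ == "__main__":
    print(simulate_attack(), simulate_legitimate_use())
```

The recipient binding is the control that matters most here: rate limiting alone only slows a spammer down, whereas refusing to send to any contact other than the one already tied to the authenticated session removes the ability to target someone else at all. In a real deployment the counters would live in a shared store such as Redis rather than in process memory.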