M'sia's contact tracing app compromised to send out Covid-19 positive messages & 'Rick Roll' spam

Malaysia's Ministry of Health said it has beefed up the app's security on Oct. 20.

Jean Chien Tay | October 21, 2021, 10:44 AM


Malaysia's Covid-19 contact tracing app, MySejahtera, was recently compromised to send out Rick Roll memes and fake Covid-19 positive messages to users in Malaysia, Malaysiakini reported.

The loophole in the application's script was highlighted on Oct. 18 by a full-stack developer working in Singapore, Phakorn Kiong.

Amid worries of potential leak of users' personal information, MySejahtera took to Twitter on Oct. 20 to assure users that "no user data was assessed".

Health Ministry said the app's security has been beefed up

MySejahtera is a mobile application developed by the Malaysian government to facilitate contact tracing for Covid-19 cases and verify users' vaccination statuses, similar to Singapore's TraceTogether.

In a statement, Malaysia's Ministry of Health (KKM) confirmed that it received complaints about spam emails and OTP (One-Time Password) messages that required users to verify their registered personal phone numbers.

KKM explained that the problem was due to people misusing the API (Application Programming Interface) to send out those messages via the app, and elaborated that the app's database was not compromised.

"In response to the irresponsible actions, the MySejahtera team has strengthened the MySejahtera app and website to prevent similar incidents from occurring again," KKM added.

"Anyone" could access the system

Speaking to Malaysiakini, Kiong said the app initially failed to secure the API with proper authentication methods, which allowed "anyone" to access and potentially abuse the system.

Kiong reportedly proved his statement by accessing the MySejahtera system to send an email to the news site.

He added that "bad faith actors" could pose as an official source and send emails with bad intentions to the app's users.

Spam emails featuring "Rickroll"

Meanwhile, Twitter users have shared their experiences in receiving spam emails and messages that appeared to be from MySejahtera.

A netizen posted a screenshot of an OTP on her phone, with numerous people stating similar occurrences.

A journalist received a spam email that wrote, "You've tested positive for covid nahhh, joking. Plenty of exploits to show."

"Rickroll" memes were also seen in some spam emails that appeared to be sent via MySejahtera.

Instructions on how to game the system were even posted on the Malaysian online forum lowyat.net, where many proceeded to call out the team behind the "RM70 million" (S$22.6 million) app.

At the time of writing, it is unclear whether the problem has successfully been resolved.


Top image via MySejahtera/Facebook & @zurairi/Twitter