Team behind Malaysia's Covid-19 tracking app says no user data leaked amid 'malicious' activity

Although random phone numbers were spammed to verify their numbers, the team offered assurance that no user data was accessed by the "malicious scripts".

PETALING JAYA (THE STAR/ASIA NEWS NETWORK) - Malaysia's Covid-19 tracking application has been misused by "malicious scripts" to send unsolicited one-time passwords (OTPs) to random phone numbers.

The team managing the MySejahtera app is investigating, it said. The app functions similarly to Singapore's TraceTogether app and holds its users' vaccination records while facilitating contact tracing.

In a brief statement, the team said it had received complaints through the MySejahtera app helpdesk and social media channels about the incident, where an unsolicited OTP message was sent to verify random users' phone numbers for check-in QR registration, which is meant for business premises.

"The MySejahtera team has investigated and found that the check-in QR registration feature meant for business premises was misused by some malicious scripts to send OTP to random phone numbers," it said on Wednesday (Oct 20).

Although random phone numbers were spammed to verify their numbers, the team offered assurance that no user data was accessed by the "malicious scripts".

The team also apologised for the inconvenience and added that it has since blocked MySejahtera's application programming interface (API) endpoints to facilitate a security enhancement fix later at night.

An API is the software interface that allows two programmes to communicate. APIs work by accepting information requests from a Web application or server and returning data in response.

Some users, including lawmaker Fahmi Fadzil, received hoax e-mails saying they have tested positive for Covid-19.

The Lembah Pantai MP tweeted screenshots showing he had received messages from MySejahtera on Tuesday that read "You've tested positive for covid nahhh, joking" or contained Rickroll memes, an Internet prank that involves sending its targets images or videos of English singer Rick Astley.

Malaysia reported 5,516 new Covid-19 cases on Wednesday, taking the total infections in the country to more than 2.4 million.