KUALA LUMPUR, Oct 20 — The MySejahtera team today revealed that its check-in QR registration feature was misused by “malicious scripts” to send one-time passwords (OTPs) to mobile numbers.
The team responded after an increase in complaints, lodged through its helpdesk and social media platforms, about unsolicited OTP messages, some received in the early hours of the morning.
The team, however, assured users that their data was not accessed by the scripts and that the issue will be fixed tonight.
“Since then, these API endpoints are blocked and a fix to enhance security will be moved tonight. We want to reassure all our users that no user data was accessed by these scripts but random phone numbers were spammed to verify their phone number. We apologise for this inconvenience,” a statement to the media read.
API stands for application programming interface.
Though the statement only addressed issues with text messages, several users also highlighted that they had received similar spam emails.
Some had received images of singer Rick Astley from his music video Never Gonna Give You Up.
The emails also came with an attached message reading: “Dear user, thank you for reaching out to MySejahtera Helpdesk. We have received your email and confirm your details as below. We shall investigate your request and due to high surge of traffic at helpdesk, we will get back to you within the next 5 days. Thank you for your patience & have a pleasant day ahead.”
Another user shared a screenshot of a prank email he received from MySejahtera, informing him that he had tested positive for Covid-19.
“You’ve tested positive for Covid nahhh, joking, Plenty of exploits to show,” the email titled ‘MySejahtera Check-in Support-Health Assessment’ read.
MySejahtera is expected to release a detailed statement on the issue later.