PUTRAJAYA (Oct 20): The security level of MySejahtera's application and website has been improved following complaints regarding the issue of OTP (One Time Password) messages and spam e-mails, said the Ministry of Health (MOH).
MOH in a statement today said a preliminary investigation conducted by the National Cyber Security Agency (NACSA) found that the fake e-mails and SMSes sent from the MySejahtera application were not due to a database leak, but rather to misuse of the Application Programming Interface (API).
According to the MOH, the MySejahtera website has a MySejahtera Check-In Registration function that lets businesses, premises, public transport and others obtain and display the MySejahtera QR Code. Applicants must enter, among other things, information such as an e-mail address or phone number to obtain an OTP and complete the application.
The MOH said the initial investigation found that the MySejahtera Check-in QR Code Registration application function had been misused by irresponsible parties, by using random e-mail addresses or telephone numbers to perform the registration process.
"If the phone number or e-mail address entered at random exists, MySejahtera will send an OTP to the owner of the phone number or e-mail address to confirm the registration," said MOH.
In addition, MOH said the "Need Help?" function on the same site has also been misused to send random spam e-mails.
"Following this irresponsible action, the MySejahtera team has further increased the security level of the MySejahtera application and website to prevent the same incident from recurring," it said.
The issue of MySejahtera application security was first raised yesterday after a handful of users received OTP messages via their respective e-mails.
A popular website (Lowyat.net) also featured a post titled "MySejahtera Not So Sejahtera, Full of Exploits", which said that the MySejahtera application can be used to send OTP messages to anyone's phone number.
MySejahtera's application and website are currently under the joint management of the MOH and the National Security Council (MKN).