(Updated)

MoH: No data leak, MySejahtera check-in QR code and helpdesk abused by irresponsible parties

MoH: The ministry has received complaints through the MySejahtera helpdesk and social media about the OTP message to confirm the user's phone number for MySejahtera check-in QR code registration and spam emails from the MySejahtera helpdesk. (Photo by Zahid Izzani Mohd Said/The Edge)

MoH: The ministry has received complaints through the MySejahtera helpdesk and social media about the OTP message to confirm the user's phone number for MySejahtera check-in QR code registration and spam emails from the MySejahtera helpdesk. (Photo by Zahid Izzani Mohd Said/The Edge)

-A +A

KUALA LUMPUR (Oct 20): Following complaints from several MySejahtera users about receiving troll emails and spam SMS messages with one-time passwords (OTPs) from the Covid-19 app's helpdesk, the Ministry of Health (MoH) has given assurance that there is no leak in the MySejahtera database.

"The ministry has received complaints through the MySejahtera helpdesk and social media about the OTP message to confirm the user's phone number for MySejahtera check-in QR code registration and spam emails from the MySejahtera helpdesk.

"Based on the initial investigation and actions taken by the National Cyber Security Agency (NACSA), the sending of the fake emails and SMSs is due to misuse of the API (application programming interface) and not a leak in the MySejahtera database," the ministry said in a statement on Wednesday.

An API refers to the coding platform that allows two software programs to communicate.

An API endpoint is where it connects with the software program. APIs work by sending information requests from a web application or server and receiving a response.

On the MySejahtera website, there is a MySejahtera Check-In Registration feature that allows businesses, establishments, public transportation, and others to obtain and display the MySejahtera QR code. To complete the registration, an applicant must enter information such as their email address or phone number, among other things, to receive an OTP.

Following the complaints received, the MySejahtera team conducted an initial investigation. The team found that the function of the MySejahtera Check-in QR Code Registration application was misused by irresponsible parties. These parties used a random email address or phone number to complete the registration process.

The MoH said that if the phone number or email address was entered randomly, MySejahtera will send an OTP to the owner of the phone number or email address to confirm the registration.

In addition, the ministry noted that the Need Help feature on the same website was also misused to send random spam emails.

“Following this irresponsible action, the MySejahtera team has further increased the security level of MySejahtera's applications and websites to prevent such an incident from happening again,” the ministry added.

The MySejahtera application and website are currently jointly managed by the MoH and the National Security Council (MKN).

Joyce Goh