MySejahtera security level improved - MOH

MOH in a statement today said a preliminary investigation conducted by the National Cyber Security Agency (NACSA) found that the fake emails and SMS sent from the MySejahtera application was not due to a database leak, but rather misuse of the Application Programming Interface (API).

According to the MOH, on the MySejahtera website, there is a MySejahtera Check-In Registration function for businesses, premises, public transport and others to obtain and display the MySejahtera QR Code where applicants, among others, need to enter information such as email or phone number to obtain an OTP to complete the application.

The MOH said the initial investigation found that the MySejahtera Check-in QR Code Registration application function had been misused by irresponsible parties, by using random email addresses or telephone numbers to perform the registration process.

"If the phone number or email address entered at random exists, MySejahtera will send an OTP to the owner of the phone number or email address to confirm the registration," said MOH.

In addition, MOH said the Need Help? function on the same site has also been misused to send random spam emails.

"Following this irresponsible action, the MySejahtera team has further increased the security level of the MySejahtera application and website to prevent the same incident from recurring," it said.

The issue of MySejahtera application security was first raised yesterday after a handful of users received OTP messages via their respective emails.

A popular website (Lowyat.net) also featured a post titled "MySejahtera Not So Sejahtera, Full of Exploits", which said that the MySejahtera application can be used to send OTP messages to anyone's phone number.

MySejahtera's application and website are currently under the joint management of the MOH and the National Security Council (MKN).