KUALA LUMPUR: Early investigations by the National Cyber Security Agency (NACSA) found that the spam emails and fake one-time password (OTP) messages sent to MySejahtera users were due to misuse of its Application Programming Interface (API).
However, the Health Ministry said the exploits did not result from a leakage in the MySejahtera database.
Yesterday, several MySejahtera users found themselves receiving one-time password (OTP) messages asking them to verify a premises check-in registration.
Meanwhile today, spam emails were dispatched to some MySejahtera users from the application's helpdesk.
Several MySejahtera users woke up to disturbing spam emails from the application's helpdesk today that read: "You've tested positive for covid nahhh, joking. Plenty of exploits to show."
The ministry, in a statement today, said the MySejahtera website is built with a feature that allows businesses, premises, public transportation and other services to obtain and display QR codes to enable check-in registrations.
"In order to complete the application, the applicant is required to enter an email address or mobile phone number to obtain an OTP.
"This feature has been misused by some irresponsible people who have used random email addresses and phone numbers to make registrations.
"If the email addresses or phone numbers keyed-in randomly actually existed, MySejahtera sent OTP messages to their owners to verify the registration.
"Besides that, the 'Need Help?' feature in the same website was also misused to despatch spam emails randomly.
"In the wake of these irresponsible actions, the MySejahtera team has beefed up the security levels of the MySejahtera app and website to prevent this incident from recurring," the ministry said.
The MySejahtera mobile application and website, which were introduced in April last year, are under the purview of the Health Ministry and the National Security Council (NSC).
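The two abuses described in the ministry's statement share a root cause: an unauthenticated endpoint that sends a message to whatever email address or phone number the caller supplies. The guard below is an added illustration of the usual mitigations and is not MySejahtera code; the quotas, the window length and the `OtpGuard` class are assumptions for the example.

```python
import re
import time
from collections import defaultdict

# Hypothetical OTP dispatch guard (example only, not MySejahtera's implementation).
# Quota values are assumptions chosen for illustration.
MAX_PER_DESTINATION = 3   # OTPs one email/phone may receive per window
MAX_PER_SOURCE = 10       # OTP requests one client IP may trigger per window
WINDOW_SECONDS = 3600

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[0-9]{8,15}$")


class OtpGuard:
    def __init__(self, send_func, now=time.time):
        self.send = send_func            # callable(destination, message_text)
        self.now = now                   # injectable clock for testing
        self.by_destination = defaultdict(list)
        self.by_source = defaultdict(list)

    def _recent(self, bucket, key):
        """Drop timestamps outside the window and return how many remain."""
        cutoff = self.now() - WINDOW_SECONDS
        bucket[key] = [t for t in bucket[key] if t > cutoff]
        return len(bucket[key])

    def request_otp(self, destination, source_ip, otp):
        """Return True if an OTP was actually dispatched.

        The boolean is for internal metrics only: the HTTP layer should answer
        identically whether or not a message went out, so the endpoint cannot be
        used to discover which addresses are real.
        """
        dest = destination.strip()
        if not (EMAIL_RE.match(dest) or PHONE_RE.match(dest)):
            return False
        if self._recent(self.by_destination, dest) >= MAX_PER_DESTINATION:
            return False                 # protects the recipient from floods
        if self._recent(self.by_source, source_ip) >= MAX_PER_SOURCE:
            return False                 # limits one client's total dispatches
        ts = self.now()
        self.by_destination[dest].append(ts)
        self.by_source[source_ip].append(ts)
        # Fixed template: no caller-supplied text ever reaches the message body,
        # which closes the "Need Help?" style free-text spam channel as well.
        self.send(dest, f"Your verification code is {otp}. "
                        "Ignore this message if you did not request it.")
        return True
```

The same two-sided quota (per recipient and per requesting client) applies to the helpdesk form; the key difference for that form is that the recipient should be the operator's fixed support mailbox, never an address chosen by the requester.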