Malaysia’s Covid-19 App Reports ‘Malicious Script’ Misuse

(Bloomberg) -- Malaysia’s Covid-19 tracking application has been misused by “malicious scripts” to send unsolicited one-time passwords to random phone numbers.

The team running the MySejahtera app, which also verifies Covid vaccinations, said they received complaints from several users about getting OTP messages to verify their phone numbers for check-in QR registrations.

Some users, including lawmaker Fahmi Fadzil, received emails saying they’ve tested positive for Covid.

The incident sparked concerns on social media about a likely leak of personal data involving the nation’s 32 million people. The MySejahtera team assured users that their data was not accessed by the “malicious scripts” and that the issue will be fixed soon. 

“These Application Programming Interface end points are blocked and a fix to enhance security will be moved tonight,” the team said in a statement issued Tuesday night.

Based on an initial investigation by the National Cyber ​​Security Agency, the fake emails are due to the abuse of API, and not because of a leak in the app’s database, the health ministry said in a statement on Wednesday.

“The MySejahtera team has increased the level of security of applications and websites to prevent the incident from happening again,” the ministry said.

About 94% of the nation’s adults have completed their Covid vaccination as of Tuesday, while 97% of the adult population had received at least one dose, according to the health ministry. The rapid vaccine rollout has allowed the government to lift curbs on movements as it aims to reopen all economic and social sectors by the final quarter of the year. 

Malaysia reported 5,516 new Covid cases on Wednesday, with the tally staying below the 6,000 mark for a third day. New daily infections have remained below the 10,000 mark since Oct. 3.

©2021 Bloomberg L.P.