PETALING JAYA: There was no data leak involving MySejahtera users, says the Health Ministry.
The ministry said this after it carried out an investigation following complaints and reports of unsolicited one-time password (OTP) text messages and spam email from the Covid-19 app’s helpdesk.
It said initial investigations by the Malaysian National Cyber Security Agency (Nacsa) showed the OTP messages and spam emails were sent out by misusing the app’s application programming interface (API).
“There was no leak of the MySejahtera database,” the ministry said in a statement.
Earlier, the MySejahtera team said the unsolicited OTP messages were sent to verify random users’ phone numbers for check-in QR registration, which is meant for business premises, public transport operators and others to get a QR code to be used for MySejahtera check-ins.
The ministry said irresponsible parties had randomly entered mobile numbers and email addresses into the registration field on the MySejahtera website.
“If such an email or mobile phone number is valid, MySejahtera will send out an OTP to confirm the registration,” it said.
On the spam email, the ministry said the “Need Help?” function had been misused to send out spam to random email addresses.
It added that the MySejahtera team apologised for the inconvenience and had since blocked MySejahtera’s API endpoints to facilitate a security enhancement fix.
An API is an interface that allows two software programmes to communicate.
An API endpoint is the point at which the API connects with the software programme.
APIs work by taking an information request sent from a web application or server and returning a response.
The MySejahtera app and website were jointly managed by the ministry and the National Security Council.