No user data leak, says Malaysia's COVID-19 tracing app developer following complaints on spam SMS

There were also complaints of spam emails from an account that appeared to belong to MySejahtera. 

MySejahtera is Malaysia's COVID-19 contact tracing app. (File photo: Bernama)

KUALA LUMPUR: The developer of MySejahtera, Malaysia's COVID-19 tracing app, said the unsolicited one-time passwords (OTPs) sent to users were due to "malicious scripts", while assuring that there was no user data leak.  

In a short statement issued on Wednesday (Oct 20), the MySejahtera team said it had investigated the matter following complaints regarding unsolicited messages to verify users' phone numbers for check-in registration. 

Investigations found that the check-in QR registration feature, which is meant for business premises, had been misused by some “malicious scripts” to send out the OTPs, it added. 

“Since then these API (application programming interface) end points are blocked and a fix to enhance security will be moved tonight,” it said. 

“We want to reassure all our users that no user data was accessed by these scripts but random phone numbers were spammed to verify their phone number,” it added. 

An API is the programming code that enables data transmission between computers, or between one piece of computer software and another.

Some Malaysians took to Twitter to highlight that they had received the OTP messages. They were worried that others had tried to log into their MySejahtera accounts, and whether they were victims of a database breach or identity theft. 

In addition to the SMS spam, email accounts appeared to have been targeted as well, with many users receiving troll emails from "donotreply [at]". 

The email content suggested that there may be design and security flaws with the contact tracing app. 

Screenshot of a spam email from an account that appeared to belong to MySejahtera.

The MySejahtera mobile application was released last year to facilitate contact tracing in Malaysia’s efforts to fight COVID-19. Users could also book vaccine appointments via the app. 

MySejahtera’s website indicated that the app was developed through a strategic cooperation involving the National Security Council (NSC), Ministry of Health (MOH), Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), Malaysian Communications and Multimedia Commission (MCMC) and Ministry of Science, Technology and Innovation (MOSTI).

NSC said last year that MySejahtera was developed by a Malaysian firm, KPISoft Sdn Bhd, according to Malay Mail.

It explained that the development of MySejahtera began after MOH asked the National Cyber Security Agency, NSC and MAMPU to assess an app developed by KPISoft, on a corporate social responsibility basis, to be made into a national app to monitor the spread of COVID-19. 

Following evaluation by the agencies, the application was found to be the readiest for national implementation among the choices offered to the government at that time, taking into consideration MOH’s desperate need for the technology, the NSC was quoted as saying. 

Last month, Prime Minister Ismail Sabri Yaakob said in Parliament that the one-year corporate social responsibility arrangement had expired on Mar 31, The Star reported. 

As such, the government would start paying the developer for the app from Apr 1, he was quoted as saying, adding that the government was discussing the amount and method of payment with several government agencies. 


In a statement issued later on Wednesday, the Health Ministry said that, based on preliminary investigations by the National Cyber Security Agency, the spam emails and SMSes were due to abuse of MySejahtera's API and not a database leak. 

The ministry explained that irresponsible parties had entered random numbers and email addresses in the "MySejahtera Check-In Registration" function on MySejahtera's website, which is for entities such as businesses, premises and public transport to obtain a QR code for display. 

"To complete the request, applicants need to enter information such as email addresses or telephone numbers to get the OTP," it said. 

And if such addresses or numbers did exist, MySejahtera would send out the OTP to verify the registration, the ministry added.  

In addition, MySejahtera's "Need Help?" function on the website was similarly abused to send random spam. 

"Following these irresponsible actions, the MySejahtera team has increased the application's and site's security levels to prevent the same incident from recurring," the ministry's statement said. 
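The abuse the ministry describes, a registration form that hands whatever phone number or email address is typed in straight to the OTP sender, is usually contained by rate-limiting OTP dispatch on both the destination and the requester, and by keeping the endpoint's reply identical whether or not the contact details exist. The sketch below is an added example and is not MySejahtera's code; the limits, window, requester identifiers and sample destinations are assumed values.

```python
import time
from collections import defaultdict, deque

class OtpDispatchGate:
    """Gate in front of the OTP sender of a registration endpoint.

    Two independent sliding-window limits (assumed policy values):
      - per destination: one number or address receives at most `dest_limit`
        OTPs per `window` seconds, so nobody can be bombarded with codes;
      - per requester: one client (IP, session or API key) may trigger at most
        `src_limit` OTPs per `window`, so a script cannot spray OTPs at random
        numbers the way the ministry describes.
    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, dest_limit=3, src_limit=5, window=600.0, clock=time.monotonic):
        self.dest_limit, self.src_limit, self.window, self.clock = dest_limit, src_limit, window, clock
        self._dest = defaultdict(deque)  # destination -> timestamps of sends
        self._src = defaultdict(deque)   # requester   -> timestamps of sends

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, requester, destination):
        """Return True if an OTP may be sent now, recording the send if so."""
        now = self.clock()
        dq, sq = self._dest[destination], self._src[requester]
        self._prune(dq, now)
        self._prune(sq, now)
        if len(dq) >= self.dest_limit or len(sq) >= self.src_limit:
            return False
        dq.append(now)
        sq.append(now)
        return True

def handle_registration(gate, outbox, requester, destination, known_destinations):
    """Constructed endpoint handler. Appends to `outbox` only when an OTP may be
    sent; the reply is the same in every case, so the endpoint cannot be used
    to confirm which numbers or addresses are registered."""
    if destination in known_destinations and gate.allow(requester, destination):
        outbox.append(destination)  # real deployment: hand off to the SMS/email sender
    return "If the contact details are valid, a verification code has been sent."

def simulate_spray(gate, requester, targets):
    """How many OTPs one requester manages to trigger against a list of targets."""
    return sum(1 for d in targets if gate.allow(requester, d))
```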

Source: CNA/vt
