Date: 2021-10-20

KUALA LUMPUR: The developer of MySejahtera, Malaysia's COVID-19 tracing app, said the unsolicited one-time password (OTP) sent to users was due to "malicious scripts", while assuring that there was no user data leak.

In a short statement issued on Wednesday (Oct 20), the MySejahtera team said it had investigated the matter following complaints regarding unsolicited messages to verify users' phone numbers for check-in registration.

Investigations found that the check-in QR registration feature, which is meant for business premises, had been misused by some “malicious scripts” to send out the OTPs, it added.

“Since then these API (application programming interface) end points are blocked and a fix to enhance security will be moved tonight,” it said.

“We want to reassure all our users that no user data was accessed by these scripts but random phone numbers were spammed to verify their phone number,” it added.

An API is the programming code that enables data transmission between computers, or between one piece of computer software and another.