CODE
curl --location --request POST 'https://mysejahtera.malaysia.gov.my/checkin/registerPhone' \
--form 'countryCode="60"' \
--form 'contactNumber="12345678"'
--form 'countryCode="60"' \
--form 'contactNumber="12345678"'
MySejahtera Not So Sejahtera, Full of Exploits
|
Oct 18 2021, 01:51 PM, updated 4y ago
Show posts by this member only | IPv6 | Post
#1
|
Senior Member
1,257 posts Joined: Dec 2008 From: /k/ |
You can instruct "MySejahtera" to spam OTP to others at will. Just run the following code at terminal of choice and change contact number (Window user pandai pandai tukar la )
CODE curl --location --request POST 'https://mysejahtera.malaysia.gov.my/checkin/registerPhone' \ --form 'countryCode="60"' \ --form 'contactNumber="12345678"' |
|
|
|
Oct 18 2021, 02:04 PM
Show posts by this member only | Post
#2
|
Senior Member
815 posts Joined: Jan 2003 |
I'm not testing if this really work, but if it is, then the backend looks like it's developed by some intern IT student PoisonSoul liked this post
|
|
Oct 18 2021, 02:06 PM
Show posts by this member only | IPv6 | Post
#3
|
Senior Member
766 posts Joined: Nov 2010 |
|
|
Oct 18 2021, 02:07 PM
Show posts by this member only | Post
#4
|
Junior Member
733 posts Joined: Mar 2016 |
Which is why my friend uses a throwaway email as MySejahtera ID brkli liked this post
|
|
Oct 18 2021, 02:08 PM
Show posts by this member only | Post
#5
|
Senior Member
4,430 posts Joined: Jul 2005 |
this api should not even be exposed! it's supposed to be called by a backend module! ..
|
|
Oct 18 2021, 02:11 PM
Show posts by this member only | Post
#6
|
Senior Member
2,485 posts Joined: Dec 2004 From: initrd |
mafioso yuno do properly backend
|
|
|
|
Oct 18 2021, 02:12 PM
Show posts by this member only | Post
#7
|
All Stars
21,785 posts Joined: Dec 2004 From: KL |
QUOTE(Darkripper @ Oct 18 2021, 01:51 PM) You can instruct "MySejahtera" to spam OTP to others at will. Just run the following code at terminal of choice and change contact number (Window user pandai pandai tukar la ) do u even need exploit?CODE curl --location --request POST 'https://mysejahtera.malaysia.gov.my/checkin/registerPhone' \ --form 'countryCode="60"' \ --form 'contactNumber="12345678"' ayam thought u can just try login with the number and the app will send otp? |
|
Oct 18 2021, 02:13 PM
Show posts by this member only | IPv6 | Post
#8
|
Senior Member
1,257 posts Joined: Dec 2008 From: /k/ |
QUOTE(imin @ Oct 18 2021, 02:04 PM) I'm not testing if this really work, but if it is, then the backend looks like it's developed by some intern IT student Go ahead and try, the URL is legit anyways. Can use Postman or other tools as well, as long as you send that form-data, it works. These mistake are worse than interns lol.QUOTE(kidmad @ Oct 18 2021, 02:08 PM) They kinda forget to verify the captcha actually. They have Captcha at the page, but backend doesn't verify that token. |
|
Oct 18 2021, 02:14 PM
Show posts by this member only | Post
#9
|
All Stars
21,785 posts Joined: Dec 2004 From: KL |
QUOTE(imin @ Oct 18 2021, 02:04 PM) I'm not testing if this really work, but if it is, then the backend looks like it's developed by some intern IT student What do u expect when it is already doing what it is supposed to do?Do u know u can also do similar spam otp with whatsapp? get ur enemy whatsapp phone number and try login with the number..that person will keep getting otp spam to his phone. |
|
Oct 18 2021, 02:15 PM
Show posts by this member only | IPv6 | Post
#10
|
Senior Member
1,257 posts Joined: Dec 2008 From: /k/ |
QUOTE(WaCKy-Angel @ Oct 18 2021, 02:12 PM) There are no rate limit, meaning you can repeatedly keep on request OTP with a simple scripts.Triggering OTP is not the issue, the issue is lack of Authentication/Authorization token. Maybe that's the implementor have the same thought as you. Also, the OTP token never change, at least for the past 19 hours that i had been spamming myself. This post has been edited by Darkripper: Oct 18 2021, 02:16 PM |
|
Oct 18 2021, 02:23 PM
Show posts by this member only | IPv6 | Post
#11
|
Senior Member
1,793 posts Joined: Jan 2007 From: The Long river ... |
Its a 70mil feature la ...
|
|
Oct 18 2021, 02:23 PM
|
Senior Member
4,430 posts Joined: Jul 2005 |
QUOTE(Darkripper @ Oct 18 2021, 02:13 PM) Go ahead and try, the URL is legit anyways. Can use Postman or other tools as well, as long as you send that form-data, it works. These mistake are worse than interns lol. to send notification they can just use something like big ip f5 to whitelist only allowed IP address could access the endpoints. infact just build the service separate and segregation between internal and external network.They kinda forget to verify the captcha actually. They have Captcha at the page, but backend doesn't verify that token. |
|
Oct 18 2021, 02:24 PM
|
All Stars
21,785 posts Joined: Dec 2004 From: KL |
QUOTE(Darkripper @ Oct 18 2021, 02:15 PM) There are no rate limit, meaning you can repeatedly keep on request OTP with a simple scripts. A simple captcha will not be sufficient to block hacker.Triggering OTP is not the issue, the issue is lack of Authentication/Authorization token. Maybe that's the implementor have the same thought as you. Also, the OTP token never change, at least for the past 19 hours that i had been spamming myself. Anyway security vs convenient has always been a mouse and cat game. The more u do the more hacker wants to find exploit lol. |
|
|
|
Oct 18 2021, 02:27 PM
Show posts by this member only | IPv6 | Post
#14
|
Senior Member
1,257 posts Joined: Dec 2008 From: /k/ |
QUOTE(kidmad @ Oct 18 2021, 02:23 PM) to send notification they can just use something like big ip f5 to whitelist only allowed IP address could access the endpoints. infact just build the service separate and segregation between internal and external network. They can't do that, as that's the endpoint that client side is calling to trigger it. Eaiest way is just to rate limit + some kind of Captcha. That would reduce the exposure to an acceptable limit.QUOTE(WaCKy-Angel @ Oct 18 2021, 02:24 PM) A simple captcha will not be sufficient to block hacker. It wont solve all, but it reduces the exposure.Anyway security vs convenient has always been a mouse and cat game. The more u do the more hacker wants to find exploit lol. |
|
Oct 18 2021, 02:29 PM
|
Junior Member
791 posts Joined: Mar 2010 |
|
|
Oct 18 2021, 02:32 PM
|
Moderator
6,161 posts Joined: Oct 2004 |
tengine webserver...
twitter bootstrap.. google font api... owl carousel.. jquery... all free stuff but cost 70m... thanks to our competent gomen. |
|
Oct 18 2021, 02:34 PM
|
All Stars
21,785 posts Joined: Dec 2004 From: KL |
QUOTE(Darkripper @ Oct 18 2021, 02:27 PM) They can't do that, as that's the endpoint that client side is calling to trigger it. Eaiest way is just to rate limit + some kind of Captcha. That would reduce the exposure to an acceptable limit. iinm mysejahtera was developed merely for check-in purposes but now has become more important.It wont solve all, but it reduces the exposure. ofcourse security wise is not top priority back then. Why not u tweet KJ about this and see what actions he will take? Amaru liked this post
|
|
Oct 18 2021, 02:37 PM
Show posts by this member only | IPv6 | Post
#18
|
Senior Member
1,257 posts Joined: Dec 2008 From: /k/ |
QUOTE(jmas @ Oct 18 2021, 02:29 PM) Cost is not the question here. This is a critical app required by most residents in Malaysia, cannot compromise on security yo. Imagine a data-breach? QUOTE(kons @ Oct 18 2021, 02:32 PM) tengine webserver... I see you're man of culture here. Jquery hurts my eye tho.twitter bootstrap.. google font api... owl carousel.. jquery... all free stuff but cost 70m... thanks to our competent gomen. |
|
Oct 18 2021, 02:37 PM
Show posts by this member only | IPv6 | Post
#19
|
Senior Member
1,257 posts Joined: Dec 2008 From: /k/ |
|
|
Oct 18 2021, 02:38 PM
|
All Stars
21,785 posts Joined: Dec 2004 From: KL |
|
Change to: | 0.0169sec
0.42
5 queries
GZIP Disabled
Time is now: 9th November 2024 - 10:01 PM |