You can instruct "MySejahtera" to spam OTP to others at will. Just run the following code at terminal of choice and change contact number (Window user pandai pandai tukar la )

I'm not testing if this really work, but if it is, then the backend looks like it's developed by some intern IT student

70 mil yo

Which is why my friend uses a throwaway email as MySejahtera ID

this api should not even be exposed! it's supposed to be called by a backend module! ..

mafioso yuno do properly backend

do u even need exploit?

ayam thought u can just try login with the number and the app will send otp?

Go ahead and try, the URL is legit anyways. Can use Postman or other tools as well, as long as you send that form-data, it works. These mistake are worse than interns lol.

They kinda forget to verify the captcha actually. They have Captcha at the page, but backend doesn't verify that token.

What do u expect when it is already doing what it is supposed to do?

Do u know u can also do similar spam otp with whatsapp?

get ur enemy whatsapp phone number and try login with the number..that person will keep getting otp spam to his phone.

There are no rate limit, meaning you can repeatedly keep on request OTP with a simple scripts.

Triggering OTP is not the issue, the issue is lack of Authentication/Authorization token. Maybe that's the implementor have the same thought as you.

Also, the OTP token never change, at least for the past 19 hours that i had been spamming myself.

This post has been edited by Darkripper: Oct 18 2021, 02:16 PM

Its a 70mil feature la ...

to send notification they can just use something like big ip f5 to whitelist only allowed IP address could access the endpoints. infact just build the service separate and segregation between internal and external network.

A simple captcha will not be sufficient to block hacker.

Anyway security vs convenient has always been a mouse and cat game. The more u do the more hacker wants to find exploit lol.

They can't do that, as that's the endpoint that client side is calling to trigger it. Eaiest way is just to rate limit + some kind of Captcha. That would reduce the exposure to an acceptable limit.

It wont solve all, but it reduces the exposure.

i tot already debunked that 70mil does not include mysejahtera?

tengine webserver...

twitter bootstrap.. google font api... owl carousel.. jquery...

all free stuff but cost 70m... thanks to our competent gomen.

iinm mysejahtera was developed merely for check-in purposes but now has become more important.
ofcourse security wise is not top priority back then.

Why not u tweet KJ about this and see what actions he will take?

Cost is not the question here. This is a critical app required by most residents in Malaysia, cannot compromise on security yo. Imagine a data-breach?


I see you're man of culture here. Jquery hurts my eye tho.

tweeted, still no news yet. So yeah

slowly lah wait he think of a good cum back like dajjal hahahaha

who knows later he will employ u as their Security consultant eh

Btw seems like the dev is fixing, some of the other exploits is getting patched. But still doesn't give much confidence when they don't acknowledge it.

This post has been edited by Darkripper: Oct 18 2021, 02:40 PM

not denying the app is critical, just correcting the fact that ppl thought the apps cost 70mil to develop and discounting the effort of the developers
but the truth is the developer was doing this for free (initially) and I think only officially get paid around end of last year/early this year

Good to do it for free, the issue is on Govt for not ensuring quality in such a critical application. Devs are probably getting squeezed also la.

Pls lah nobody do things for FREE

Govt probably has no idea what or how to manage. When app first released, looked like uni project. Now probably still no QA or code review, Dev just fix when people complain.

client side to trigger? it don't work that way. the service i work on sents millions of sms daily. we are the one triggering to an end point expose by the provider. mysejahtera would have the list of contact on their end. all they need to do is periodically send the sms via to end point expose by the few operator we have.

if it's really trigger by us who has mysejahtera that's stupid

and i can bet with you that the gomen will not give a single fuck about this, just diam diam only, look at what happen to the recent LHDN data breach?

Mysengsara

you're talking about their backend implementation, which is out-of-reach. Client trigger mysejahtera, which in turn they forward it to provider. It doesn't matter how the backend is implemented if they open their doors wide open.

Time to retire this app as More abuse being seen especially for enforcement.
Business operator don't even recognize kad vaksin and writing on the book

since when malaysian care about security? leakers everywhere.

Well this is technically not security, more like unintended use of service.

Simplest solution to this is to only allow one OTP to be sent in x amount of minutes to a single number.

Spamming KJ phone number will ruckle some feathers

like this?

What's wrong with jQuery? Hmmm...

If you want, go bombard those politicians phone number

See if this really works

PM me their number lor. Its a curl command, you can try it for yourself. Its pretty much copy paste run.

Its time had passed.

How bad is it? I dunno frontend, so no idea

I mean, there are other frameworks like React, Vue and Angular, but those are not UI only right?

jquery is top go-to library when everyone is manually manipulating HTML elements for frontend, it is easier to use than vanilla JS. It is not bad, just it is not that relevant anymore.

Then SPA like Angular, React comes along, which is easier to code, a little bit more structured and efficient. The best thing about SPA is there is less page refresh, providing a better UX.

Now you even have Vue, Svelte, SolidJS which is trying to overtake React.

Its not just for UI, but for client-side aka frontend to render and do whatever it needs to (communicate with server, service worker to run some shit in the background)

This post has been edited by Darkripper: Oct 19 2021, 02:52 AM

pay peanuts get [______]

the way u put it there is somethg so wrong in term of the app design. the request should trigger a notification and queue the request somewhere instead of client calling the service immediately. anyway 0 marks to the application design in this case

no offense but that app is crap lol

yea, jQuery have been more than 10 years? 20 years? but got Ajax ma ahahahahaha

only used Vue for their UI like the Vuetify.

Now it's all about single page application. everything click click click, no idea if it's going to next page or previous page or anything

so called 70mil

https://www.malaymail.com/news/malaysia/202...res-why/2014651

ur doing? lol

yeah someone spam my number with sj otp and i send the screenshot to their helpdesk

LOL, beat me to it:

https://www.freemalaysiatoday.com/category/...ys-mysejahtera/

seems like got captcha now

5 Unicorns by 2025

dah tak boleh

This post has been edited by flexyx: Oct 20 2021, 03:04 PM

Does anyone think it can send your data to any third parties?

I don't even want to go there....

kesian TS...

Some one using the TS code and doing spam liao.
Need to report police.

What?

Ts, you are on front lyn news

https://www.lowyat.net/2021/256199/mysejaht...-spam-api-weak/

Fxxk... The change email/phone no do not require verification from old email/phone no..... Security 404... Use throw away email also useless...

aiya, they say its a feature that get exposed. lel... *FEATURE*.

Btw they haven't fix yet also, just add reCAPTCHA, which can be solved using API also

Ular kj jawab

Got anyway to make the mysejahtera load faster? If just want to show the fully vaccinated page also take quite 10-15 seconds to load, any workaround to make it faster?

Turn off data, more faster

Anyone have issue logged in?
I used create email and phone number and password.
But still say error " Invalid user ID or password.

I tried the forget password, and changed new one, even it mentioned changed success.
But When I tried to login.
Still having Error " Invalid user ID or password."
Any Ideas?