MySejahtera Not So Sejahtera, Full of Exploits
WaCKy-Angel
Oct 18 2021, 02:12 PM

QUOTE(Darkripper @ Oct 18 2021, 01:51 PM)
You can instruct "MySejahtera" to spam OTP to others at will. Just run the following code at the terminal of your choice and change the contact number (Windows users, adapt it yourselves).
CODE
curl --location --request POST 'https://mysejahtera.malaysia.gov.my/checkin/registerPhone' \
  --form 'countryCode="60"' \
  --form 'contactNumber="12345678"'

Do you even need an exploit? I thought you could just try logging in with the number and the app will send the OTP?
WaCKy-Angel
Oct 18 2021, 02:14 PM

QUOTE(imin @ Oct 18 2021, 02:04 PM)
I'm not testing whether this really works, but if it does, then the backend looks like it was developed by some intern IT student.

What do you expect when it is already doing what it is supposed to do? Do you know you can also do similar OTP spam with WhatsApp? Get your enemy's WhatsApp phone number and try logging in with the number. That person will keep getting OTP spam on his phone.
WaCKy-Angel
Oct 18 2021, 02:24 PM

QUOTE(Darkripper @ Oct 18 2021, 02:15 PM)
There is no rate limit, meaning you can repeatedly keep requesting OTPs with a simple script. Triggering the OTP is not the issue; the issue is the lack of an authentication/authorization token. Maybe the implementor had the same thought as you. Also, the OTP token never changes, at least for the past 19 hours that I had been spamming myself.

A simple captcha will not be sufficient to block hackers. Anyway, security vs convenience has always been a cat and mouse game. The more you do, the more hackers want to find exploits lol.
WaCKy-Angel
Oct 18 2021, 02:34 PM

QUOTE(Darkripper @ Oct 18 2021, 02:27 PM)
They can't do that, as that's the endpoint the client side calls to trigger it. The easiest way is just rate limiting plus some kind of captcha. That would reduce the exposure to an acceptable level. It won't solve everything, but it reduces the exposure.

IINM, MySejahtera was developed merely for check-in purposes but has now become more important. Of course security-wise it was not a top priority back then. Why not tweet KJ about this and see what action he will take?
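The mitigation Darkripper suggests above (rate limit the OTP endpoint) combined with a fix for the other finding in the thread (the code never changing for 19 hours), shown as an added example that is not from the thread and not MySejahtera's own code. The SlidingWindowLimiter and OtpIssuer names, the per-phone and per-IP limits, the TTL, the attempt cap and the sample phone numbers and IPs are all assumptions chosen for illustration:

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Illustrative policy values (assumptions, not taken from the thread or the app).
PER_PHONE_LIMIT = 3        # OTP sends allowed per phone number per window
PER_IP_LIMIT = 20          # OTP sends allowed per client IP per window
WINDOW_SECONDS = 600       # sliding window length for both limits
OTP_TTL_SECONDS = 300      # a code stops being valid after 5 minutes
MAX_VERIFY_ATTEMPTS = 5    # wrong guesses before the pending code is discarded


class SlidingWindowLimiter:
    """Counts events per key inside a trailing time window and refuses the excess."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)   # key -> timestamps of accepted events

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class OtpIssuer:
    """Issues one-time codes that are rate limited, rotated per request, expiring and single use."""

    def __init__(self):
        self.phone_limiter = SlidingWindowLimiter(PER_PHONE_LIMIT, WINDOW_SECONDS)
        self.ip_limiter = SlidingWindowLimiter(PER_IP_LIMIT, WINDOW_SECONDS)
        self.pending = {}   # phone -> (code, expires_at, attempts_left)

    def request_otp(self, phone, client_ip, now=None):
        """Return (code, status). The code goes to the SMS gateway in a real service, never back to the caller."""
        now = time.time() if now is None else now
        # Per-IP limit first: one source must not be able to target many different numbers.
        if not self.ip_limiter.allow(client_ip, now):
            return None, "ip_rate_limited"
        # Per-phone limit: a single victim number cannot be flooded from many sources.
        if not self.phone_limiter.allow(phone, now):
            return None, "phone_rate_limited"
        code = f"{secrets.randbelow(10**6):06d}"   # fresh code on every request
        # Replacing the entry invalidates any earlier code for this number.
        self.pending[phone] = (code, now + OTP_TTL_SECONDS, MAX_VERIFY_ATTEMPTS)
        return code, "sent"

    def verify_otp(self, phone, submitted, now=None):
        """Accept a code once, only before expiry, and only within the guess budget."""
        now = time.time() if now is None else now
        entry = self.pending.get(phone)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if now > expires_at:
            del self.pending[phone]
            return False
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self.pending[phone]                # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self.pending[phone]                # too many wrong guesses: force a new request
        else:
            self.pending[phone] = (code, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    issuer = OtpIssuer()
    t0 = 1_000_000.0
    for i in range(4):   # constructed burst from one client against one number
        print(issuer.request_otp("60123456789", "203.0.113.5", now=t0 + i))
```

The fourth request in the demo is refused with "phone_rate_limited", and because each accepted request overwrites the pending entry, only the most recently sent code can ever verify. A captcha, as discussed above, would sit in front of request_otp and raise the cost of each request; it does not replace the limiter, which is what bounds the number of SMS messages a victim receives.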
WaCKy-Angel
Oct 18 2021, 02:38 PM

QUOTE(Darkripper @ Oct 18 2021, 02:37 PM)
Tweeted, still no news yet.

So yeah, slowly lah, wait for him to think of a good comeback like Dajjal hahahaha. Who knows, later he will employ you as their security consultant eh.
WaCKy-Angel
Oct 18 2021, 02:51 PM

QUOTE(jmas @ Oct 18 2021, 02:43 PM)
Not denying the app is critical, just correcting the fact that people thought the app cost 70mil to develop and discounting the effort of the developers, but the truth is the developer was doing this for free (initially) and I think only officially got paid around the end of last year/early this year.

Please lah, nobody does things for FREE.
WaCKy-Angel
Oct 20 2021, 11:52 AM

QUOTE(Darkripper @ Oct 18 2021, 01:51 PM)
You can instruct "MySejahtera" to spam OTP to others at will. Just run the following code at the terminal of your choice and change the contact number (Windows users, adapt it yourselves).
CODE
curl --location --request POST 'https://mysejahtera.malaysia.gov.my/checkin/registerPhone' \
  --form 'countryCode="60"' \
  --form 'contactNumber="12345678"'

https://www.malaymail.com/news/malaysia/202...res-why/2014651
ur doing? lol