MySejahtera is a Perfectly Good App With No Exploits — Part 2

Part 1 — MySejahtera is a Perfectly Good App With No Exploits

MySejahtera App, according to National Security Council (NSC), had been developed by a seasoned local company that had made it globally.

This company is among local companies which had succeeded in expanding at the global level. The applications developed by this company are also used by Fortune 500 listed companies. Even though this company has expanded globally, KPISoft’s main management team is still based in Malaysia — Malay Mail

I doubt so. While checking some other endpoint, I noticed that reCAPTCHA is indeed implemented for some of the workflow (registration and sign up).

Register Page for MySejahtera Check-In

Above is the registration page for the extension of “ MySejahtera” known as “MySejahtera Check-In”. “MySejahtera Check-In” helps businesses in implementing SOPs to fight COVID-19 on the ground.

OTP for Phone Number Verification

So far it is looking good right? There is reCAPTCHA implemented, which would avoid the same mistake that happens with the exploits in Part 1. So let’s look at the Chrome Developer Tools and intercept the HTTP call.

The POST request endpoint is

https://mysejahtera.malaysia.gov.my/checkin/registerPhone (Register)

and

https://mysejahtera.malaysia.gov.my/checkin/validatePhone?withOtp=true (Login with OTP)

The request requires 3 fields, countryCode , contactNumber and g-recaptcha-response . The use of reCAPTCHA protects the endpoint from replay attacks as each token is valid for two minutes and can only be verified once. Great!

To my surprise, g-recaptcha-response the token was not needed for this endpoint! Why bother implementing it if backend is not going to verify the token.

We can call the endpoint with just countryCode and contactNumber , and an OTP will be sent to the phone number. There are two types of response:

1. Phone Number had already registered, No OTP will be sent (Use Login with OTP endpoint instead if you want to send OTP)
2. Phone Number yet to be registered, OTP will be sent

The issue with this exploit:

1. As usual, no Rate-Limit, no Authentication Token required. The door is open to everyone!

Load Test FTW

2. A bad actor could use this to filter which phone number had been used to register “MySejahtera Check-In”, which are all business phone numbers. With some creative social engineering, one can do wonders.

3. Paying the cost of all the OTPs sent. While I’m not sure which provider is used for this service, it is usually charged based on total volume. Below is a screenshot from Twilio pricing.

If you’re curious, following is the curl command you can use to call the API Endpoint. Change the contactNumber and test it out.

The information above is valid as of 17 October 2021.

Update 1: I’ve been sending OTP to myself for over 15 hours at random intervals. The worst thing of all? OTP code never changes.

Update 2: As of 20 October, reCAPTCHA had verification had been implemented on the backend. So considered the exploit patched.