Part 1 — MySejahtera is a Perfectly Good App With No Exploits
The MySejahtera app, according to the National Security Council (NSC), was developed by a seasoned local company that has made it globally.
This company is among local companies which had succeeded in expanding at the global level. The applications developed by this company are also used by Fortune 500 listed companies. Even though this company has expanded globally, KPISoft’s main management team is still based in Malaysia — Malay Mail
I doubt so. While checking some other endpoints, I noticed that reCAPTCHA is indeed implemented for some of the workflows (registration and sign up).
Above is the registration page for the extension of “MySejahtera” known as “MySejahtera Check-In”. “MySejahtera Check-In” helps businesses implement SOPs to fight COVID-19 on the ground.
So far it is looking good, right? There is reCAPTCHA implemented, which would avoid the same mistake that happened with the exploits in Part 1. So let’s look at the Chrome Developer Tools and intercept the HTTP call.
The POST request endpoints are:
- https://mysejahtera.malaysia.gov.my/checkin/registerPhone (Register)
- https://mysejahtera.malaysia.gov.my/checkin/validatePhone?withOtp=true (Login with OTP)
The request requires three fields: countryCode, contactNumber and g-recaptcha-response. The use of reCAPTCHA protects the endpoint from replay attacks, as each token is valid for two minutes and can only be verified once. Great!
To my surprise, the g-recaptcha-response token was not needed for this endpoint at all! Why bother implementing it if the backend is not going to verify the token? A CAPTCHA that is only enforced in the browser gives the API itself no protection.
We can call the endpoint with just countryCode and contactNumber, and an OTP will be sent to the phone number. There are two types of response:
- Phone number already registered: no OTP will be sent (use the Login with OTP endpoint instead if you want an OTP to be sent)
- Phone number not yet registered: OTP will be sent
The issues with this exploit:
1. As usual, no rate limit and no authentication token required. The door is open to everyone!
Load Test FTW
2. A bad actor could use the differing responses to work out which phone numbers have been used to register for “MySejahtera Check-In”, which are all business phone numbers. With some creative social engineering, one can do wonders.
3. Paying the cost of all the OTPs sent. While I’m not sure which provider is used for this service, it is usually charged based on total volume. Below is a screenshot from Twilio pricing.
If you’re curious, the following is the curl command you can use to call the API endpoint. Change the contactNumber and test it out.
The information above is valid as of 17 October 2021.
Update 1: I’ve been sending OTPs to myself for over 15 hours at random intervals. The worst thing of all? The OTP code never changes.
Update 2: As of 20 October, reCAPTCHA verification has been implemented on the backend, so consider the exploit patched.