MySejahtera & vaksincovid.gov.my Security Vulnerability
While registering for my COVID-19 vaccine on the official website at https://www.vaksincovid.gov.my, I found an exposed unauthenticated API endpoint. The endpoint is hosted on Amazon's API Gateway, a service enabling quick development and deployment of API endpoints.
The endpoint seems to be connected to the official MySejahtera database, as it requires the identification number (IC number) and phone number registered when signing up for the MySejahtera app.
Sending a GET request to the API endpoint with an identification and phone number returns all vaccine appointment information, e.g.:
{
  "appt_id": "XXXXXX08XXXX",
  "appt_name": "Amir Asyraf",        <- Name registered in MySejahtera
  "appt_phone": "XXXXXXXXXXX",       <- Phone number with country calling code prefix
  "appt_email": "XXX",
  "appt_state": "XXX",
  "appt_district": "XXX",
  "appt_facility1": "XXXXXXX",
  "appt_location1": "XXXXXXX",
  "appt_date1": "X-X-XXXX",
  "appt_time1": "XX:XX",
  "appt_difftime1": "XX",
  "appt_complete1": "X",
  "appt_facility2": "XXXXXXX",
  "appt_location2": "XXXXXXX",
  "appt_date2": "XX-XX-XXXX",
  "appt_time2": "XX:XX",
  "appt_difftime2": "XX",
  "appt_complete2": "X",
  "res": "XXXXXXX"
}
Now, there's one way I could think of that this vulnerability could be exploited, and in my opinion it is quite serious, but I'm not going to detail it here. By knowing only the IC and phone number, any malicious actor can retrieve the exact date and time of a victim's vaccine appointment. This is made worse considering Malaysians have had several data breaches and leaks in the past several years, for example the massive UiTM data leak in 2019 and the even more massive telco leak in 2017. The IC and phone numbers of Malaysians are VERY trivial to obtain. Anyone with some common sense surely could figure out how valuable this information is to criminals.
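As an added illustration (not code from this post or from the vaksincovid.gov.my site), here is an AWS Lambda-style proxy handler in the weak shape described above, beside a hardened version that requires a session token proving the caller owns the record and returns only the fields an appointment screen needs. The APPOINTMENTS table, the HMAC token format, the key and the handler names are all hypothetical; the token step stands in for whatever login the real app already performs.

```python
import base64, hashlib, hmac, json, time
# Constructed sample record standing in for the MySejahtera appointment table
# (placeholder IC and phone, not real data).
APPOINTMENTS = {"900101XXXXXX": {"appt_name": "A. Person", "appt_phone": "+60XXXXXXXXX",
                "appt_location1": "PPV Example", "appt_date1": "01-06-2021", "appt_time1": "09:00"}}
SESSION_KEY = b"demo-only-secret"  # hypothetical; the real key belongs in a secret store

def issue_session(ic):
    """Hypothetical login step: after the user has authenticated (app login/OTP),
    issue an HMAC-signed, short-lived token bound to their IC."""
    payload = json.dumps({"sub": ic, "exp": int(time.time()) + 900}).encode()
    sig = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def verify_session(token):
    """Return the IC the token was issued for, or None if forged, malformed or expired."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] > time.time() else None

def weak_handler(event, context=None):
    """Mirrors the reported behaviour: IC + phone act as the only 'credential'."""
    q = event.get("queryStringParameters") or {}
    rec = APPOINTMENTS.get(q.get("ic"))
    if rec and rec["appt_phone"] == q.get("phone"):
        return {"statusCode": 200, "body": json.dumps(rec)}
    return {"statusCode": 404, "body": ""}

def hardened_handler(event, context=None):
    """Needs a valid session and only serves the record of the token's own subject."""
    auth = (event.get("headers") or {}).get("Authorization", "")
    subject = verify_session(auth[7:]) if auth.startswith("Bearer ") else None
    if subject is None:
        return {"statusCode": 401, "body": ""}
    q = event.get("queryStringParameters") or {}
    if q.get("ic") != subject:  # token holder asking for someone else's record
        return {"statusCode": 403, "body": ""}
    rec = APPOINTMENTS.get(subject)
    if rec is None:
        return {"statusCode": 404, "body": ""}
    # Data minimisation: the appointment screen needs only these fields.
    public = {k: rec[k] for k in ("appt_date1", "appt_time1", "appt_location1")}
    return {"statusCode": 200, "body": json.dumps(public)}
```

The point of the contrast is that IC and phone number are identifiers, not secrets, so they can only ever select a record, never authorise access to it.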
I have contacted vaksincovid.gov.my and have yet to receive any response.