COVID-tracing app hacked to Rickroll Malaysians, send spam emails

Screengrab of an email sent from Photo: Fahmi Fadzil/Twitter
Screengrab of an email sent from Photo: Fahmi Fadzil/Twitter

Dozens of Malaysians woke up to photos of Rick Astley today due to a glitch on the COVID-19 contact tracing app, MySejahtera. 

The government agency running the app said today that they have traced the issue to malicious scripts on the platform and were working to improve its cybersecurity measures. Lembah Pantai Member of Parliament Fahmi Fadzil was among those who received either texts or emails containing a photo of the English singer-songwriter, taken off his Never Gonna Give You Up music video. 

The accompanying message said: “Dear User, Thank you for reaching out to MySejahtera Helpdesk. We have received your email and confirm your details as below. RickRollr.” 

Not all unsolicited messages and emails came with a photo. Others contained numerical one-time passwords, or OTPs, asking users to utilize the “check-in” feature before it expires.

“The MySejahtera team has investigated and found that the check-in QR registration feature meant for business premises was misused by some malicious scripts to send OTP to random phone numbers,” MySejahtera’s statement said today without addressing the troll emails that some have received. Malicious scripts are often added by hackers to a compromised website.

One of the emails said: “You’ve tested positive for covid nahhh, joking. Plenty of exploits to show twitter search ‘otp.’” 

MySejahtera is Malaysia’s COVID-19 contact-tracing app that enables users to check COVID-19 statistics, report their whereabouts, and show proof of their vaccination.

Other stories:

QR code on Health Minister’s vaccine badge links to random man’s SoundCloud

Reader Interactions

Leave A Reply


Support local news and join a community of like-minded
“Coconauts” across Southeast Asia and Hong Kong.

Join Now
Coconuts TV
Our latest and greatest original videos
Subscribe on