Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case

by Supraja Baskaran, et al.

We conduct a large-scale measurement of developers' insecure practices leading to mini-app to super-app authentication bypass, among which hard-coding developer secrets for such authentication is a major contributor. We also analyze the exploitability and security consequences of developer secret leakage in mini-apps by examining individual super-app server-side APIs. We develop an analysis framework for measuring such secret leakage, and primarily analyze 110,993 WeChat mini-apps and 10,000 Baidu mini-apps (two of the most prominent super-app platforms), along with a few more datasets to test the evolution of developer practices and platform security enforcement over time. We found that a large number of WeChat mini-apps (36,425, 32.8%) and Baidu mini-apps (112) leak their developer secrets, which can cause severe security and privacy problems for the users and developers of mini-apps. A network attacker who does not even have an account on the super-app platform can effectively take down a mini-app, send malicious and phishing links to users, and access sensitive information of the mini-app developer and its users. We responsibly disclosed our findings and also put forward potential directions that could be considered to alleviate/eliminate the root causes of developers hard-coding the app secrets in the mini-app's front-end code.
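As an added illustration of the practice the paper measures (example code, not the authors' framework), the scanner below flags developer secrets hard-coded in mini-app front-end source, the kind of leak a developer or platform reviewer would want to catch before release. It assumes WeChat's identifier formats (AppID "wx" + 16 hex chars, AppSecret 32 hex chars) and a `secret=` query parameter to the token endpoint; these formats and the sample scripts are assumptions, not taken from the page.

```python
import re

# Format assumptions (not from the page): AppIDs are 'wx' + 16 hex chars,
# AppSecrets are 32 hex chars, and the secret travels as a 'secret=' query
# parameter to the super-app's token endpoint.
SECRET_ASSIGN = re.compile(
    r"""([A-Za-z_]*secret[A-Za-z_]*)\s*[:=]\s*['"]([0-9a-fA-F]{32})['"]""",
    re.IGNORECASE)
SECRET_IN_URL = re.compile(r"[?&]secret=([0-9a-fA-F]{32})")
APP_ID = re.compile(r"\bwx[0-9a-f]{16}\b")  # public identifier, not a secret

def mask(value: str) -> str:
    """Report only a prefix/suffix so the finding itself does not re-leak."""
    return value[:4] + "..." + value[-2:]

def find_hardcoded_secrets(source: str) -> list:
    """Scan one front-end source file; one finding per hit, with line number."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SECRET_ASSIGN.finditer(line):
            findings.append({"kind": "secret_assignment", "line": lineno,
                             "name": m.group(1), "value": mask(m.group(2))})
        for m in SECRET_IN_URL.finditer(line):
            findings.append({"kind": "secret_in_url", "line": lineno,
                             "value": mask(m.group(1))})
        for m in APP_ID.finditer(line):
            findings.append({"kind": "app_id", "line": lineno,
                             "value": m.group(0)})
    return findings

def leaks_secret(source: str) -> bool:
    """True when a developer secret is present; a bare AppID is expected."""
    return any(f["kind"] != "app_id" for f in find_hardcoded_secrets(source))

# Constructed samples imitating a mini-app page script; all values are fake.
SAMPLE_LEAKY = """const APP_ID = 'wx0123456789abcdef';
const appSecret = '0123456789abcdef0123456789abcdef';
wx.request({url: 'https://api.weixin.qq.com/cgi-bin/token'
  + '?grant_type=client_credential&appid=' + APP_ID
  + '&secret=0123456789abcdef0123456789abcdef'});"""
SAMPLE_CLEAN = """const APP_ID = 'wx0123456789abcdef';
wx.request({url: 'https://backend.example.com/api/session'});  // server keeps the secret"""

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_LEAKY):
        print(finding)
    print("leaky:", leaks_secret(SAMPLE_LEAKY), "clean:", leaks_secret(SAMPLE_CLEAN))
```

The clean sample shows the mitigation the paper points toward: the front end talks only to the developer's own backend, which holds the secret and performs the super-app server-side calls.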


Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-App

Mini-app is an emerging form of mobile application that combines web tec...

SoK: Decoding the Super App Enigma: The Security Mechanisms, Threats, and Trade-offs in OS-alike Apps

The super app paradigm, exemplified by platforms such as WeChat and AliP...

Don't Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs

Mobile mini-programs in WeChat have gained significant popularity since ...

How to transform the Apple's application 'Find My' into a toolbox for whistleblowers

The recent introduction of Find My app by Apple will open a large window...

Uncovering and Exploiting Hidden APIs in Mobile Super Apps

Mobile applications, particularly those from social media platforms such...

A Small Leak Will Sink Many Ships: Vulnerabilities Related to Mini Programs Permissions

As a new format of mobile application, mini programs, which function wit...

Deep Intention-Aware Network for Click-Through Rate Prediction

E-commerce platforms provide entrances for customers to enter mini-apps ...