Don't Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs

by   Yue Zhang, et al.

Mobile mini-programs in WeChat have gained significant popularity since their debut in 2017, reaching a scale similar to that of Android apps in the Play Store. Like Google, Tencent, the provider of WeChat, offers APIs to support the development of mini-programs and also maintains a mini-program market within the WeChat app. However, mini-program APIs often manage sensitive user data within the social network platform, both on the WeChat client app and in the cloud. As a result, cryptographic protocols have been implemented to secure data access. In this paper, we demonstrate that WeChat should have required the use of the "appsecret" master key, which is used to authenticate a mini-program, to be used only in the mini-program back-end. If this key is leaked in the front-end of the mini-programs, it can lead to catastrophic attacks on both mini-program developers and users. Using a mini-program crawler and a master key leakage inspector, we measured 3,450,586 crawled mini-programs and found that 40,880 of them had leaked their master keys, allowing attackers to carry out various attacks such as account hijacking, promotion abuse, and service theft. Similar issues were confirmed through testing and measuring of Baidu mini-programs too. We have reported these vulnerabilities and the list of vulnerable mini-programs to Tencent and Baidu, which awarded us with bug bounties, and also Tencent recently released a new API to defend against these attacks based on our findings.


page 1

page 2

page 3

page 4


Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case

We conduct a large-scale measurement of developers' insecure practices l...

A Small Leak Will Sink Many Ships: Vulnerabilities Related to Mini Programs Permissions

As a new format of mobile application, mini programs, which function wit...

Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-App

Mini-app is an emerging form of mobile application that combines web tec...

Detecting Data Leakage from Databases on Android Apps with Concept Drift

Mobile databases are the statutory backbones of many applications on sma...

Preliminary Study of a Google Home Mini

Many artificial intelligence (AI) speakers have recently come to market....

App's Auto-Login Function Security Testing via Android OS-Level Virtualization

Limited by the small keyboard, most mobile apps support the automatic lo...

Trimming Mobile Applications for Bandwidth-Challenged Networks in Developing Regions

Despite continuous efforts to build and update network infrastructure, m...

Please sign up or login with your details

Forgot password? Click here to reset