Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case

Super-apps such as WeChat and Baidu host millions of mini-apps, which are very popular among users and developers because of the mini-apps’ convenience, lightweight, ease of sharing, and not requiring explicit installation. Such ecosystems involve several entities, such as the super-app and mini-app clients, the super-app backend server, the mini-app developer server, and other hosting platforms and services used by the mini-app developer. To support various user-level functionalities, these components must authenticate each other, which differs from regular user authentication to the super-app platform. In this paper, we explore the mini-app to super-app authentication problem caused by insecure development practices. This type of authentication allows the mini-app code to access super-app services on the developer’s behalf.

We conduct a large-scale measurement of developers’ insecure practices leading to mini-app to super-app authentication bypass, among which hard-coding developer secrets for such authentication is a major contributor. We also analyze the exploitability and security consequences of developer secret leakage in mini-apps by examining individual super-app server-side APIs. We develop an analysis framework for measuring such secret leakage, and primarily analyze 110,993 WeChat mini-apps, and 10,000 Baidu mini-apps (two of the most prominent super-app platforms), along with a few more datasets to test the evolution of developer practices and platform security enforcement over time. We found a large number of WeChat mini-apps (36,425, 32.8%) and a few Baidu mini-apps (112) leak their developer secrets, which can cause severe security and privacy problems for the users and developers of mini-apps. A network attacker who does not even have an account on the super-app platform, can effectively take down a mini-app, send malicious and phishing links to users, and access sensitive information of the mini-app developer and its users. We responsibly disclosed our findings and also put forward potential directions that could be considered to alleviate/eliminate the root causes of developers hard-coding the app secrets in the mini-app’s front-end code.