Files and links (1)
Preprint (Author's original)arXiv.org - Non-exclusive license to distribute, Open
Conference proceeding
Don't Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs
Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp 2411-2425
15 Nov 2023
Abstract
Mobile mini-programs in WeChat have gained significant popularity since their debut in 2017, reaching a scale similar to that of Android apps in the Play Store. Like Google, Tencent, the provider of WeChat, offers APIs to support the development of mini-programs and also maintains a mini-program market within the WeChat app. However, mini-program APIs often manage sensitive user data within the social network platform, both on the WeChat client app and in the cloud. As a result, cryptographic protocols have been implemented to secure data access. In this paper, we demonstrate that WeChat should have required the use of the "appsecret" master key, which is used to authenticate a mini-program, to be used only in the mini-program back-end. If this key is leaked in the front-end of the mini-programs, it can lead to catastrophic attacks on both mini-program developers and users. Using a mini-program crawler and a master key leakage inspector, we measured 3,450,586 crawled mini-programs and found that 40,880 of them had leaked their master keys, allowing attackers to carry out various attacks such as account hijacking, promotion abuse, and service theft. Similar issues were confirmed through testing and measuring of Baidu mini-programs too. We have reported these vulnerabilities and the list of vulnerable mini-programs to Tencent and Baidu, which awarded us with bug bounties, and also Tencent recently released a new API to defend against these attacks based on our findings.
Metrics
Details
- Title
- Don't Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs
- Creators
- Yue Zhang - The Ohio State UniversityYuqing Yang - The Ohio State UniversityZhiqiang Lin - The Ohio State UniversityACM
- Publication Details
- Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp 2411-2425
- Conference
- CCS '23: ACM SIGSAC Conference on Computer and Communications Security
- Series
- ACM Conferences
- Publisher
- ACM
- Resource Type
- Conference proceeding
- Language
- English
- Academic Unit
- Computer Science
- Web of Science ID
- WOS:001124987202028
- Scopus ID
- 2-s2.0-85166612521
- Other Identifier
- 991021871474204721
InCites Highlights
Data related to this publication, from InCites Benchmarking & Analytics tool:
- Collaboration types
- Domestic collaboration
- Web of Science research areas
- Computer Science, Artificial Intelligence
- Computer Science, Interdisciplinary Applications
- Telecommunications