Search papers, labs, and topics across Lattice.
This paper investigates the security vulnerabilities associated with OAuth-based Authentication (OBA) in mini-programs within super apps like WeChat and Baidu. By employing MINIAUTH, a dynamic analysis framework, the authors identify 1,834 misuse cases across 44,273 WeChat and 2,721 Baidu mini-programs, revealing critical flaws such as client-side identity forgery and authentication bypass. The findings highlight a pervasive issue in OBA implementations that necessitates improved developer practices and platform safeguards to mitigate security risks.
Uncovering 1,834 OAuth-based Authentication misuses in mini-programs reveals critical flaws that could allow attackers to impersonate users across multiple platforms.
Mini-programs have become a dominant paradigm for lightweight application deployment within super apps such as WeChat. To support seamless integration, super apps provide OAuth mechanisms for user login. However, improper integration of OAuth-based Authentication (OBA) flows by third-party developers can lead to critical security flaws. In this paper, we discover three new types of runtime OBA misuses that differ from prior static-code-based studies, enabling attackers to impersonate victims. To assess their real-world impact, we design and implement MINIAUTH, the first analysis framework for systematically analyzing OBA misuse at scale. MINIAUTH automatically pinpoints the OBA login page of a mini-program, executes the workflow dynamically, and analyzes its runtime behaviors. This enables it to handle obfuscated mini-programs and uncover vulnerabilities that existing approaches cannot detect. Applying MINIAUTH to 44,273 WeChat and 2,721 Baidu mini-programs, we uncover 1,834 misuse cases, including critical logic flaws that enable client-side identity forgery via exposed credentials and authentication bypass through static or plaintext identifiers. Our cross-platform evaluation further shows that such misuses are not confined to a single ecosystem but consistently appear across different mini-program platforms. We also identify a cryptographic design flaw in Baidu's OBA APIs that allows brute-forcing of session keys. We responsibly disclosed our findings to the developers and platforms, receiving acknowledgments and assigned CNVD/CNNVD IDs. These results underscore the need for more robust developer guidance and enhanced platform-level safeguards.