We conduct a large-scale measurement of developers' insecure practices that lead to mini-app to super-app authentication bypass, among which hard-coding developer secrets for such authentication is a major contributor. We also analyze the exploitability and security consequences of developer secret leakage in mini-apps by examining individual super-app server-side APIs. We develop an analysis framework for measuring such secret leakage, and primarily analyze 110,993 WeChat mini-apps and 10,000 Baidu mini-apps (two of the most prominent super-app platforms), along with a few more datasets to test the evolution of developer practices and platform security enforcement over time. We find that a large number of WeChat mini-apps (36,425, 32.8%) and a few Baidu mini-apps (112) leak their developer secrets, which can cause severe security and privacy problems for the users and developers of mini-apps. A network attacker who does not even have an account on the super-app platform can effectively take down a mini-app, send malicious and phishing links to users, and access sensitive information of the mini-app developer and its users. We responsibly disclosed our findings and also put forward potential directions that could be considered to alleviate or eliminate the root causes of developers hard-coding the app secrets in the mini-app's front-end code.
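As an added illustration (not the paper's analysis framework), the following Python scanner flags the insecure practice the abstract measures: a developer secret hard-coded in mini-app front-end code and fed straight into super-app server-side token endpoints. The snippet it scans is constructed, and the 32-hex AppSecret format, the endpoint paths and the same-statement heuristic are assumptions.

```python
import re

# Constructed mini-app front-end snippet (not from any real mini-app): two pages
# call super-app token endpoints directly with a hard-coded AppSecret, one does not.
SAMPLE_JS = r"""
const APP_ID = "wx0123456789abcdef";
const APP_SECRET = "0123456789abcdef0123456789abcdef";
wx.request({
  url: "https://api.weixin.qq.com/sns/jscode2session?appid=" + APP_ID
       + "&secret=" + APP_SECRET + "&js_code=" + res.code + "&grant_type=authorization_code"
});
wx.request({
  url: "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential"
       + "&appid=wx0123456789abcdef&secret=fedcba9876543210fedcba9876543210"
});
wx.request({ url: "https://example.invalid/api/login", data: { code: res.code } });
"""

HEX32 = r"[0-9a-fA-F]{32}"  # assumption: AppSecrets are 32 hex characters
# a 'secret'-named variable or config key assigned a 32-hex literal
SECRET_ASSIGN = re.compile(r"(?i)\b(\w*secret\w*)[\"']?\s*[:=]\s*[\"'](" + HEX32 + r")[\"']")
# a secret passed as a literal query parameter
SECRET_IN_URL = re.compile(r"(?i)[?&]secret=(" + HEX32 + r")")
# server-side endpoints that should only ever be called from the developer's backend
PRIVILEGED_ENDPOINTS = ("sns/jscode2session", "cgi-bin/token")

def line_of(src, pos):
    return src.count("\n", 0, pos) + 1

def scan(src):
    """Return (hard-coded secrets, privileged-endpoint calls that use them)."""
    names, secrets = {}, []
    for m in SECRET_ASSIGN.finditer(src):
        names[m.group(1)] = m.group(2)
        secrets.append((line_of(src, m.start()), m.group(1), m.group(2)))
    for m in SECRET_IN_URL.finditer(src):
        secrets.append((line_of(src, m.start()), "<url literal>", m.group(1)))
    calls = []
    for ep in PRIVILEGED_ENDPOINTS:
        for m in re.finditer(re.escape(ep), src):
            end = src.find(";", m.start())            # heuristic: same statement
            stmt = src[m.start(): len(src) if end < 0 else end]
            used = [n for n in names if re.search(r"\b%s\b" % re.escape(n), stmt)]
            if SECRET_IN_URL.search(stmt):
                used.append("<url literal>")
            calls.append((line_of(src, m.start()), ep, used))
    return secrets, calls

if __name__ == "__main__":
    found, calls = scan(SAMPLE_JS)
    for line, name, value in found:   # never print the full secret in reports
        print(f"line {line}: hard-coded secret in {name} ({value[:4]}...)")
    for line, ep, used in calls:
        print(f"line {line}: front-end calls {ep} using {used or 'no detected secret'}")
```

The safe pattern is the third request: the front end sends only the login code to the developer's own server, which holds the secret and talks to the super-app API.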