Mobile mini-programs in WeChat have gained significant popularity since their debut in 2017, reaching a scale similar to that of Android apps in the Play Store. Like Google, Tencent, the provider of WeChat, offers APIs to support the development of mini-programs and also maintains a mini-program market within the WeChat app. However, mini-program APIs often manage sensitive user data within the social network platform, both on the WeChat client app and in the cloud, so cryptographic protocols have been implemented to secure data access. In this paper, we demonstrate that WeChat should have required the "appsecret" master key, which authenticates a mini-program, to be used only in the mini-program back-end. If this key is leaked in the front-end of a mini-program, it can lead to catastrophic attacks on both mini-program developers and users. Using a mini-program crawler and a master key leakage inspector, we measured 3,450,586 crawled mini-programs and found that 40,880 of them had leaked their master keys, allowing attackers to carry out attacks such as account hijacking, promotion abuse, and service theft. Testing and measurement of Baidu mini-programs confirmed similar issues. We have reported these vulnerabilities and the list of vulnerable mini-programs to Tencent and Baidu, which awarded us bug bounties; based on our findings, Tencent also recently released a new API to defend against these attacks.
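The abstract names a "master key leakage inspector" but does not describe how it works. The script below is an added illustration, not the paper's tool, of the kind of pre-publish check a mini-program developer or CI pipeline could run over front-end source to catch an appsecret that should only live on the back-end. It assumes that WeChat appsecrets are 32-character hex strings and that `cgi-bin/token` and `sns/jscode2session` are the server-side endpoints that take the `secret` query parameter; the two sample bundles and the key inside them are constructed for this example.

```python
import re

# Constructed sample of a mini-program front-end file that wrongly embeds the
# appsecret and calls a server-side Tencent endpoint from the client.
# All values are made up; the secret below is not a real key.
LEAKY_BUNDLE = """\
const APPID = 'wx1234567890abcdef';
const APPSECRET = '0123456789abcdef0123456789abcdef';
wx.request({
  url: 'https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential'
       + '&appid=' + APPID + '&secret=' + APPSECRET,
  success(res) { getApp().globalData.token = res.data.access_token; }
});
"""

# Constructed sample of the intended pattern: the client only forwards the
# login code to the developer's own back-end, which is where the secret lives.
CLEAN_BUNDLE = """\
wx.login({
  success(res) {
    wx.request({
      url: 'https://backend.example.com/session',
      data: { code: res.code },
    });
  }
});
"""

# Rule 1: a secret-like identifier assigned a 32-character hex literal.
# (Assumption: WeChat appsecrets are 32 hex characters; adjust for other platforms.)
SECRET_ASSIGN = re.compile(
    r"""(?i)\b(app[_-]?secret|secret)\b\s*[:=]\s*['"]([0-9a-f]{32})['"]""")

# Rule 2: a string literal carrying the 'secret=' query parameter, which the
# token and jscode2session endpoints expect and which should only ever be
# assembled on the back-end.
SECRET_PARAM = re.compile(r"""['"][^'"]*[?&]secret=[^'"]*['"]""")

# Rule 3: a server-side Tencent endpoint (assumed names) called directly from
# the client; the client should talk to the developer's own back-end instead.
SERVER_ENDPOINTS = re.compile(
    r"api\.weixin\.qq\.com/(cgi-bin/token|sns/jscode2session)")


def scan_bundle(source):
    """Return a list of (line_number, rule, evidence) findings for one file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGN.search(line)
        if m:
            # Report only a prefix of the value so the full key never lands in logs.
            findings.append((lineno, "secret-literal", m.group(2)[:6] + "..."))
        m = SECRET_PARAM.search(line)
        if m:
            findings.append((lineno, "secret-query-param", m.group(0)))
        m = SERVER_ENDPOINTS.search(line)
        if m:
            findings.append((lineno, "server-endpoint-on-client", m.group(1)))
    return findings


def is_leaky(source):
    """True when any rule fires; intended as a pre-publish gate in CI."""
    return bool(scan_bundle(source))


if __name__ == "__main__":
    for name, src in (("leaky", LEAKY_BUNDLE), ("clean", CLEAN_BUNDLE)):
        print(name, is_leaky(src), scan_bundle(src))
```

Run against the leaky sample, the scanner reports three findings (the hard-coded key, the `cgi-bin/token` call, and the `&secret=` fragment) and nothing for the clean sample. The third rule matters even when the key is not a literal: a client that reaches the token endpoint at all must be supplying the secret from somewhere, so the endpoint itself is a signal worth flagging.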