Mini-Programs, Mega-Problems: Unveiling OAuth-based Authentication Misuses in Mini-Programs via Dynamic Analysis

📅 2026-07-09
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses critical security vulnerabilities in mini-programs arising from third-party developers’ incorrect integration of OAuth authentication flows, which can lead to severe issues such as identity impersonation. The authors propose MINIAUTH, the first dynamic analysis framework tailored for mini-programs, which systematically detects OAuth misuse by integrating automated workflow execution, runtime behavior monitoring, and deobfuscation techniques. Applying MINIAUTH reveals three novel classes of runtime vulnerabilities, uncovers cross-platform commonalities, and exposes a cryptographic design flaw in Baidu’s API. An evaluation across 46,994 WeChat and Baidu mini-programs identifies 1,834 instances of authentication misuse, including identity forgery due to credential leakage and authentication bypass caused by plaintext identifiers. These findings have been acknowledged by vendors and assigned official CNVD/CNNVD identifiers.
📝 Abstract
Mini-programs have become a dominant paradigm for lightweight application deployment within super apps such as WeChat. To support seamless integration, super apps provide OAuth mechanisms for user login. However, improper integration of OAuth-based Authentication (OBA) flows by third-party developers can lead to critical security flaws. In this paper, we discover three new types of runtime OBA misuses that differ from prior static-code-based studies, enabling attackers to impersonate victims. To assess their real-world impact, we design and implement MINIAUTH, the first analysis framework for systematically analyzing OBA misuse at scale. MINIAUTH automatically pinpoints the OBA login page of a mini-program, executes the workflow dynamically, and analyzes its runtime behaviors. This enables it to handle obfuscated mini-programs and uncover vulnerabilities that existing approaches cannot detect. Applying MINIAUTH to 44,273 WeChat and 2,721 Baidu mini-programs, we uncover 1,834 misuse cases, including critical logic flaws that enable client-side identity forgery via exposed credentials and authentication bypass through static or plaintext identifiers. Our cross-platform evaluation further shows that such misuses are not confined to a single ecosystem but consistently appear across different mini-program platforms. We also identify a cryptographic design flaw in Baidu's OBA APIs that allows brute-forcing of session keys. We responsibly disclosed our findings to the developers and platforms, receiving acknowledgments and assigned CNVD/CNNVD IDs. These results underscore the need for more robust developer guidance and enhanced platform-level safeguards.
Problem

Research questions and friction points this paper is trying to address.

OAuth-based Authentication
Mini-Programs
Authentication Misuse
Security Vulnerabilities
Identity Impersonation
Innovation

Methods, ideas, or system contributions that make the work stand out.

dynamic analysis
OAuth-based authentication
mini-program security
authentication misuse
cross-platform vulnerability
🔎 Similar Papers