{"ID":6267092,"CreatedAt":"2026-07-10T01:11:38.759438437Z","UpdatedAt":"2026-07-13T01:02:08.706470581Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2607.08232","arxiv_id":"2607.08232","title":"Mini-Programs, Mega-Problems: Unveiling OAuth-based Authentication Misuses in Mini-Programs via Dynamic Analysis","abstract":"Mini-programs have become a dominant paradigm for lightweight application deployment within super apps such as WeChat. To support seamless integration, super apps provide OAuth mechanisms for user login. However, improper integration of OAuth-based Authentication (OBA) flows by third-party developers can lead to critical security flaws. In this paper, we discover three new types of runtime OBA misuses that differ from prior static-code-based studies, enabling attackers to impersonate victims. To assess their real-world impact, we design and implement MINIAUTH, the first analysis framework for systematically analyzing OBA misuse at scale. MINIAUTH automatically pinpoints the OBA login page of a mini-program, executes the workflow dynamically, and analyzes its runtime behaviors. This enables it to handle obfuscated mini-programs and uncover vulnerabilities that existing approaches cannot detect. Applying MINIAUTH to 44,273 WeChat and 2,721 Baidu mini-programs, we uncover 1,834 misuse cases, including critical logic flaws that enable client-side identity forgery via exposed credentials and authentication bypass through static or plaintext identifiers. Our cross-platform evaluation further shows that such misuses are not confined to a single ecosystem but consistently appear across different mini-program platforms. We also identify a cryptographic design flaw in Baidu's OBA APIs that allows brute-forcing of session keys. We responsibly disclosed our findings to the developers and platforms, receiving acknowledgments and assigned CNVD/CNNVD IDs. These results underscore the need for more robust developer guidance and enhanced platform-level safeguards.","short_abstract":"Mini-programs have become a dominant paradigm for lightweight application deployment within super apps such as WeChat. To support seamless integration, super apps provide OAuth mechanisms for user login. However, improper integration of OAuth-based Authentication (OBA) flows by third-party developers can lead to critic...","url_abs":"https://arxiv.org/abs/2607.08232","url_pdf":"https://arxiv.org/pdf/2607.08232v1","authors":"[\"Zidong Zhang\",\"Zhentao Xie\",\"Lingyun Ying\",\"Qinsheng Hou\",\"Yacong Gu\",\"Wenrui Diao\",\"Jianliang Wu\"]","published":"2026-07-09T08:28:57Z","proceeding":"cs.CR","tasks":"[\"cs.CR\"]","methods":"[\"Convolutional Neural Network\"]","has_code":false}
