Cross Miniapp Request Forgery: Root Causes, Attacks, and Vulnerability Detection

Yuqing Yang, Yue Zhang, Zhiqiang Lin
DOI: 10.1145/3548606.3560597
Venue: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
Published: 2022-11-07
Citations: 16

Abstract

A miniapp is a full-fledged app that is executed inside a mobile super app such as WeChat or SnapChat. Being mini by nature, it often has to communicate with other miniapps to accomplish complicated tasks. However, unlike a web app, which uses network domains (i.e., IP addresses) to navigate between different web apps, a miniapp uses a unique global appId assigned by the super app to navigate between miniapps. Unfortunately, any missing check of the sender's appId in a receiver miniapp can lead to a new type of attack we name cross-miniapp request forgery (CMRF). In addition to demystifying the root cause of this attack (i.e., the essence of the vulnerability), this paper also seeks to measure the popularity of this vulnerability among miniapps by developing CmrfScanner, which statically detects the CMRF vulnerability based on the abstract syntax tree of miniapp code, determining whether any checks of the appIds are missing. We tested CmrfScanner on 2,571,490 WeChat miniapps and 148,512 Baidu miniapps, and identified 52,394 (2.04%) WeChat miniapps and 494 (0.33%) Baidu miniapps that involve cross-miniapp communication. Among them, CmrfScanner further identified that 50,281 (95.97%) of the WeChat miniapps and 493 (99.80%) of the Baidu miniapps lack checks of the sender miniapp's appId, indicating that a large number of miniapp developers are not aware of this attack. We also estimated the impact of this vulnerability and found that 55.05% of the WeChat miniapps lacking validation (7.09% of such Baidu miniapps) can suffer direct security consequences such as privileged data access, information leakage, promotion abuse, and even shopping for free. We hope that our findings can raise awareness among miniapp developers, so that future miniapps will not be subject to CMRF attacks.
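The missing sender check the abstract describes, shown as an added example that is not from the paper or from CmrfScanner: a receiver miniapp's launch handler written once without the appId check (the CMRF root cause) and once with an allowlist. It assumes a WeChat-style lifecycle in which a launch from another miniapp arrives as `options.referrerInfo = { appId, extraData }`; the handler names, the allowlist and the placeholder appIds are constructed for this example.

```javascript
// Added example (not from the paper or CmrfScanner). Assumption: when another
// miniapp navigates to this one, the runtime passes
// options.referrerInfo = { appId, extraData } to the App() onLaunch/onShow hook.

// Placeholder appIds and launch payloads, constructed for this example.
const TRUSTED_PARTNER = "wx_trusted_partner_appid";
const OTHER_MINIAPP = "wx_any_other_appid";

const fromPartner = {
  referrerInfo: { appId: TRUSTED_PARTNER, extraData: { userId: 42, coupon: "GOLD" } },
};
const fromStranger = {
  referrerInfo: { appId: OTHER_MINIAPP, extraData: { userId: 42, coupon: "GOLD" } },
};
const coldStart = {}; // opened from the super app itself: no referrer at all

// Vulnerable receiver: acts on extraData from whichever miniapp launched it.
// Any miniapp that knows this receiver's appId can supply the payload.
function onLaunchVulnerable(options) {
  const data = (options.referrerInfo && options.referrerInfo.extraData) || null;
  return data
    ? { accepted: true, userId: data.userId, coupon: data.coupon }
    : { accepted: false };
}

// Hardened receiver: the payload is used only when the sender's appId is on
// an explicit allowlist; a missing or unknown sender is ignored.
const ALLOWED_SENDERS = new Set([TRUSTED_PARTNER]);

function onLaunchHardened(options, allowed = ALLOWED_SENDERS) {
  const ref = options.referrerInfo;
  if (!ref || typeof ref.appId !== "string" || !allowed.has(ref.appId)) {
    return { accepted: false, reason: ref ? "untrusted-sender" : "no-referrer" };
  }
  const data = ref.extraData || {};
  return { accepted: true, userId: data.userId, coupon: data.coupon };
}
```

The allowlist only decides which miniapps may drive the receiver; the fields inside `extraData` still need the same validation as any other client-supplied input.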