[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-84332-en":3,"doc-seo-84332-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},84332,687197207919,"Theodora","https://ap-avatar.wpscdn.com/avatar/a000253d6f5f7c60be?x-image-process=image/resize,m_fixed,w_180,h_180&k=1779446848396160552",8,"Research & Report","Mini-Programs, Mega-Problems: Unveiling OAuth-based Authentication Misuses in Mini-Programs via Dynamic Analysis","Mini-programs have become a dominant way to deploy lightweight apps inside super apps such as WeChat, where platform-specific OAuth-based Authentication (OBA) enables user login and retrieval of sensitive data. Improper third-party integration can introduce severe security flaws. This paper systematizes three runtime OBA misuse patterns that let attackers impersonate victims and implements MiniAuth, a scalable dynamic-analysis framework that executes OBA workflows to detect vulnerabilities, including those hidden by obfuscation.","Mini-Programs, Mega-Problems: Unveiling OAuth-based Authentication Misuses in Mini-Programs via Dynamic Analysis  \nZidong Zhang∗ Simon Fraser University; QI-ANXIN Research Institute Burnaby, Canada [zza323@sfu.ca](zza323@sfu.ca)  \nQinsheng Hou School of Computer Science, Shanghai Jiao Tong University  \nShanghai, China [houqinsheng@sjtu.edu.cn](houqinsheng@sjtu.edu.cn)  \nZhentao Xie∗ Shandong University; The Chinese University of Hong Kong Qingdao, China [fxizenta@mail.sdu.edu.cn](fxizenta@mail.sdu.edu.cn)  \nYacong Gu  \nTsinghua University; Tsinghua University-QI-ANXIN Group JCNS Beijing, China [guyacong@tsinghua.edu.cn](guyacong@tsinghua.edu.cn)  \nLingyun Ying† QI-ANXIN Technology Research Institute Beijing, China [yinglingyun@qianxin.com](yinglingyun@qianxin.com)  \nWenrui Diao† School of Cyber Science and Technology, Shandong University Qingdao, China  \n[diaowenrui@link.cuhk.edu.hk](diaowenrui@link.cuhk.edu.hk)  \narXiv :2607 .08232v 1 [ cs .CR] 9 Jul 2026  \nJianliang Wu† Simon Fraser University Burnaby, Canada [wujl@sfu.ca](wujl@sfu.ca)  \nAbstract  \nMini-programs have become a dominant paradigm for lightweight application deployment within super apps such as WeChat. To support seamless integration, super apps provide platform-specific OAuth-based Authentication (OBA) mechanisms for user login. However, improper integration of OBA flows by third-party developers can lead to critical security flaws.  \nIn this paper, we systematize three runtime OBA misuse patterns that arise in mini-program implementations and enable attackers to impersonate victims. To assess their real-world impact, we design and implement MiniAuth, the first analysis framework to systematically analyze mini-program OBA misuse at scale. MiniAuth automatically pinpoints the OBA login page of a mini-program, executes the workflow dynamically, and analyzes its runtime behaviors. This enables it to handle obfuscated mini-programs and uncover vulnerabilities within dynamic behaviors that existing approaches cannot detect.  \nApplying MiniAuth to 44,273 WeChat and 2,721 Baidu miniprograms, we uncover 1,834 misuse cases, including critical logic flaws that enable client-side identity forgery via exposed credentials and authentication bypass through static or plaintext identifiers. Our cross-platform evaluation further shows that such misuses are not confined to a single ecosystem but consistently appear across  \n∗ Both authors contributed equally to this research.†Corresponding authors.  \nPermission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions [from permissions@acm.org](from permissions@acm.org).  \nAnonymous Submission to ACM CCS, 2026  \n© 2026 ACM.  \nACM ISBN 978-x-xxxx-xxxx-x/YYYY/MM [https://doi.org/10.1145/nnnnnnn.nnnnnnn](https://doi.org/10.1145/nnnnnnn.nnnnnnn)  \ndifferent mini-program platforms. We also identify a cryptographic design flaw in Baidu’s OBA APIs that allows brute-forcing of session keys. We responsibly disclosed our findings to the developers and platforms, receiving acknowledgments and assigned CNVD/CNNVD IDs. These results underscore the need for more robust developer guidance and enhanced platform-level safeguards.  \nCCS Concepts  \n• Security and privacy → Software and application security.  \nKeywords  \nMini-program Security; Program Analysis; Vulnerability Detection  \n1 Introduction  \nMini-programs, lightweight applications embedded within super apps such as WeChat and Baidu, have emerged as a dominant platform for mobile services, including finance, healthc","cbCainE6ZTSq9bAh","https://ap.wps.com/l/cbCainE6ZTSq9bAh","pdf",2265597,1,19,"English","en",105,"# Abstract\n# 1 Introduction\n## Mini-programs and OBA background\n## Limitations of existing static research\n## This work and contributions","[{\"question\":\"What problem does the paper address for mini-program authentication?\",\"answer\":\"The paper addresses security failures caused by improper integration of OAuth-based Authentication (OBA) flows in mini-program implementations within super apps.\"},{\"question\":\"How does MiniAuth improve detection compared with existing approaches?\",\"answer\":\"MiniAuth dynamically pinpoints a mini-program’s OBA login page, executes the authentication workflow, and analyzes runtime behaviors, which helps it handle obfuscated code and runtime-only vulnerabilities.\"},{\"question\":\"What kinds of OBA misuse patterns are identified?\",\"answer\":\"The paper identifies three runtime misuse patterns, including client-side identity forgery enabled by exposed credentials and authentication bypass using static or plaintext identifiers.\"}]",1784194882,48,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"mini-programs-mega-problems-unveiling-oauth-based-authentication-misuses-in-mini-programs-via-dynamic-analysis","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/mini-programs-mega-problems-unveiling-oauth-based-authentication-misuses-in-mini-programs-via-dynamic-analysis/84332/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What problem does the paper address for mini-program authentication?","Question",{"text":75,"@type":76},"The paper addresses security failures caused by improper integration of OAuth-based Authentication (OBA) flows in mini-program implementations within super apps.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does MiniAuth improve detection compared with existing approaches?",{"text":80,"@type":76},"MiniAuth dynamically pinpoints a mini-program’s OBA login page, executes the authentication workflow, and analyzes runtime behaviors, which helps it handle obfuscated code and runtime-only vulnerabilities.",{"name":82,"@type":73,"acceptedAnswer":83},"What kinds of OBA misuse patterns are identified?",{"text":84,"@type":76},"The paper identifies three runtime misuse patterns, including client-side identity forgery enabled by exposed credentials and authentication bypass using static or plaintext identifiers.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},"General","general"]