Eight Q stolen envelopes may through WeChat applet hackers

this morning, WeChat small program officially brush the circle of friends. As an old friend of the Chinese people to eat melon, Lei Feng net house guest channel in the spirit of watching the big thing, decided to explore an important issue:

hackers there is no way through the vulnerability of small programs WeChat, secretly using your WeChat to send him a big red envelope?


in order to figure out this problem, Lei Feng house guest channel consulting a few hackers Daniel, finishing the answer is as follows:

1, from App to a small program, there are some loopholes will always exist, a small program to change the front of the business to achieve the form, but the basic business has not changed. So for small service providers, there are two risks still exist:

Web interface vulnerability. For example, XSS, CSRF, etc. all kinds of ultra vires. This is the vulnerability of the service architecture itself.

business function logic flaws. For example, the amount of orders modify, verification code, password back design flaws and so on. These are also the vulnerability of the back-end service itself.

2, which may be blocked by a small program on the possibility of the traditional App client, because the code is more complex, the system is relatively large, often there are many loopholes. Now, the interface provided by WeChat, service providers only need to call the WeChat interface can achieve the service function. This makes the previous attack on the App client lost the object.

small program running in WeChat, before people concerned about the App client hand no loopholes, and now people need to care about whether WeChat is safe.


[applet and WeChat’s relationship, similar to the relationship between App and the system]

for example.

App client will directly call the system service, so many vulnerabilities associated with the system version, such as Android WebView vulnerability, uxss vulnerabilities, etc..

in the case of Android, WeChat is using the modified Chrome kernel, X5 kernel, WebView fixes a remote code execution vulnerability, so there is no need to consider the impact of this vulnerability even in the low version of the Android system.

3, so for Tencent’s own X5 kernel, if the burst of new vulnerabilities, will affect the small program?. In theory, the vulnerability of small programs should be affected by the impact of WeChat client itself, such as the emergence of a new X5 kernel uxss vulnerability, it is possible to cause sensitive information leakage.

4, is it possible to complete the science of the security of the structure of a small WeChat? WeChat applet is a plug-in.

The basic features of the

plug-in framework are: the basic program (WeChat) provides services to

Leave a Reply

Your email address will not be published. Required fields are marked *