CVE-2021-40180
Published 2022-07-26
CVE-2021-40180: In the WeChat application 8.0.10 for Android and iOS, a mini program can obtain sensitive information from a user's address book via wx.searchContacts.
Priority: P3 (35) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.06% (60.2th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tencent | — | — | — |
No detection rules found.
No public exploits indexed.
arXiv · Uncovering and Exploiting Hidden APIs in Mobile Super Apps (arxiv_fulltext, 2023-06-13)
Chao Wang, Yue Zhang, Zhiqiang Lin (The Ohio State University)
Recently, a novel paradigm called the miniapp has brought significant convenience to our daily life, where small programs are hosted inside super apps (e.g., Tiktok) and enrich the functionalities (e.g., e-commerce, e-learning, e-government) of those super apps. These miniapps can be developed by the 1st party (i.e., the one who also programmed the super app) or by 3rd-party developers. While intuitively, for a specific super app platform, both the 1st-party miniapps and the 3rd-party miniapps should have used the same set of th
arXiv · A Small Leak Will Sink Many Ships: Vulnerabilities Related to Mini Programs Permissions (arxiv_fulltext, 2022-05-30)
## Abstract
As a new format of mobile application, mini programs, which function within a larger app and are built with HTML, CSS, and JavaScript web technology, have become the way to do almost everything in China. This paper presents our research on the permissions of mini programs. We conducted a systematic study on 9 popular mobile app ecosystems, which host over 7 million mini programs, and tested over 2,580 APIs to understand these emerging systems better. We extracted a common abstracted model for mini programs permission control and revealed six categories of potential security vulnerabilities in the permission environments. It is alarming that the current popular mobile app ecosystems (host apps) under study have at least one security vulnerability. We present the corresponding a
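Both abstracts describe the same class of weakness behind this CVE: an API that the host app's native bridge exports to mini programs but that the host's scope-based permission model never governs, so calling it skips the user-consent prompt. The block below is an added example, not code from WeChat or from either paper. It models a host-app bridge with a constructed permission table, reuses the page's API name `searchContacts` (the `wx.` namespace dropped) as the ungoverned export, and contrasts a dispatcher that only checks APIs it has a scope entry for with a default-deny dispatcher plus a startup audit that reports every bridge export lacking a scope. The scope names, bridge functions and contact records are constructed for the example.

```javascript
// Added example: toy model of a super-app API bridge and its permission gate.
// Not WeChat's code; all names, scopes and data below are constructed.

// Constructed address-book data that the native side would read from the OS.
const CONSTRUCTED_CONTACTS = [
  { name: "Alice", phone: "+1-555-0100" },
  { name: "Bob", phone: "+1-555-0101" },
];

// Native bridge: every key here is callable from mini-program JavaScript.
const nativeBridge = {
  getLocation: () => ({ lat: 40.0, lng: -83.0 }),
  chooseAddress: () => ({ city: "Columbus" }),
  // Exported by the bridge but never registered with a scope (the "hidden API").
  searchContacts: (query) =>
    CONSTRUCTED_CONTACTS.filter((c) => c.name.includes(query)),
};

// Permission table: API name -> scope the user must have granted via a prompt.
const scopeTable = {
  getLocation: "scope.userLocation",
  chooseAddress: "scope.address",
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Weak dispatcher: enforces a scope only for APIs it knows about and forwards
// everything else, so an unlisted bridge export is reachable with no consent.
function dispatchWeak(grantedScopes, api, ...args) {
  const scope = scopeTable[api];
  if (scope && !grantedScopes.has(scope)) {
    return { ok: false, error: `scope ${scope} not granted` };
  }
  if (!hasOwn(nativeBridge, api)) return { ok: false, error: `no such api ${api}` };
  return { ok: true, data: nativeBridge[api](...args) };
}

// Hardened dispatcher: default-deny. A call is forwarded only when the API has
// a scope entry AND that scope was granted; unregistered exports are refused.
function dispatchStrict(grantedScopes, api, ...args) {
  if (!hasOwn(scopeTable, api)) {
    return { ok: false, error: `api ${api} is not registered with a scope` };
  }
  const scope = scopeTable[api];
  if (!grantedScopes.has(scope)) {
    return { ok: false, error: `scope ${scope} not granted` };
  }
  if (!hasOwn(nativeBridge, api)) return { ok: false, error: `no such api ${api}` };
  return { ok: true, data: nativeBridge[api](...args) };
}

// Startup audit: every bridge export with no governing scope. Running this in
// CI against the real bridge table is how a host app catches a hidden API
// before a third-party mini program does.
function findUnscopedApis(bridge, table) {
  return Object.keys(bridge).filter((api) => !hasOwn(table, api)).sort();
}

// With no scopes granted, the weak gate still hands out address-book entries:
dispatchWeak(new Set(), "searchContacts", "Ali");   // → { ok: true, data: [Alice] }
dispatchStrict(new Set(), "searchContacts", "Ali"); // → { ok: false, ... }
findUnscopedApis(nativeBridge, scopeTable);         // → ["searchContacts"]
```

The point of the audit function is that the permission table, not the bridge, is the source of truth for what a mini program may call: any export the table does not mention is a bug to fix before release, not a harmless internal helper.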
References
- https://arxiv.org/pdf/2205.15202.pdf
- https://github.com/BESTICSP/Vulnerabilities-Related-to-Mini-Programs-Permissions/blob/main/WX%20applet%20contact%20permission%20vulnerability%20report.pdf
- https://pan.baidu.com/s/116sAQvs1CEzCeIfpI1NZvA
- https://pan.baidu.com/s/1RqMrZBruZZ4OHdnXUN5xDw
Timeline: published 2022-07-26