Demystifying Cookie Sharing Risks in WebView-based Mobile App-in-app Ecosystems
Miao Zhang, Shenao Wang, Guilin Zheng, Yanjie Zhao, Haoyu Wang
TL;DR
The paper identifies Cross Mini-program Cookie Sharing (CMCS), a vulnerability caused by shared WebView cookies across mini-programs in app-in-app ecosystems. It analyzes multiple platforms (WeChat, AliPay, TikTok, Baidu) and demonstrates collusion attacks where privileged data can be leaked through cookies to unprivileged mini-programs. It introduces MiCoScan, a static analysis framework that combines WebView context modeling and cross-webview data flow analysis to detect CMCS vulnerabilities, and performs a large-scale measurement over 351,483 mini-programs revealing widespread risk. The work highlights the need for stronger per-mini-program WebView isolation and explicit consent mechanisms to prevent cross-program data leakage, with practical implications for user privacy in super-app ecosystems.
Abstract
Mini-programs, an emerging mobile application paradigm within super-apps, offer a seamless and installation-free experience. However, the adoption of the web-view component has disrupted their isolation mechanisms, exposing new attack surfaces and vulnerabilities. In this paper, we introduce a novel vulnerability called Cross Mini-program Cookie Sharing (CMCS), which arises from the shared web-view environment across mini-programs. This vulnerability allows unauthorized data exchange across mini-programs by enabling one mini-program to access cookies set by another within the same web-view context, violating isolation principles. As a preliminary step, we analyzed the web-view mechanisms of four major platforms, including WeChat, AliPay, TikTok, and Baidu, and found that all of them are affected by CMCS vulnerabilities. Furthermore, we demonstrate the collusion attack enabled by CMCS, where privileged mini-programs exfiltrate sensitive user data via cookies accessible to unprivileged mini-programs. To measure the impact of collusion attacks enabled by CMCS vulnerabilities in the wild, we developed MiCoScan, a static analysis tool that detects mini-programs affected by CMCS vulnerabilities. MiCoScan employs web-view context modeling to identify clusters of mini-programs sharing the same web-view domain and cross-webview data flow analysis to detect sensitive data transmissions to/from web-views. Using MiCoScan, we conducted a large-scale analysis of 351,483 mini-programs, identifying 45,448 clusters sharing web-view domains, 7,965 instances of privileged data transmission, and 9,877 mini-programs vulnerable to collusion attacks. Our findings highlight the widespread prevalence and significant security risks posed by CMCS vulnerabilities, underscoring the urgent need for improved isolation mechanisms in mini-program ecosystems.
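The two MiCoScan steps the abstract names, web-view context modeling and cross-webview data flow analysis, reduce to a simple pipeline: cluster mini-programs whose web-views can share one cookie store, then pair each cluster member that passes privileged data into its web-view with every other member that could read the resulting cookies. The sketch below is an added illustration written for this summary, not the authors' tool; the mini-program summaries, app ids and hosts are constructed, and cookie scope is approximated as the last two host labels (a real tool needs the Public Suffix List).

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class MiniProgram:
    app_id: str                      # fictitious identifier
    webview_hosts: set               # hosts its web-view component may load
    # Hosts into which a cross-webview flow analysis found privileged data
    # (e.g. an API-returned phone number) being written; stand-in for
    # MiCoScan's data-flow step, assumed here rather than computed.
    privileged_sinks: set = field(default_factory=set)

def registrable_domain(host: str) -> str:
    """Cookie-sharing scope approximated as eTLD+1 via the last two labels.
    Assumption for the demo; production code must consult the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def cluster_by_cookie_scope(programs):
    """Web-view context modeling: group mini-programs whose web-views share a
    cookie store. The host app keeps a single jar, so the same host is shared
    outright and hosts under one registrable domain may share Domain-attribute
    cookies; both cases land in one cluster (conservative over-approximation)."""
    clusters = defaultdict(set)
    for p in programs:
        for host in p.webview_hosts:
            clusters[registrable_domain(host)].add(p.app_id)
    return {d: ids for d, ids in clusters.items() if len(ids) > 1}

def find_collusion_candidates(programs):
    """Pair each mini-program that writes privileged data into a web-view in a
    shared scope with every other mini-program in that scope:
    (sender, potential reader, shared cookie scope), sorted for stable output."""
    clusters = cluster_by_cookie_scope(programs)
    pairs = set()
    for p in programs:
        for sink in p.privileged_sinks:
            scope = registrable_domain(sink)
            for reader in clusters.get(scope, set()) - {p.app_id}:
                pairs.add((p.app_id, reader, scope))
    return sorted(pairs)

# Constructed summaries for four fictitious mini-programs; not real apps.
SAMPLE = [
    MiniProgram("mp_shop", {"shop.example-cdn.com"}, {"shop.example-cdn.com"}),
    MiniProgram("mp_game", {"game.example-cdn.com"}),
    MiniProgram("mp_pay", {"m.pay.example.org", "static.example-cdn.com"}),
    MiniProgram("mp_news", {"news.example.net"}, {"news.example.net"}),
]
```

On the sample, `mp_news` writes privileged data but sits alone in its scope and is not flagged, while `mp_shop` is paired with both `mp_game` and `mp_pay` because all three load hosts under the same registrable domain; a per-mini-program cookie jar would key the clusters on `(app_id, scope)` instead and dissolve every pair.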
