我们昨天在处理一起投票项目被刷票的人过程中,发现刷票的openid全部为合法内容,但是每秒可刷票几十次,用过查看服务器日志,发现有大规模的链接给程序传入code值(微信授权中,用code换取openid和微信用户信息的接口中使用的),并且大概有十分之一的概率可以获取到一个用户信息,其他的均为失败,怀疑有人通过code撞库,但是概率之高又不像随机撞库,所以感觉可能微信的code算法已经泄漏,请各位开发者注意这个问题。
微信授权的code漏洞?Code vulnerability in WeChat authorization?
微信授权的code漏洞?我们昨天在处理一起投票项目被刷票的人过程中,发现刷票的openid全部为合法内容,但是每秒可刷票几十次,用过查看服务器日志,发现有大规模的链接给程序传入code值(微信授权中,用code换取openid和微信用户信息的接口中使用的),并且大概有十分之一的概率可以获取到一个用户信息,其他的均为失败,怀疑有人通过code撞库,但是概率之高又不像随机撞库,所以感觉可能微信的code算法已经泄漏,请各位开发者注意这个问题。
Yesterday, in the process of processing a vote item swipe, we found that the openid of the vote swipe is all legal content, but it can be swiped dozens of times per second. After checking the server log, we found that there are large-scale links passing code values to the program (used in the wechat authorization, using code to exchange the openid and wechat user information interface), and there is about one tenth of the probability One user information can be obtained, others are all failed. It is suspected that someone has collided with the library through code, but the probability is not as high as random library collision. Therefore, we feel that the code algorithm of wechat may have been leaked. Please pay attention to this problem.
回答:
+1,这个月遇到过类似的问题,短时间内大量合法微信用户授权注册,对这些异常流量的用户电话回访后,用户均表示近期未在我们平台有过授权注册的操作。
mark
原文出处:微信授权的code漏洞?
群主管理都是支付大佬
你好。有可能是爬虫,麻烦自行排查下看看。