How a WeChat Windows Bug Exposes Message XML Data (Text, Articles, Emojis)
A recently discovered bug in the latest WeChat Windows client (v3.1.0.67) reveals raw XML representations of quoted messages—including plain text, articles, and emoji GIFs—allowing researchers to extract detailed message metadata and media URLs.
Overview
While using the WeChat PC client (version 3.1.0.67), the author discovered that after performing certain actions, an XML snippet appears in the message input box. This XML encodes the full data of the quoted message, exposing sender information, content, and references to embedded media.
XML Structure
The XML contains fields such as <fromusername>, <content>, <msgsource>, and other metadata. The <content> element holds the actual quoted message, which may be plain text, an article, an emoji, or other rich content.
Extracted Content Types
Plain Text and Articles
When a plain‑text message is quoted, the <content> field shows the original text. If the quoted message is an article from a public account, the XML also includes the article title, subtitle, URL, and the public account name.
Emoji (GIF) Messages
For emoji messages, the <content> element contains a nested, escaped XML segment that includes a cdnurl pointing to the original GIF file. By decoding this URL, the original emoji GIF can be downloaded and reused.
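An added example, not code from the original article: a parser that reports what a pasted quote snippet exposes, including the second XML layer hidden inside the escaped content. Only `fromusername`, `content` and `cdnurl` come from the page; the `<quote>` root, the `<msg>`/`<emoji>` wrappers, the position of `cdnurl` (attribute or child element) and every sample value are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Assumed: <quote> root, <msg>/<emoji> wrappers, all values.
SAMPLE = (
    '<quote><fromusername>wxid_placeholder</fromusername>'
    '<content>&lt;msg&gt;&lt;emoji cdnurl="http://cdn.example.invalid/e?id=1'
    '&amp;amp;t=2"/&gt;&lt;/msg&gt;</content></quote>'
)

def safe_parse(text):
    """Parse XML from an untrusted source, refusing any DTD (entity expansion)."""
    if "<!doctype" in text.lower():
        raise ValueError("DTD not allowed in untrusted XML")
    return ET.fromstring(text)

def parse_nested(text):
    """Return an Element if the unescaped content is itself XML, else None."""
    text = text.strip()
    if not text.startswith("<"):
        return None
    try:
        return safe_parse(text)
    except ET.ParseError:
        return None  # plain text that merely begins with '<'

def summarize_quote(snippet):
    """List the sender, the content kind and any media URLs a snippet exposes."""
    root = safe_parse(snippet)
    # The outer parse already undoes one level of escaping in <content>.
    content = root.findtext("content") or ""
    report = {"sender": root.findtext("fromusername"), "kind": "text",
              "text": content, "media_urls": []}
    inner = parse_nested(content)
    if inner is None:
        return report
    report["kind"], report["text"] = "nested-xml", None
    for el in inner.iter():
        if "cdnurl" in el.attrib:            # assumed form 1: attribute
            report["media_urls"].append(el.attrib["cdnurl"])
        elif el.tag == "cdnurl" and el.text:  # assumed form 2: child element
            report["media_urls"].append(el.text.strip())
    return report

if __name__ == "__main__":
    print(summarize_quote(SAMPLE))
```

The inner parse removes the second escaping layer, which is why the URL in the report carries a bare `&` where the raw snippet shows `&amp;amp;`.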
Red Packet (Lucky Money)
The author attempted to quote a red‑packet message; the resulting XML displayed a structure that could not be rendered, indicating limited support for this type.
Other Quotable Message Types
The bug suggests that many additional message types can be quoted, such as video messages, money transfers, and mini‑programs, though the author leaves further exploration to the reader.
Implications
This unintended exposure of raw message data could be leveraged for information‑gathering or privacy‑related attacks, highlighting a security oversight in the WeChat Windows client.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
