Why Your WeChat Mini‑Program Is Scanned During Review and How to Interpret the Alerts

A migration mistake left a mini‑program pointing to a test endpoint, forcing an emergency release whose review generated Tencent Security Team scan alerts. This article explains the log evidence, the automatic security scanning that WeChat performs during review, and how developers can handle and mitigate these notifications.

Open Source Tech Hub

Incident Overview

A project migration changed the domain used by a WeChat mini‑program. The production endpoint was not updated before the mini‑program was submitted for review, requiring an emergency release. During the review, the platform’s security scanner generated a flood of alert emails.

Alert Details

Response error: Server Unknown Error
Detail error: Uncaught InvalidArgumentException: Malformed UTF-8 characters, possibly incorrectly encoded in
Timestamp: 2024-11-07 21:55:38
Source IP: 106.55.202.118
Request path: /open/v3/live/record?action=eval&live_id=undefined%bf%27%bf'%27%22'"\%5C%0d%0a##

Log Investigation

Server access logs showed repeated GET requests to /open/v3/live/record with query strings that resemble SQL‑injection payloads. All requests originated from IP 106.55.202.118 and carried a User-Agent header beginning with "Tencent Security Team", as the final quoted field of the entry below shows.

106.55.202.118 - - [07/Nov/2024:21:55:33 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%27%29%29 AND (SELECT*FROM(SELECT(SLEEP(4)))coce) limit 1# HTTP/1.1" 401 468 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001"
... (additional similar entries omitted) ...

The pattern of low‑rate requests with the same header indicated they were not external attacks but generated by the WeChat review platform itself.

Root Cause

When a mini‑program is submitted for review, WeChat automatically performs a security scan. The scanner sends service requests to the backend, appearing in logs as coming from “Tencent Security Team” and from IPs such as 106.55.202.118, 113.96.223.69, 125.39.132.125, and 43.139.209.119. Because the endpoint still pointed to a test environment, the scan triggered error responses and the subsequent alert emails.

WeChat Mini‑Program Security Scan

Purpose

The scan checks for common vulnerabilities (e.g., data tampering, database leakage, web attacks) that could lead to reverse engineering or business‑logic exposure. All submitted mini‑programs must pass this detection before audit approval.

Scanning Process

The platform simulates realistic business scenarios and sends HTTP requests to the mini‑program’s backend. Requests are low‑rate and include the header Tencent Security Team. If the scan interferes with normal service, developers can throttle or limit the frequency of these requests.

Result Impact

Detection results are a key factor in the audit. If security issues are reported, the mini‑program is rejected until the issues are resolved.

Common Questions

Can the scan be skipped? No. Skipping results in rejection.

Can the scan be stopped after code audit? The platform continues pending scans until completion. Developers may manually abort scans via the notification center; scans are automatically aborted if the audit is withdrawn.

Mitigation Recommendations

Ensure the production endpoint is correctly configured before submitting the mini‑program for review.

Monitor logs for the specific “Tencent Security Team” header to differentiate scanner traffic from genuine user traffic.

If scanner traffic impacts service, implement rate‑limiting or IP‑based throttling for the identified scanner IPs.
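
An added example, not code from the original article: one way to act on the log-monitoring and throttling recommendations above is to classify access-log lines by the scanner's User-Agent marker and source IP. It assumes the combined log format of the quoted entry; the function names and the constructed sample lines (documentation-range IPs) are illustrative, and because the article lists the scanner IPs only as examples, a scanner User-Agent from any other address is labelled unverified rather than trusted.

```python
import re
from collections import Counter

# Scanner source IPs named in the article ("such as", so the list is not exhaustive).
SCANNER_IPS = {"106.55.202.118", "113.96.223.69", "125.39.132.125", "43.139.209.119"}
UA_MARKER = "Tencent Security Team"

# Combined log format. The request field is matched greedily because scanner
# payloads contain raw spaces, quotes and '#' characters.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (fields, label) for one access-log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None, "unparsed"
    claims_scanner = UA_MARKER in m["ua"]
    if claims_scanner and m["ip"] in SCANNER_IPS:
        label = "review-scanner"
    elif claims_scanner:
        label = "unverified-scanner-ua"  # User-Agent is client-controlled: review, do not trust
    else:
        label = "other"
    return m.groupdict(), label

def summarize(lines):
    """Count labels, and scanner-claiming requests per source IP (input for throttling)."""
    labels, per_ip = Counter(), Counter()
    for line in lines:
        fields, label = classify(line)
        labels[label] += 1
        if fields and label != "other":
            per_ip[fields["ip"]] += 1
    return labels, per_ip

UA = '"Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001"'
SAMPLE_LOG = [
    # First entry is the log line quoted in the article; the rest are constructed.
    '106.55.202.118 - - [07/Nov/2024:21:55:33 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%27%29%29 AND (SELECT*FROM(SELECT(SLEEP(4)))coce) limit 1# HTTP/1.1" 401 468 "https://live.tinywan.com/" ' + UA,
    '113.96.223.69 - - [07/Nov/2024:21:55:41 +0800] "GET /open/v3/live/record?action=eval&live_id=1 HTTP/1.1" 401 468 "-" ' + UA,
    '203.0.113.7 - - [07/Nov/2024:21:56:02 +0800] "GET /open/v3/live/record?live_id=1 HTTP/1.1" 401 468 "-" "Tencent Security Team"',
    '198.51.100.20 - - [07/Nov/2024:21:56:10 +0800] "GET /open/v3/live/record?live_id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    labels, per_ip = summarize(SAMPLE_LOG)
    print(dict(labels))
    print(dict(per_ip))
```

The per-IP counts returned by summarize give the request volume on which a rate limit for scanner traffic can be based.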
