Note: To protect ongoing investigations, certain case reference numbers and contact emails have been redacted. This table will be updated as investigations progress.
+ + +2026年3月6日——早于我们公开披露5天——美国信息技术与创新基金会 (ITIF) 发表文章 "Alipay Presents Real Risks — But Don't Rush to Ban It"。
+ITIF 被宾夕法尼亚大学评为全球最权威的科技政策智库。文章独立指出支付宝收集"购买记录、设备位置、身份证件、健康数据和生物特征标记",并呼吁 FTC 和 CFPB 对支付宝进行数据审计。文章还引用中国《国家情报法》第7条,指出中国政府可合法要求企业提交所收集的数据。
+这一完全独立的评估与我们的技术发现高度一致:当白名单绕过允许任意攻击者获取支付宝用户的GPS和设备信息时,数据主权风险被进一步放大。
+On March 6, 2026 — 5 days before our public disclosure — the Information Technology & Innovation Foundation (ITIF) published "Alipay Presents Real Risks — But Don't Rush to Ban It."
+ITIF is ranked by the University of Pennsylvania as the world's most authoritative science and technology policy think tank. The article independently identifies Alipay as collecting "purchase histories, device locations, government IDs, health data, and biometric markers," and calls for FTC and CFPB audits. It cites China's National Intelligence Law Article 7, noting the government can legally compel companies to share collected data.
+This entirely independent assessment is highly consistent with our technical findings: when a whitelist bypass allows arbitrary attackers to obtain users' GPS and device information, data sovereignty risks are amplified further.
+在厂商修复这些问题之前,普通用户可以采取以下措施降低风险:
+Until the vendor addresses these issues, ordinary users can take the following steps to reduce risk:
+| # | +措施Measure | +说明Description | +防护范围Coverage | +
|---|---|---|---|
| 1 | +不点击陌生链接Don't click unknown links | +收到含 ds.alipay.com 或 alipays:// 的链接时保持警惕,尤其是来自群聊、短信、邮件的链接Be cautious with links containing ds.alipay.com or alipays://, especially from group chats, SMS, or emails |
+ 全部漏洞All vulnerabilities | +
| 2 | +关闭定位权限Disable location permission | +在系统设置中将支付宝的定位权限改为"仅在使用时允许"或"关闭",需要时临时开启In system settings, change Alipay's location permission to "While Using" or "Off"; enable temporarily when needed | +GPS 静默外泄Silent GPS exfiltration | +
| 3 | +验证转账信息Verify transfer details | +任何弹出的转账/付款页面,务必仔细核对收款方信息,不要因为页面看起来"正常"就直接确认For any transfer/payment page that appears, carefully verify recipient information — don't confirm just because the page "looks normal" | +转账预填攻击Transfer pre-fill attack | +
| 4 | +关闭小额免密Disable small-amount password-free payments | +设置 → 支付设置 → 免密支付 → 关闭小额免密。确保每笔支付都需要密码/指纹确认Settings → Payment Settings → Password-free Payment → Disable. Ensure every payment requires password/biometric confirmation | +支付接口调用Payment interface invocation | +
| 5 | +保持应用更新Keep app updated | +如果厂商悄悄修复了部分问题(有社区反馈表明部分接口已变化),更新到最新版可获得保护If the vendor silently patches issues (community feedback suggests some APIs have changed), updating to the latest version provides protection | +已修补的接口Patched interfaces | +
This research has sparked professional discussions on GitHub, V2EX, LINUX DO and other platforms. We thank all security professionals who participated in the technical discussion and address the main questions below.
+来源:GitHub Issue #4 (sevck), V2EX (Puteulanus)
+我们同意:DeepLink 机制本身是移动生态的通用设计。我们从未将「DeepLink 存在」定义为漏洞。
+但核心问题是:支付宝自有域名 ds.alipay.com 的开放重定向允许任何人通过白名单域名将任意外部页面加载到支付宝的特权 WebView 中,获得完整的 JSBridge API 访问权限。这不是「DeepLink 存在」的问题,而是安全边界被完全突破。
类比:门锁是正常设计。但如果任何人可以用一张纸条打开你家门锁,那就是门锁的安全漏洞——不是「门锁这种设计不算漏洞」。
+Source: GitHub Issue #4 (sevck), V2EX (Puteulanus)
+We agree: DeepLink is a standard mechanism in the mobile ecosystem. We never defined "the existence of DeepLink" as a vulnerability.
+But the core issue is: Alipay's own domain ds.alipay.com has an open redirect that allows anyone to load arbitrary external pages into Alipay's privileged WebView via the whitelisted domain, gaining full JSBridge API access. This is not about "DeepLink existing" — it is about the security boundary being completely breached.
Analogy: A door lock is a normal design. But if anyone can open your door lock with a slip of paper, that's a vulnerability in the lock — not "door locks aren't vulnerabilities."
+来源:GitHub Issue #4 (sevck, rama291041610)
+这是一个权限委托 vs 权限滥用的问题。
+| 场景 | 用户期望 | 实际行为 |
|---|---|---|
| 用户授权支付宝使用 GPS | 支付宝自身功能使用 | ✅ 正常 |
| 外部攻击者通过 WebView 获取 GPS | 不在用户预期内 | ❌ 权限滥用 |
| 标准浏览器请求用户位置 | 弹窗请求确认 | ✅ W3C 标准行为 |
| 支付宝 WebView 中外部页面请求位置 | 应当弹窗确认 | ❌ 无弹窗,静默获取 |
正如参与讨论的 nailchu 所指出的:「我授权是授给你支付宝的,攻击方想拿就拿算怎么个事儿?就算浏览器也会跳'该网站正在请求位置信息'啊」
+用户把位置权限授予支付宝,是信任支付宝——不是信任任何能够加载到支付宝 WebView 中的随机网页。当攻击者的页面可以通过白名单绕过进入 WebView 并静默调用 getLocation,这就是对用户信任的滥用。
实测证据:308 条服务器日志记录了从 3 台真实设备静默获取的 GPS 坐标(8.8m 精度),7 秒内完成,0 次用户交互。GitHub Issue #5 的 freshnn 也独立确认 Android 上「无感 GPS」成功。
+Source: GitHub Issue #4 (sevck, rama291041610)
+This is a question of permission delegation vs. permission abuse.
+| Scenario | User Expectation | Actual Behavior |
|---|---|---|
| User grants Alipay GPS permission | Used by Alipay's own functions | ✅ Normal |
| External attacker accesses GPS via WebView | Not within user's expectation | ❌ Permission abuse |
| Standard browser requests location | Shows confirmation dialog | ✅ W3C standard |
| External page in Alipay WebView requests location | Should show dialog | ❌ No dialog, silent access |
As nailchu pointed out in the discussion: "I authorized Alipay, not any attacker who wants my location. Even browsers show 'This website is requesting your location.'"
+When users grant location permission to Alipay, they trust Alipay — not any random webpage that can be loaded into Alipay's WebView. When an attacker's page enters the WebView via whitelist bypass and silently calls getLocation, this is an abuse of user trust.
Evidence: 308 server log entries documenting GPS coordinates silently obtained from 3 real devices (8.8m accuracy), completed in 7 seconds, with 0 user interactions. freshnn on GitHub Issue #5 also independently confirmed "silent GPS" works on Android.
+来源:GitHub Issue #4 (sevck, rama291041610)
+我们部分同意:转账确实需要用户至少 2 次点击 + 密码/生物认证确认,不能自动完成。本报告已在相关章节明确标注此前提条件。
+但 Chrome 类比不准确:
+setTitle/showToast),攻击者可以伪造合法转账理由,降低用户警惕参与讨论的 cxxsheng 独立编写了 PoC,结论:「还是认为这个功能是漏洞,但是危害性会低一些」。他还引用了 CVE-2024-40676(Android 先例):减少用户交互步骤本身可以构成漏洞。
+Source: GitHub Issue #4 (sevck, rama291041610)
+We partially agree: Transfers indeed require at least 2 clicks + password/biometric confirmation and cannot complete automatically. This precondition is already explicitly stated in the relevant sections of this report.
+But the Chrome analogy is inaccurate:
+setTitle/showToast), attackers can fabricate legitimate-looking transfer reasons, reducing user vigilancecxxsheng independently wrote a PoC and concluded: "I still consider this a vulnerability, but with lower severity." He also cited CVE-2024-40676 (Android precedent): reducing user interaction steps itself can constitute a vulnerability.
+来源:GitHub Issue #5 (freshnn)
+freshnn 报告 iOS 可以调用并打开相关页面,但服务端收不到数据;Android 上「无感 GPS」则复现成功。
+可能原因:
+关键事实:我们的 iPhone 16 Pro (iOS 18.3) 测试确实成功获取了 GPS 数据(记录在服务器日志中),蚂蚁集团安全负责人的 iPhone 在杭州的测试也被我们成功获取了坐标。iOS 复现需要满足特定的服务器配置条件,并非漏洞不存在。
+我们将在 Issue #5 中提供详细的 iOS 复现排查指南。
+Source: GitHub Issue #5 (freshnn)
+freshnn reported that iOS can invoke and open the relevant pages, but the server receives no data; Android "silent GPS" was successfully reproduced.
+Possible causes:
+Key fact: Our iPhone 16 Pro (iOS 18.3) test did successfully obtain GPS data (recorded in server logs). Ant Group's security lead's iPhone in Hangzhou was also successfully captured. iOS reproduction requires specific server configuration — the vulnerability exists, but the PoC setup matters.
+We will provide a detailed iOS reproduction troubleshooting guide in Issue #5.
+来源:V2EX (Puteulanus)
+支付宝 WebView ≠ 标准浏览器。关键区别:
+| 能力 | 标准浏览器 | 支付宝 WebView (Nebula) |
|---|---|---|
| 位置请求 | 弹窗确认 | 静默获取 |
| 支付接口 | 无 | tradePay 可调用 |
| 内部页面导航 | 无 | startApp 可跳转敏感页面 |
| 设备指纹 | 标准 User-Agent | IMEI/品牌/型号/运营商 |
| UI 控制 | 受限 | setTitle/showToast 可伪造 |
白名单的存在本身就证明支付宝自己认为需要限制哪些页面可以访问这些特权 API。绕过白名单 = 绕过支付宝自己设定的安全边界。
+Source: V2EX (Puteulanus)
+Alipay WebView ≠ standard browser. Key differences:
+| Capability | Standard Browser | Alipay WebView (Nebula) |
|---|---|---|
| Location request | Confirmation dialog | Silent access |
| Payment API | None | tradePay callable |
| Internal navigation | None | startApp navigates to sensitive pages |
| Device fingerprint | Standard User-Agent | IMEI/Brand/Model/Carrier |
| UI control | Limited | setTitle/showToast spoofable |
The very existence of the whitelist proves that Alipay itself recognizes the need to restrict which pages can access these privileged APIs. Bypassing the whitelist = bypassing Alipay's own security boundary.
+本研究的有效性已获得多个独立第三方的验证:
+The validity of this research has been verified by multiple independent third parties:
+