icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: icybear:0f298946f404d461843652156854c81e0b999fcb
Branches Tags
icybear:main
...
compare: icybear:582fa970a39d8aa5abbed714371f57a8aa3a4dbc
Branches Tags
icybear:main

3 Commits
0f298946f4 ... 582fa970a3

Author SHA1 Message Date
feng
582fa970a3 fix: anonymize researcher reference per issue #10 request 
Remove named references to cxxsheng across 4 locations in index.html,
replacing with anonymous attribution ("独立安全研究者" / "An independent
security researcher"). Respects contributor's request to not be cited.

Closes #10

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-04-06 08:02:40 +08:00
feng
61b85c22ef update: Wave 3 deletion — 9th article deleted citing Cybersecurity Law 
- article_censorship.html: 8→9 articles, 2→3 waves
- Added Wave 3 timeline entry: Vol.04 PatchProxy deleted 2026-03-25
- Key contradiction: CAC Data Bureau confirmed Alipay investigation on SAME DAY
- Added deletion notice screenshot (evidence/wechat_wave3_deletion.png)

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-03-26 07:29:12 +08:00
feng
2630c97b31 feat: add disclosure timeline page — bilingual, SEO-optimized 
737-line timeline page covering 2024-2026 disclosure process
- Bilingual (Chinese/English) with color-coded event tags
- Full SEO: hreflang, og:image, twitter card, meta description
- Navigation consistent with other blog pages
- Legal-safe: facts only, no subjective claims

Co-Authored-By: Claude <noreply@anthropic.com>
 2026-03-25 09:38:06 +08:00
4 changed files with 760 additions and 13 deletions
Expand all files Collapse all files

25
article_censorship.html
View File

@@ -4,12 +4,12 @@
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>当"网络安全法"成为审查武器 | When "Cybersecurity Law" Becomes a Censorship Weapon — Innora AI Security Research</title>
<meta name="description" content="支付宝安全研究审查全记录:8篇微信文章被分波删除36份MITRE报告IACR论文已发表。完整时间线与证据。Censorship documented: 8 articles deleted.">
<meta name="description" content="支付宝安全研究审查全记录:9篇微信文章被分波删除36份MITRE报告IACR论文已发表。完整时间线与证据。Censorship documented: 8 articles deleted.">
<meta name="author" content="Jiqiang Feng — Innora AI Security Research">
<!-- Open Graph -->
<meta property="og:title" content="When 'Cybersecurity Law' Becomes a Censorship Weapon: A Security Researcher's Global Fight">
<meta property="og:description" content="8 WeChat articles force-deleted in 2 waves. 36 reports filed with MITRE. IACR paper published. 22 countries investigating. Full evidence and timeline.">
<meta property="og:description" content="9 WeChat articles force-deleted in 3 waves. 36 reports filed with MITRE. IACR paper published. 22 countries investigating. Full evidence and timeline.">
<meta property="og:type" content="article">
<meta property="og:url" content="https://innora.ai/zfb/article_censorship.html">
<meta property="og:image" content="https://innora.ai/zfb/og-image.png">
@@ -29,7 +29,7 @@
<!-- Twitter Card -->
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="When 'Cybersecurity Law' Becomes a Censorship Weapon">
<meta name="twitter:description" content="8 WeChat articles deleted in 2 waves. 36 MITRE reports filed. IACR paper published. First documented case of vendor switching legal grounds after platform rejection. Full evidence.">
<meta name="twitter:description" content="9 WeChat articles deleted in 3 waves. 36 MITRE reports filed. IACR paper published. First documented case of vendor switching legal grounds after platform rejection. Full evidence.">
<meta name="twitter:image" content="https://innora.ai/zfb/og-image.png">
<meta name="keywords" content="Alipay, security research, censorship, WeChat, cybersecurity law, CVE, MITRE, whistleblower, Ant Group, CSSF, HKMA, vulnerability disclosure">
@@ -620,7 +620,7 @@ footer a { color: var(--teal); }
"@context": "https://schema.org",
"@type": "Article",
"headline": "When 'Cybersecurity Law' Becomes a Censorship Weapon: A Security Researcher's Global Fight Against Corporate Suppression",
"description": "8 WeChat articles force-deleted in 2 waves. 36 reports filed with MITRE. IACR paper published. 22 countries investigating. Full timeline and evidence.",
"description": "9 WeChat articles force-deleted in 3 waves. 36 reports filed with MITRE. IACR paper published. 22 countries investigating. Full timeline and evidence.",
"datePublished": "2026-03-15",
"author": {"@type": "Person", "name": "Jiqiang Feng (风宁)", "email": "feng@innora.ai"},
"publisher": {"@type": "Organization", "name": "Innora AI Security Research", "url": "https://innora.ai"},
@@ -710,8 +710,8 @@ footer a { color: var(--teal); }
</h1>
<p class="subtitle">
<span class="zh">8篇微信安全研究文章被分两波强制删除。36份报告已提交MITRE。IACR学术论文已收录。22个国家的监管机构正在调查。真相不需要删除通知。</span>
<span class="en">8 WeChat security research articles forcibly deleted in 2 waves. 36 reports filed with MITRE. IACR paper published. 22 countries investigating. Truth needs no takedown notice.</span>
<span class="zh">9篇微信安全研究文章被分三波删除。36份报告已提交MITRE。IACR学术论文已收录。22个国家的监管机构正在调查。真相不需要删除通知。</span>
<span class="en">9 WeChat security research articles deleted in 3 waves. 36 reports filed with MITRE. IACR paper published. 22 countries investigating. Truth needs no takedown notice.</span>
</p>
<div class="hero-meta">
@@ -1106,10 +1106,19 @@ footer a { color: var(--teal); }
<span class="en"><strong>The escalation pattern is unmistakable:</strong></span>
</p>
<p>
<span class="zh">口头否认漏洞 → 律师函投诉"名誉侵权"(被驳回)→ 改用"网络安全法"第一波删4篇→ 研究员继续发表 → 再次删除第二波再删4篇→ 服务器端拦截PoC</span>
<span class="en">Verbal denial → Lawyer letter citing "reputation infringement" (rejected) → Switch to "Cybersecurity Law" (Wave 1: 4 articles deleted) → Researcher continues publishing → Second deletion (Wave 2: 4 more deleted) → Server-side PoC interception</span>
<span class="zh">口头否认漏洞 → 律师函投诉"名誉侵权"(被驳回)→ 改用"网络安全法"第一波删4篇→ 研究员继续发表 → 再次删除第二波再删4篇 网信办核查同日再删1篇第三波 服务器端拦截PoC</span>
<span class="en">Verbal denial → Lawyer letter citing "reputation infringement" (rejected) → Switch to "Cybersecurity Law" (Wave 1: 4 articles deleted) → Researcher continues publishing → Second deletion (Wave 2: 4 more deleted) → CAC investigation same day, 1 more deleted (Wave 3) → Server-side PoC interception</span>
</p>
</div>
<!-- Wave 3: Single Article Deletion (March 25) -->
<div class="timeline-item critical">
<div class="timeline-date">2026-03-25</div>
<p>
<span class="zh"><strong>第三波:网信办核查同日删除</strong> — Vol.04《支付宝146,173个方法可被远程替换——PatchProxy热修复的代码级铁证》被删除。删除理由明确引用"违反《中华人民共和国网络安全法》"。<strong>同一天(3月25日)中国网信办数据局正式通知研究员正在组织对支付宝App进行核查。</strong>揭露支付宝安全问题的文章被以"网络安全法"名义删除,与网络安全最高执法机构的调查行动形成直接矛盾。</span>
<span class="en"><strong>Wave 3: Deletion on Same Day as CAC Investigation</strong> — Vol.04 "Alipay's 146,173 Remotely Replaceable Methods — PatchProxy Hot-Patching" was deleted. The deletion notice explicitly cited "violation of the Cybersecurity Law of the PRC." <strong>On the same day (March 25), China's CAC Data Bureau formally notified the researcher that it was conducting an investigation into Alipay's data practices.</strong> An article exposing Alipay's security issues was deleted under "Cybersecurity Law" while the nation's top cybersecurity enforcement agency was simultaneously investigating the same company.</span>
</p>
</div>
</section>
<!-- ═══════════════════════════════════════════

737
disclosure-timeline.html Normal file
View File

@@ -0,0 +1,737 @@
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Disclosure Timeline — Alipay SecurityGuard Security Research | 披露时间线</title>
<link rel="alternate" hreflang="zh" href="https://innora.ai/zfb/disclosure-timeline.html" />
<link rel="alternate" hreflang="en" href="https://innora.ai/zfb/disclosure-timeline.html" />
<link rel="alternate" hreflang="x-default" href="https://innora.ai/zfb/disclosure-timeline.html" />
<meta name="description" content="支付宝SecurityGuard SDK安全研究完整披露时间线从初始发现到监管通报的全过程记录。Alipay SecurityGuard SDK security research disclosure timeline: from initial discovery to regulatory coordination.">
<meta name="author" content="Innora AI Security Research">
<meta property="og:title" content="Disclosure Timeline | Alipay SecurityGuard Security Research | 披露时间线">
<meta property="og:description" content="A factual record of the responsible disclosure process for the Alipay SecurityGuard SDK security research. 支付宝安全研究的负责任披露过程完整记录。">
<meta property="og:type" content="article">
<meta property="og:url" content="https://innora.ai/zfb/disclosure-timeline.html">
<meta property="og:image" content="https://innora.ai/zfb/og-image.png">
<meta property="og:image:width" content="1200">
<meta property="og:image:height" content="630">
<meta property="og:locale" content="zh_CN">
<meta property="og:locale:alternate" content="en_US">
<meta property="article:published_time" content="2026-03-25T00:00:00+08:00">
<meta property="article:modified_time" content="2026-03-25T00:00:00+08:00">
<meta property="article:author" content="Innora AI Security Research">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Disclosure Timeline | Alipay SecurityGuard Security Research">
<meta name="twitter:description" content="Factual chronological record of the Alipay SecurityGuard SDK responsible disclosure process. 36 CVEs filed. 9+ regulatory authorities briefed.">
<meta name="twitter:image" content="https://innora.ai/zfb/og-image.png">
<meta name="keywords" content="Alipay, SecurityGuard SDK, security research, disclosure timeline, CVE, responsible disclosure, MITRE, IACR, Zenodo, Ant Group, 支付宝, 安全研究, 披露时间线">
<link rel="canonical" href="https://innora.ai/zfb/disclosure-timeline.html">
<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>&#128274;</text></svg>">
<style>
:root {
--bg: #0a0a0f;
--surface: #12121a;
--border: rgba(255,255,255,0.08);
--text: #d0d0e0;
--muted: #7878a0;
--accent: #4488ff;
--accent2: #00d4aa;
--accent3: #ff6b6b;
--timeline-line: #2a2a3a;
}
* { box-sizing: border-box; margin: 0; padding: 0; }
body {
background: var(--bg);
color: var(--text);
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Noto Sans SC", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei", sans-serif;
font-size: 15px;
line-height: 1.75;
padding-top: 46px;
}
/* === NAV === */
.innora-nav-wrap {
position: fixed; top: 0; left: 0; width: 100%; z-index: 9999;
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Noto Sans SC", sans-serif;
}
.innora-nav {
display: flex; justify-content: space-between; align-items: center;
padding: 0 20px; height: 46px;
background: rgba(18,18,26,0.92);
backdrop-filter: blur(10px); -webkit-backdrop-filter: blur(10px);
border-bottom: 1px solid rgba(255,255,255,0.08);
}
.innora-nav a.brand { color: #e0e0e8; text-decoration: none; font-weight: 600; font-size: 0.95rem; }
.innora-nav-links { display: flex; list-style: none; gap: 12px; flex-wrap: wrap; }
.innora-nav-links a { color: #9898a8; text-decoration: none; font-size: 0.8rem; transition: color 0.2s; }
.innora-nav-links a:hover, .innora-nav-links a.active { color: #4488ff; font-weight: bold; }
.innora-hmb { display: none; flex-direction: column; gap: 4px; background: none; border: none; cursor: pointer; padding: 6px; }
.innora-hmb i { display: block; width: 22px; height: 2px; background: #9898a8; border-radius: 1px; }
@media(max-width:700px){
.innora-nav-links { display: none; position: absolute; top: 46px; left: 0; width: 100%; flex-direction: column; background: rgba(18,18,26,0.97); padding: 8px 0; gap: 0; }
.innora-nav-links.open { display: flex; }
.innora-nav-links li { text-align: center; padding: 8px; }
.innora-hmb { display: flex; }
}
/* === LAYOUT === */
.page-wrapper {
max-width: 820px;
margin: 0 auto;
padding: 40px 20px 80px;
}
/* === HEADER === */
.page-header {
text-align: center;
padding: 40px 0 32px;
border-bottom: 1px solid var(--border);
margin-bottom: 40px;
}
.page-header .label {
display: inline-block;
background: rgba(68,136,255,0.12);
color: var(--accent);
border: 1px solid rgba(68,136,255,0.3);
border-radius: 20px;
padding: 4px 14px;
font-size: 12px;
font-weight: 600;
letter-spacing: 1px;
text-transform: uppercase;
margin-bottom: 16px;
}
.page-header h1 {
font-size: 28px;
font-weight: 800;
color: #e8e8f0;
line-height: 1.3;
margin-bottom: 10px;
}
.page-header .subtitle {
font-size: 14px;
color: var(--muted);
margin-bottom: 8px;
}
.page-header .updated {
font-size: 12px;
color: #4a4a6a;
}
/* === AI DISCLOSURE === */
.ai-notice {
background: rgba(68,136,255,0.06);
border-left: 3px solid var(--accent);
border-radius: 0 6px 6px 0;
padding: 10px 15px;
margin-bottom: 28px;
font-size: 13px;
color: var(--muted);
line-height: 1.6;
}
.ai-notice strong { color: var(--accent); }
/* === YEAR HEADING === */
.year-heading {
display: flex;
align-items: center;
gap: 12px;
margin: 40px 0 8px;
}
.year-heading .year-badge {
background: var(--accent);
color: #fff;
font-size: 18px;
font-weight: 900;
padding: 4px 16px;
border-radius: 4px;
letter-spacing: 1px;
}
.year-heading .year-line {
flex: 1;
height: 1px;
background: linear-gradient(90deg, rgba(68,136,255,0.4), transparent);
}
/* === TIMELINE === */
.timeline {
position: relative;
padding-left: 32px;
margin-top: 8px;
}
.timeline::before {
content: '';
position: absolute;
left: 8px;
top: 4px;
bottom: 4px;
width: 2px;
background: linear-gradient(180deg, var(--accent) 0%, var(--accent2) 60%, #4a4a6a 100%);
border-radius: 1px;
}
.timeline-item {
position: relative;
margin-bottom: 0;
padding-bottom: 28px;
}
.timeline-item:last-child {
padding-bottom: 0;
}
.timeline-item::before {
content: '';
position: absolute;
left: -28px;
top: 6px;
width: 10px;
height: 10px;
background: var(--accent);
border-radius: 50%;
border: 2px solid var(--bg);
box-shadow: 0 0 0 2px var(--accent);
}
.timeline-item.minor::before {
width: 8px;
height: 8px;
top: 7px;
left: -27px;
background: var(--surface);
border-color: var(--accent2);
box-shadow: 0 0 0 2px var(--accent2);
}
.timeline-item.milestone::before {
width: 12px;
height: 12px;
top: 5px;
left: -29px;
background: var(--accent);
box-shadow: 0 0 0 3px rgba(68,136,255,0.3);
}
.event-card {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 8px;
padding: 14px 16px;
transition: border-color 0.2s;
}
.event-card:hover {
border-color: rgba(68,136,255,0.3);
}
.event-date {
font-size: 11px;
font-weight: 700;
letter-spacing: 0.5px;
color: var(--accent);
text-transform: uppercase;
margin-bottom: 4px;
font-family: "SF Mono", "Fira Code", Consolas, monospace;
}
.event-title-zh {
font-size: 15px;
font-weight: 700;
color: #d8d8e8;
margin-bottom: 2px;
line-height: 1.5;
}
.event-title-en {
font-size: 13px;
color: var(--muted);
line-height: 1.5;
margin-bottom: 6px;
}
.event-detail {
font-size: 13px;
color: #5a5a7a;
line-height: 1.6;
}
.tag {
display: inline-block;
font-size: 11px;
padding: 2px 8px;
border-radius: 3px;
font-weight: 600;
margin-right: 6px;
margin-top: 4px;
vertical-align: middle;
}
.tag-cve { background: rgba(255,107,107,0.12); color: #ff6b6b; border: 1px solid rgba(255,107,107,0.3); }
.tag-pub { background: rgba(0,212,170,0.10); color: #00d4aa; border: 1px solid rgba(0,212,170,0.25); }
.tag-reg { background: rgba(255,180,0,0.10); color: #ffb400; border: 1px solid rgba(255,180,0,0.25); }
.tag-vendor { background: rgba(120,120,160,0.12); color: #9898c8; border: 1px solid rgba(120,120,160,0.3); }
.tag-arch { background: rgba(68,136,255,0.12); color: #4488ff; border: 1px solid rgba(68,136,255,0.3); }
/* === RESOURCES === */
.resources-section {
margin-top: 48px;
padding-top: 32px;
border-top: 1px solid var(--border);
}
.resources-section h2 {
font-size: 18px;
font-weight: 700;
color: #d0d0e0;
margin-bottom: 20px;
}
.resource-grid {
display: grid;
grid-template-columns: repeat(auto-fill, minmax(260px, 1fr));
gap: 12px;
}
.resource-card {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 8px;
padding: 14px 16px;
text-decoration: none;
display: block;
transition: border-color 0.2s, background 0.2s;
}
.resource-card:hover {
border-color: rgba(68,136,255,0.4);
background: rgba(68,136,255,0.04);
}
.resource-card .res-label {
font-size: 11px;
color: var(--muted);
text-transform: uppercase;
letter-spacing: 0.5px;
margin-bottom: 4px;
}
.resource-card .res-title {
font-size: 14px;
color: var(--accent);
font-weight: 600;
word-break: break-all;
}
.resource-card .res-desc {
font-size: 12px;
color: #5a5a7a;
margin-top: 4px;
}
/* === FOOTER BOXES === */
.footer-box {
margin-top: 40px;
border-radius: 8px;
padding: 18px 20px;
font-size: 14px;
line-height: 1.7;
}
.footer-box.nature {
background: rgba(0,180,100,0.06);
border: 1px solid rgba(0,180,100,0.2);
}
.footer-box.nature strong { color: #00b464; }
.footer-box.author {
background: rgba(255,255,255,0.03);
border: 1px solid var(--border);
margin-top: 16px;
}
.footer-box.author .author-name {
font-size: 16px;
font-weight: 700;
color: #d8d8e8;
margin-bottom: 4px;
}
.footer-box.author .author-meta {
font-size: 13px;
color: var(--muted);
}
.footer-box.author .author-quote {
font-size: 12px;
color: #4a4a6a;
font-style: italic;
margin-top: 6px;
}
/* === BACK TO TOP === */
#btt {
display: none;
position: fixed;
bottom: 24px;
right: 20px;
background: rgba(68,136,255,0.15);
border: 1px solid rgba(68,136,255,0.3);
color: var(--accent);
border-radius: 50%;
width: 38px;
height: 38px;
font-size: 18px;
cursor: pointer;
text-align: center;
line-height: 36px;
z-index: 100;
transition: background 0.2s;
}
#btt:hover { background: rgba(68,136,255,0.25); }
</style>
</head>
<body>
<!-- NAV -->
<header class="innora-nav-wrap">
<nav class="innora-nav">
<a href="/zfb/" class="brand">Innora Security Research</a>
<ul class="innora-nav-links" id="inav">
<li><a href="/zfb/">Home 首页</a></li>
<li><a href="/zfb/patchproxy-146k.html">PatchProxy</a></li>
<li><a href="/zfb/privacy-analysis.html">Privacy 隐私</a></li>
<li><a href="/zfb/transport-encryption.html">Encryption 加密</a></li>
<li><a href="/zfb/rebuttal.html">Rebuttal 反驳</a></li>
<li><a href="/zfb/regulatory-complaint.html">Regulatory 监管</a></li>
<li><a href="/zfb/disclosure-timeline.html" class="active">Timeline 时间线</a></li>
</ul>
<button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')">
<i></i><i></i><i></i>
</button>
</nav>
</header>
<div class="page-wrapper">
<!-- PAGE HEADER -->
<div class="page-header">
<div class="label">Responsible Disclosure | 负责任披露</div>
<h1>Disclosure Timeline<br><span style="font-size:20px;font-weight:600;color:#9898b8;">披露时间线</span></h1>
<p class="subtitle">A factual chronological record of the Alipay SecurityGuard SDK security research and disclosure process.<br>支付宝 SecurityGuard SDK 安全研究与披露过程的客观时间线记录。</p>
<p class="updated">Last updated: 2026-03-25 | Research period: 2024 Q1 2026 Q1</p>
</div>
<!-- AI NOTICE -->
<div class="ai-notice">
<strong>内容标识 / Content Notice:</strong>&nbsp;
本页面内容基于可核实的客观事实记录,所有时间节点均有文件或公开记录作为来源。部分文本整理使用了 AI 辅助。
This page documents verifiable, objective events only. All timestamps are sourced from contemporaneous records or public archives. Text editing assisted by AI.
</div>
<!-- ===== 2024 ===== -->
<div class="year-heading">
<div class="year-badge">2024</div>
<div class="year-line"></div>
</div>
<div class="timeline">
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Q1 Q2 2024</div>
<div class="event-title-zh">启动对 SecurityGuard v2 SDK 的初步分析</div>
<div class="event-title-en">Initial discovery and analysis of SecurityGuard v2 SDK</div>
<div class="event-detail">
通过公开渠道获取的支付宝 APKAndroid 版本),对内嵌的 SecurityGuard v2 SDK 进行初步静态分析,识别关键组件与架构模式。<br>
Began static analysis of SecurityGuard v2 SDK embedded in publicly available Alipay APK builds. Identified key components and architectural patterns.
<span class="tag tag-arch">Analysis</span>
</div>
</div>
</div>
</div><!-- /timeline 2024 -->
<!-- ===== 2025 ===== -->
<div class="year-heading">
<div class="year-badge">2025</div>
<div class="year-line"></div>
</div>
<div class="timeline">
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Q3 Q4 2025</div>
<div class="event-title-zh">深入分析加密实现、原生代码与隐私机制</div>
<div class="event-title-en">Deep analysis of cryptographic implementations, native code, and privacy mechanisms</div>
<div class="event-detail">
系统性分析 SDK 的密码学实现、热修复机制PatchProxy / AVMP、网络通信层及数据收集行为。研究范围扩展至原生 .so 库与 JNI 层。<br>
Systematic analysis of cryptographic implementations, hot-patch mechanisms (PatchProxy / AVMP), network communication layers, and data collection behaviors. Scope extended to native .so libraries and JNI layer.
<span class="tag tag-arch">Deep Dive</span>
</div>
</div>
</div>
</div><!-- /timeline 2025 -->
<!-- ===== 2026 ===== -->
<div class="year-heading">
<div class="year-badge">2026</div>
<div class="year-line"></div>
</div>
<div class="timeline">
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Feb 25, 2026</div>
<div class="event-title-zh">通过 AntSRC 向厂商提交漏洞报告</div>
<div class="event-title-en">Vulnerability report submitted to vendor via AntSRC</div>
<div class="event-detail">
通过蚂蚁集团官方安全漏洞响应渠道AntSRC / security@antgroup.com提交详细技术报告启动负责任披露流程。<br>
Detailed technical report submitted via Ant Group's official security vulnerability response channel (AntSRC / security@antgroup.com), initiating the responsible disclosure process.
<span class="tag tag-vendor">Vendor Contact</span>
</div>
</div>
</div>
<div class="timeline-item">
<div class="event-card">
<div class="event-date">Mar 10, 2026</div>
<div class="event-title-zh">厂商回复:认定为"正常功能"</div>
<div class="event-title-en">Vendor responds: classified as "normal function"</div>
<div class="event-detail">
蚂蚁集团通过 AntSRC 渠道回复,将报告中涉及的技术行为定性为"正常功能",未提出修复计划。<br>
Ant Group replied via AntSRC, classifying the reported technical behaviors as "normal function" with no remediation plan indicated.
<span class="tag tag-vendor">Vendor Response</span>
</div>
</div>
</div>
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Mar 12, 2026</div>
<div class="event-title-zh">向 MITRE 提交首批 CVE 报告Ticket #20058019 份 CVE</div>
<div class="event-title-en">First MITRE CVE submission — Ticket #2005801, 9 CVE reports</div>
<div class="event-detail">
鉴于厂商回复不认可,依据 MITRE CVE 提交流程,正式向 MITRE 提交首批 CVE 报告,覆盖密码学、热修复与隐私等多个技术领域。<br>
Following the vendor's non-acknowledgment, formally submitted the first batch of CVE reports to MITRE covering cryptography, hot-patch, and privacy domains.
<span class="tag tag-cve">CVE Submission</span>
</div>
</div>
</div>
<div class="timeline-item">
<div class="event-card">
<div class="event-date">Mar 12 Mar 22, 2026</div>
<div class="event-title-zh">8 篇技术分析文章在微信公众号发布</div>
<div class="event-title-en">8 technical analysis articles published on WeChat Official Account</div>
<div class="event-detail">
以中文撰写并发布 8 篇系列技术分析文章("The Nora Chronicles"),涵盖 PatchProxy 机制、加密降级、隐私分析、DeepLink 攻击面等专题。<br>
Published 8 technical analysis articles in Chinese ("The Nora Chronicles") covering PatchProxy, encryption downgrade, privacy analysis, DeepLink attack surface, and related topics.
<span class="tag tag-pub">Published</span>
</div>
</div>
</div>
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Mar 17, 2026</div>
<div class="event-title-zh">GitHub 代码库公开发布</div>
<div class="event-title-en">GitHub repository published</div>
<div class="event-detail">
正式公开 GitHub 证据仓库包含技术报告、反编译代码片段jadx、脚本及 Docker 验证环境说明。<br>
Publicly released GitHub evidence repository containing technical reports, decompiled code excerpts (jadx), scripts, and Docker verification environment documentation.
<span class="tag tag-pub">Published</span>
<span class="tag tag-arch">github.com/sgInnora/alipay-securityguard-analysis</span>
</div>
</div>
</div>
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Mar 19, 2026</div>
<div class="event-title-zh">IACR ePrint 论文发布(编号 2026/526</div>
<div class="event-title-en">IACR ePrint paper published — 2026/526</div>
<div class="event-detail">
在国际密码学研究协会IACRePrint 服务器发布预印本研究论文,题目:"Broken by Design: A Static Analysis of Alipay's SecurityGuard SDK"。注ePrint 为预印本服务,不属于同行评审出版物。<br>
Published preprint research paper on the IACR ePrint server: "Broken by Design: A Static Analysis of Alipay's SecurityGuard SDK." Note: ePrint is a preprint service, not a peer-reviewed publication.
<span class="tag tag-pub">Academic Record</span>
<span class="tag tag-arch">eprint.iacr.org/2026/526</span>
</div>
</div>
</div>
<div class="timeline-item">
<div class="event-card">
<div class="event-date">Mar 19, 2026</div>
<div class="event-title-zh">Packet Storm Security 收录(编号 #217089</div>
<div class="event-title-en">Packet Storm Security publication — #217089</div>
<div class="event-detail">
安全漏洞信息聚合平台 Packet Storm Security 收录本研究,进一步扩大技术社区的可见度。<br>
Research indexed by Packet Storm Security, a widely referenced security advisory aggregation platform.
<span class="tag tag-pub">Published</span>
<span class="tag tag-arch">packetstormsecurity.com/files/217089</span>
</div>
</div>
</div>
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Mar 19 Mar 23, 2026</div>
<div class="event-title-zh">后续 MITRE CVE 提交Batch 14累计 36 份 CVE11 个工单)</div>
<div class="event-title-en">Additional MITRE submissions — Batches 14, total 36 CVE reports across 11 tickets</div>
<div class="event-detail">
在初始提交基础上,分四批次陆续向 MITRE 提交补充 CVE 报告覆盖认证机制、JSBridge 授权、Wi-Fi 追踪、弱随机数等新发现领域。<br>
Submitted four additional batches of CVE reports to MITRE covering authentication mechanisms, JSBridge authorization, Wi-Fi tracking, weak random number generation, and other newly documented areas.
<span class="tag tag-cve">36 CVE Reports</span>
<span class="tag tag-cve">11 Tickets</span>
</div>
</div>
</div>
<div class="timeline-item">
<div class="event-card">
<div class="event-date">Mar 22, 2026</div>
<div class="event-title-zh">8 篇微信文章因厂商投诉被移除</div>
<div class="event-title-en">8 WeChat articles removed following vendor complaint</div>
<div class="event-detail">
微信平台依据蚂蚁集团经代理律师事务所提出的投诉,将前期发布的 8 篇技术分析文章下架。各文章已同步存档于 innora.ai/zfb/ 永久保存。<br>
WeChat platform removed the 8 previously published technical analysis articles following a complaint filed by Ant Group through a proxy law firm. All articles are permanently archived at innora.ai/zfb/.
<span class="tag tag-vendor">Platform Removal</span>
</div>
</div>
</div>
<div class="timeline-item">
<div class="event-card">
<div class="event-date">Mar 22, 2026</div>
<div class="event-title-zh">创建 Mastodon 账号infosec.exchange/@Innora</div>
<div class="event-title-en">Mastodon account created — infosec.exchange/@Innora</div>
<div class="event-detail">
在去中心化社交平台 Mastodon 的 infosec.exchange 实例创建账号,建立独立于平台审查的技术社区沟通渠道。<br>
Created account on infosec.exchange Mastodon instance to establish a communication channel independent of centralized platform moderation.
<span class="tag tag-arch">Platform</span>
</div>
</div>
</div>
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Mar 23, 2026</div>
<div class="event-title-zh">Zenodo 永久学术存档DOI: 10.5281/zenodo.19186848</div>
<div class="event-title-en">Zenodo permanent academic archive — DOI: 10.5281/zenodo.19186848</div>
<div class="event-detail">
在欧洲核子研究中心CERN运营的 Zenodo 平台完成研究材料的永久学术存档,获得不可删除的 DOI确保数字内容长期可访问性。<br>
Completed permanent academic archival of research materials on Zenodo (operated by CERN), obtaining a non-revocable DOI ensuring long-term digital accessibility.
<span class="tag tag-pub">Permanent Archive</span>
<span class="tag tag-arch">doi.org/10.5281/zenodo.19186848</span>
</div>
</div>
</div>
<div class="timeline-item milestone">
<div class="event-card">
<div class="event-date">Mar 23, 2026</div>
<div class="event-title-zh">Docker 验证环境发布37/37 测试通过)</div>
<div class="event-title-en">Docker verification environment published — 37/37 tests pass</div>
<div class="event-detail">
发布完整的 Docker 化验证环境,使第三方研究人员可独立复现全部 37 项技术发现,所有测试 100% 通过。验证脚本与 Dockerfile 均已包含在 GitHub 仓库中。<br>
Published complete Dockerized verification environment enabling independent third-party reproduction of all 37 technical findings with 100% test pass rate. Verification scripts and Dockerfile included in GitHub repository.
<span class="tag tag-pub">Reproducible</span>
<span class="tag tag-arch">37 / 37 Tests Pass</span>
</div>
</div>
</div>
<div class="timeline-item">
<div class="event-card">
<div class="event-date">Mar 13 Mar 25, 2026</div>
<div class="event-title-zh">已向 9+ 国家/地区的监管机构通报</div>
<div class="event-title-en">Regulatory authorities in 9+ countries/regions briefed</div>
<div class="event-detail">
依据各机构的管辖范围,向多个国家和地区的监管机构提交技术简报,涵盖金融监管、数据保护、网络安全应急响应等职能类型。<br>
Technical briefings submitted to regulatory authorities across multiple jurisdictions based on their respective mandates, covering financial regulation, data protection, and cybersecurity incident response functions.
<span class="tag tag-reg">Regulatory</span>
<span class="tag tag-reg">9+ Jurisdictions</span>
</div>
</div>
</div>
</div><!-- /timeline 2026 -->
<!-- ===== RESOURCES ===== -->
<div class="resources-section">
<h2>关键资源 / Key Resources</h2>
<div class="resource-grid">
<a href="https://github.com/sgInnora/alipay-securityguard-analysis" class="resource-card" target="_blank" rel="noopener">
<div class="res-label">GitHub Repository</div>
<div class="res-title">github.com/sgInnora/<br>alipay-securityguard-analysis</div>
<div class="res-desc">Technical evidence, scripts, Docker environment | 技术证据、脚本、Docker环境</div>
</a>
<a href="https://eprint.iacr.org/2026/526" class="resource-card" target="_blank" rel="noopener">
<div class="res-label">IACR ePrint (Preprint)</div>
<div class="res-title">eprint.iacr.org/2026/526</div>
<div class="res-desc">Research preprint — not peer reviewed | 预印本论文(非同行评审)</div>
</a>
<a href="https://doi.org/10.5281/zenodo.19186848" class="resource-card" target="_blank" rel="noopener">
<div class="res-label">Zenodo Permanent Archive</div>
<div class="res-title">doi.org/10.5281/<br>zenodo.19186848</div>
<div class="res-desc">Permanent DOI — CERN/Zenodo | 不可撤销的学术存档</div>
</a>
<a href="https://packetstormsecurity.com/files/217089" class="resource-card" target="_blank" rel="noopener">
<div class="res-label">Packet Storm Security</div>
<div class="res-title">packetstormsecurity.com/<br>files/217089</div>
<div class="res-desc">Security advisory index entry | 安全公告索引</div>
</a>
<a href="https://innora.ai/zfb/" class="resource-card" target="_blank" rel="noopener">
<div class="res-label">Research Blog</div>
<div class="res-title">innora.ai/zfb/</div>
<div class="res-desc">Technical analysis articles archive | 技术分析文章存档</div>
</a>
<a href="https://infosec.exchange/@Innora" class="resource-card" target="_blank" rel="noopener">
<div class="res-label">Mastodon</div>
<div class="res-title">infosec.exchange/@Innora</div>
<div class="res-desc">Research updates and announcements | 研究动态与公告</div>
</a>
</div>
</div>
<!-- ===== FOOTER BOXES ===== -->
<div class="footer-box nature">
<p style="margin-bottom:8px"><strong>研究性质声明 / Research Nature Statement</strong></p>
<p style="color:#a0a0c0;font-size:13px;line-height:1.7;margin-bottom:8px">
本研究基于公开渠道获取的 Android APK 文件(支付宝 v10.8.30.8000进行静态反编译分析jadx未侵入任何受保护计算机系统。所有技术结论可通过对同版本 APK 执行相同分析流程独立验证。
</p>
<p style="color:#a0a0c0;font-size:13px;line-height:1.7;margin-bottom:8px">
This research is based on static decompilation analysis (jadx) of publicly available Android APK files (Alipay v10.8.30.8000). No protected computer systems were accessed. All technical findings are independently reproducible by applying the same analysis methodology to the same APK version.
</p>
<p style="color:#a0a0c0;font-size:13px;line-height:1.7;margin-bottom:8px">
<strong style="color:#00b464">AI 辅助标识 / AI Assistance:</strong> 本页面使用 Claude 辅助文本整理,时间线事实记录由人工核实。<br>
This page used Claude for text editing assistance. Timeline facts were manually verified.
</p>
<p style="color:#a0a0c0;font-size:13px">
<strong style="color:#00b464">许可协议 / License:</strong> CC BY-NC-SA 4.0 &nbsp;|&nbsp;
<strong style="color:#00b464">联系 / Contact:</strong> security@innora.ai
</p>
</div>
<div class="footer-box author">
<div class="author-name">Feng Ning (风宁)</div>
<div class="author-meta">Innora.ai &nbsp;·&nbsp; CISSP &nbsp;·&nbsp; Penang, Malaysia</div>
<div class="author-quote">"No Code is Done until it is Committed and Documented."</div>
</div>
</div><!-- /page-wrapper -->
<button id="btt" title="Back to top">&#8593;</button>
<script>
(function(){
var p = location.pathname;
document.querySelectorAll('.innora-nav-links a').forEach(function(a){
var href = a.getAttribute('href') || '';
if(p.endsWith(href.replace('/zfb/','')) || ((p.endsWith('/zfb/') || p.endsWith('/zfb')) && href === '/zfb/')){
a.style.color = '#4488ff';
a.style.fontWeight = 'bold';
}
});
var b = document.getElementById('btt');
if(b){
window.addEventListener('scroll', function(){
b.style.display = window.scrollY > 400 ? 'block' : 'none';
});
b.addEventListener('click', function(){ window.scrollTo({top:0, behavior:'smooth'}); });
}
})();
</script>
</body>
</html>

BIN
evidence/wechat_wave3_deletion.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 298 KiB

11
index.html
View File

@@ -2565,7 +2565,7 @@ Language/zh-Hant Region/CN</code></pre>
<li>支付宝的预填是<strong>攻击者通过 URL 参数指定</strong>收款账号和金额 — 性质完全不同</li>
<li>结合 UI 欺骗能力(<code>setTitle</code>/<code>showToast</code>),攻击者可以伪造合法转账理由,降低用户警惕</li>
</ul>
<p>参与讨论的 <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/4" target="_blank">cxxsheng</a> 独立编写了 PoC结论<em>「还是认为这个功能是漏洞,但是危害性会低一些」</em>还引用了 <a href="https://github.com/advisories/GHSA-88q7-6vxh-w5q7" target="_blank">CVE-2024-40676</a>Android 先例):减少用户交互步骤本身可以构成漏洞。</p>
<p>一位参与讨论的独立安全研究者编写了 PoC结论<em>「还是认为这个功能是漏洞,但是危害性会低一些」</em>该研究者还引用了 <a href="https://github.com/advisories/GHSA-88q7-6vxh-w5q7" target="_blank">CVE-2024-40676</a>Android 先例):减少用户交互步骤本身可以构成漏洞。</p>
</div>
<div class="en">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #4 (sevck, rama2910****10)</p>
@@ -2576,7 +2576,7 @@ Language/zh-Hant Region/CN</code></pre>
<li>Alipay's pre-fill is <strong>specified by the attacker via URL parameters</strong> for recipient account and amount — fundamentally different</li>
<li>Combined with UI spoofing (<code>setTitle</code>/<code>showToast</code>), attackers can fabricate legitimate-looking transfer reasons, reducing user vigilance</li>
</ul>
<p><a href="https://github.com/sgInnora/alipay-deeplink-research/issues/4" target="_blank">cxxsheng</a> independently wrote a PoC and concluded: <em>"I still consider this a vulnerability, but with lower severity."</em> He also cited <a href="https://github.com/advisories/GHSA-88q7-6vxh-w5q7" target="_blank">CVE-2024-40676</a> (Android precedent): reducing user interaction steps itself can constitute a vulnerability.</p>
<p>An independent security researcher wrote a PoC and concluded: <em>"I still consider this a vulnerability, but with lower severity."</em> The researcher also cited <a href="https://github.com/advisories/GHSA-88q7-6vxh-w5q7" target="_blank">CVE-2024-40676</a> (Android precedent): reducing user interaction steps itself can constitute a vulnerability.</p>
</div>
</div>
@@ -2667,7 +2667,7 @@ Language/zh-Hant Region/CN</code></pre>
<li><strong>PDPC 新加坡</strong> — 启动正式数据保护调查 (#006****24)</li>
<li><strong>CIRCL 卢森堡 CERT</strong> — 事件处理人员主动代为联系 Alibaba SRC</li>
<li><strong>HKMA 香港金管局</strong> — 立案调查 (Case CE2026****5412)</li>
<li><strong>cxxsheng</strong>GitHub 安全研究者)— 独立编写 PoC 后确认漏洞存在</li>
<li><strong>独立安全研究者</strong>GitHub— 独立编写 PoC 后确认漏洞存在</li>
<li><strong>freshnn</strong>GitHub 用户)— 独立确认 Android 无感 GPS 复现成功</li>
</ul>
</div>
@@ -2682,7 +2682,7 @@ Language/zh-Hant Region/CN</code></pre>
<li><strong>PDPC Singapore</strong> — Formal data protection investigation (#006****24)</li>
<li><strong>CIRCL Luxembourg CERT</strong> — Incident handler proactively contacted Alibaba SRC on our behalf</li>
<li><strong>HKMA Hong Kong</strong> — Case filed (CE2026****5412)</li>
<li><strong>cxxsheng</strong> (GitHub researcher) — Independently wrote PoC and confirmed vulnerability exists</li>
<li><strong>Independent researcher</strong> (GitHub) — Independently wrote PoC and confirmed vulnerability exists</li>
<li><strong>freshnn</strong> (GitHub user) — Independently confirmed silent GPS reproduction on Android</li>
</ul>
</div>
@@ -2864,7 +2864,8 @@ if (saved === 'zh') setLang('zh');
<a href="https://github.com/sgInnora/alipay-securityguard-analysis" style="color:#4488ff">GitHub</a> ·
<a href="https://zenodo.org/records/19186848" style="color:#4488ff">Zenodo</a> ·
<a href="https://eprint.iacr.org/2026/526" style="color:#4488ff">IACR</a> ·
<a href="https://packetstormsecurity.com/files/217089/" style="color:#4488ff">Packet Storm</a>
<a href="https://packetstormsecurity.com/files/217089/" style="color:#4488ff">Packet Storm</a> ·
<a href="https://infosec.exchange/@Innora" style="color:#4488ff" rel="me">Mastodon</a>
</p>
</footer>
<script>document.addEventListener('DOMContentLoaded',function(){var p=location.pathname;document.querySelectorAll('.innora-nav-links a').forEach(function(a){if(p.endsWith(a.getAttribute('href').replace('/zfb/',''))||((p.endsWith('/zfb/')||p.endsWith('/zfb'))&&a.getAttribute('href')=='/zfb/'))a.style.color='#4488ff';a.style.fontWeight='bold'});var b=document.getElementById('btt');if(b)window.addEventListener('scroll',function(){b.style.display=window.scrollY>400?'block':'none'})});</script>