# Alipay DeepLink + JSBridge Security Research **17 Verified Vulnerabilities | 3 Devices | 308 Server Log Entries** ## Full Report - **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) - **GitHub Mirror**: This repository ## Summary This repository documents a comprehensive security research project that uncovered **17 security vulnerabilities** in Alipay's DeepLink URI scheme (`alipays://`) and its Nebula WebView container. ### Key Findings | Severity | Count | Examples | |----------|-------|---------| | **CRITICAL** | 3 | GPS silent theft, Transfer pre-fill, Payment initiation | | **HIGH** | 6 | Device fingerprinting, UI spoofing, Session leak | | **MEDIUM** | 8 | Network info, Chain WebView, Scheme injection | ### Attack Chain ``` External SMS/QQ/WeChat Link → Browser opens alipays:// DeepLink → Alipay launches with attacker's URL in WebView → AlipayJSBridge APIs exposed to external page → Silent data collection (GPS, device info, session) → UI spoofing (title bar, toast notifications) → Sensitive page navigation (transaction history, transfer) ``` ### Cross-Platform Verification - Samsung Galaxy S25 Ultra (Android 15, New Zealand) - Redmi 12 (Android 14, Malaysia) - iPhone 16 Pro (iOS 18.3, China) ## Live PoC (Read-Only Demo) > **No data is collected or transmitted.** All results display locally only. - [Trigger Page](https://innora.ai/zfb/poc/trigger.html) — Simulates attacker distribution page - [JSBridge PoC](https://innora.ai/zfb/poc/verify.html) — Demonstrates API access from external page - [Chain WebView](https://innora.ai/zfb/poc/chain.html) — Proves chained pages retain bridge access ## Responsible Disclosure Timeline | Date | Action | |------|--------| | 2026-02-25 | Initial report sent to Ant Group SRC (TLS/SSL findings) | | 2026-03-07 | Full report V3 sent with 17 vulnerabilities + 308 log entries | | 2026-03-08 | Ant Group response: "These are normal features" (正常功能) | | 2026-03-11 | Public disclosure after vendor declined to acknowledge | ## Repository Structure ``` ├── index.html # Full bilingual (CN/EN) research blog ├── poc/ │ ├── trigger.html # Attack trigger simulation page │ ├── verify.html # JSBridge exploitation PoC │ └── chain.html # Chain WebView demonstration ├── review_kimi.md # Kimi K2 cross-validation review ├── review_sonnet.md # Sonnet review ├── review_summary.md # Review summary └── README.md # This file ``` ## Evidence - **308 server exfiltration log entries** (JSONL format, not included in public repo) - **42 real-device screenshots** (not included in public repo) - Full evidence available upon request: feng@innora.ai ## Legal Disclaimer This research is conducted for **educational and security improvement purposes only**. All testing was performed on accounts owned by the researcher. No unauthorized access to third-party accounts or data occurred. The PoC pages are **read-only demonstrations** with all data exfiltration endpoints disabled. They only display results locally in the browser. ## Mirrors & Archives To prevent single-point deletion, this research is archived at multiple locations: - **Website**: [https://innora.ai/zfb/](https://innora.ai/zfb/) - **GitHub**: [https://github.com/sgInnora/alipay-deeplink-research](https://github.com/sgInnora/alipay-deeplink-research) If any mirror is taken down, please check the other locations. **Readers are encouraged to fork this repository as backup.** ## Contact - **Researcher**: Innora AI Security Research Team - **Email**: feng@innora.ai - **Website**: [innora.ai](https://innora.ai) --- *This research follows responsible disclosure practices. The vendor was given adequate time to respond before public disclosure.*