Alipay (1B+ users) DeepLink+JSBridge Attack Chain: Silent GPS Exfiltration, 6 CVEs (CVSS 9.3)

Update (March 13, 2026):

Several major developments since this was posted:

  1. Packet Storm Security — Advisory published: https://packetstorm.news/files/id/217089

  2. Apple Product Security — Confirmed forwarding to investigation team (Ticket OE01052449093014). Apple is actively investigating the Alipay iOS app.

  3. Google Play — Policy violation investigation confirmed (Case #9-7515000040640).

  4. Singapore PDPC — Formal investigation opened (Case #00629724).

  5. HKCERT — Forwarded report to CNCERT (China National CERT).

  6. MITRE CVE — 6 CVEs pending (Ticket #2005801), CVSS 7.4–9.3.

Vendor (Ant Group) continues to maintain these are "normal functionality" and has issued no patch.

Full report: https://innora.ai/zfb/

submitted by /u/feng_sg