#introduction I'm Jiqiang Feng, independent security researcher at Innora AI. I found 17 vulnerabilities (CVSS up to 9.3) in Alipay, a payment app used by 1B+ people. 18 CVEs filed with MITRE. Peer-reviewed paper published by IACR.
My Twitter/X account was permanently suspended during this disclosure. 8 research articles were also deleted from WeChat by the vendor's lawyers.
innora.ai | github.com/sgInnora
-
THREAD: Alipay SecurityGuard SDK — What we found and what happened next.
1/7 We reverse-engineered Alipay's SecurityGuard SDK (v10.8.30.8000, 89K Java source files). Found 17 vulnerabilities including a whitelist bypass (CVSS 9.3) that makes all 17 remotely exploitable via a single crafted URL.
18 CVEs filed across 4 MITRE tickets. Vendor says: 'normal functionality.'
-
2/7 Key findings:
- 976 proxy classes intercepting 208 system API categories (GPS, camera, clipboard, crypto)
- 97.1% of internal APIs (396/408) have ZERO access control
- PatchProxy: every security method remotely replaceable without app update
- SM4 encryption remotely disableable by server config
Full analysis: github.com/sgInnora/alipay-securityguard-analysis
-
3/7 The cryptographic infrastructure is broken:
- APK signing cert uses MD5+RSA-1024 (collision in 9 seconds)
- 27 server RSA private keys recovered via batch GCD
- Hardcoded DES keys
11 verified PoCs: github.com/sgInnora/hash-collision-lab
IACR paper: eprint.iacr.org/2026/526
-
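The 3/7 post mentions server RSA keys recovered via batch GCD. The block below is an added example, not the author's tooling or anything from the linked repositories: it is the defender-side use of the same technique, auditing a set of RSA moduli (for instance, harvested from your own certificate inventory) for primes shared between keys, using a product tree and remainder tree so the cost stays quasi-linear in the number of keys. The sample moduli are constructed from small primes for illustration.

```python
from math import gcd


def product_tree(nums):
    """Build the product tree: level 0 is the input, the last level is the root."""
    levels = [list(nums)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    return levels


def batch_gcd(moduli):
    """Return gcd(N_i, product of all other moduli) for every N_i in one pass."""
    tree = product_tree(moduli)
    # Remainder tree: push the root product down, reducing mod x^2 at each node.
    rems = tree[-1]
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # (P mod N^2) // N == (P / N) mod N, so this gcd equals gcd(N, P / N).
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit_moduli(moduli):
    """Classify each modulus as ok, compromised (with its factors), or fully shared."""
    report = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            report.append(("ok", None))
        elif g == n:
            # Both primes of n occur in other moduli (or n is a duplicate key).
            # The key is compromised, but this pass does not isolate the primes.
            report.append(("compromised_all_factors_shared", None))
        else:
            report.append(("compromised", (g, n // g)))
    return report


# Constructed sample: tiny primes stand in for 1024-bit ones; N0 and N1 share P.
P, Q, R, S, T, U, V = 10007, 10009, 10037, 10039, 10061, 10067, 10079
SAMPLE_MODULI = [P * Q, P * R, S * T, U * V]

if __name__ == "__main__":
    for n, (status, factors) in zip(SAMPLE_MODULI, audit_moduli(SAMPLE_MODULI)):
        print(f"N={n}: {status}" + (f" factors={factors}" if factors else ""))
```

Any modulus reported as compromised should be treated as a key that must be rotated, together with every other key that shares the factor.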
4/7 Then came the censorship.
March 15: 4 research articles deleted from WeChat after Ant Group's law firm filed takedown requests.
WeChat initially REJECTED the complaint. It was resubmitted under China's Cybersecurity Law — articles removed without specific provision cited.
March 20: 4 MORE articles deleted. 8/8 = 100% censored.
-
5/7 Cross-platform suppression:
WeChat: 8 articles deleted (March 15-20)
Twitter/X: Account permanently suspended (March 16-17)
Meanwhile, the research was independently validated by IACR, MITRE (18 CVEs), Packet Storm (#217089), and acknowledged by 12+ regulatory agencies worldwide.
Full timeline: innora.ai/zfb/article_censorship.html
-
6/7 Regulatory responses (12+ jurisdictions):
- CSSF Luxembourg: CSSFWB-2026-080
- CNPD Luxembourg: GDPR investigation
- HKMA Hong Kong: CE20260313175412
- PDPC Singapore: #00629724
- BSP Philippines, PCPD HK, BNM Malaysia
- Google Play, CISA/CERT
- MITRE: 18 CVEs across 4 tickets
-
7/7 All evidence permanently preserved on IPFS:
gateway.pinata.cloud/ipfs/QmWUnbmgHsb3BMLufJWhzVaaZqd8j7XMjN2YVUmAGRGJ4C
Please fork github.com/sgInnora/alipay-securityguard-analysis as backup against further takedowns.
If you've experienced similar vendor retaliation for security research, I'd like to hear from you.
-