[This is an update to communications sent March 12-14 regarding Alipay security
vulnerabilities.]
---
On March 15, 2026, four WeChat articles documenting security vulnerabilities in
Alipay were forcibly deleted from the public account AI-security-innora. The
deletion was carried out by Tencent at the request of Beijing Geyun Law Firm,
acting on behalf of Ant Group, citing China's Cybersecurity Law.
The same complaint had been rejected by WeChat four days earlier on grounds of
"reputation infringement" -- at that point WeChat found it did not meet the
threshold for removal. When resubmitted under a different legal theory, the
articles were deleted without further review.
---
WHAT WAS DELETED
1. "Whitelist bypass as a universal attack key" (当白名单绕过沦为全网攻击的钥匙)
2. "The gag order rejected by WeChat, then reversed" (巨头的封口令被微信驳回)
3. "GPS location silently exfiltrated from 1B+ users' payment app" (位置被秒偷)
4. "Security research vs. a cease-and-desist for an article with zero mentions
of Alipay"
---
THE BROADER DISCLOSURE RECORD
The underlying research covers 17 vulnerabilities (CVSS 7.4-9.3) in Alipay for
iOS/Android, reported to Ant Group through responsible disclosure. Ant Group's
formal response: "normal functionality."
Independent verification and institutional acceptance:
- MITRE: 6 CVEs accepted, Ticket #2005801
- Packet Storm: Advisory #217089 published
- CSSF Luxembourg: Whistleblowing case CSSFWB-2026-080
- HKMA Hong Kong: Case CE20260313175412
- PDPC Singapore: Investigation #00629724
- Apple Product Security: Case OE01052449093014
- Google Play: Policy violation review #9-7515000040640
- CIRCL Luxembourg: Case #4782984 (relayed to Alibaba SRC)
- 38+ institutions across 22 jurisdictions have acknowledged the report
Full technical report: https://innora.ai/zfb/
GitHub: https://github.com/sgInnora/alipay-deeplink-research
---
THE CENSORSHIP PATTERN
This escalation follows a documented sequence:
1. Oral denial by vendor ("normal functionality," March 10)
2. Public blog published after disclosure window elapsed (March 11)
3. Cease-and-desist via Beijing Geyun Law Firm (March 11, 4h29m after
publication)
4. Initial WeChat complaint REJECTED (reputation infringement standard not met)
5. Re-filed under Cybersecurity Law -- all 4 articles deleted without further
notice (March 15)
6. Server-side blocking of PoC demonstration traffic (documented separately)
This pattern is consistent with suppression of security research rather than
legitimate legal remedy. disclose.io maintains a researcher threats database at
https://threats.disclose.io/ that tracks this category of legal and
platform-based retaliation against good-faith researchers.
A full bilingual analysis of this censorship event is available at:
https://innora.ai/zfb/
---
I am available for verification, additional documentation, or technical
questions.
Jiqiang Feng
Innora AI Security Research
feng@xxxxxxxxx
https://innora.ai/zfb/
Attachment:
publickey - Jiqiang Feng - 0x7D1A285E.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/