[This is an update to communications sent March 12-14 regarding Alipay security vulnerabilities.]

---

On March 15, 2026, four WeChat articles documenting security vulnerabilities in Alipay were forcibly deleted from the public account AI-security-innora. The deletion was carried out by Tencent at the request of Beijing Geyun Law Firm, acting on behalf of Ant Group, citing China's Cybersecurity Law.

The same complaint had been rejected by WeChat four days earlier on grounds of "reputation infringement" -- at that point WeChat found it did not meet the threshold for removal. When resubmitted under a different legal theory, the articles were deleted without further review.

---

WHAT WAS DELETED

1. "Whitelist bypass as a universal attack key" (当白名单绕过沦为全网攻击的钥匙)
2. "The gag order rejected by WeChat, then reversed" (巨头的封口令被微信驳回)
3. "GPS location silently exfiltrated from 1B+ users' payment app" (位置被秒偷)
4. "Security research vs. a cease-and-desist for an article with zero mentions of Alipay"

---

THE BROADER DISCLOSURE RECORD

The underlying research covers 17 vulnerabilities (CVSS 7.4-9.3) in Alipay for iOS/Android, reported to Ant Group through responsible disclosure. Ant Group's formal response: "normal functionality."

Independent verification and institutional acceptance:

- MITRE: 6 CVEs accepted, Ticket #2005801
- Packet Storm: Advisory #217089 published
- CSSF Luxembourg: Whistleblowing case CSSFWB-2026-080
- HKMA Hong Kong: Case CE20260313175412
- PDPC Singapore: Investigation #00629724
- Apple Product Security: Case OE01052449093014
- Google Play: Policy violation review #9-7515000040640
- CIRCL Luxembourg: Case #4782984 (relayed to Alibaba SRC)
- 38+ institutions across 22 jurisdictions have acknowledged the report

Full technical report: https://innora.ai/zfb/
GitHub: https://github.com/sgInnora/alipay-deeplink-research

---

THE CENSORSHIP PATTERN

This escalation follows a documented sequence:

1. Oral denial by vendor ("normal functionality," March 10)
2. Public blog published after disclosure window elapsed (March 11)
3. Cease-and-desist via Beijing Geyun Law Firm (March 11, 4h29m after publication)
4. Initial WeChat complaint REJECTED (reputation infringement standard not met)
5. Re-filed under Cybersecurity Law -- all 4 articles deleted without further notice (March 15)
6. Server-side blocking of PoC demonstration traffic (documented separately)

This pattern is consistent with suppression of security research rather than legitimate legal remedy.

disclose.io maintains a researcher threats database at https://threats.disclose.io/ that tracks this category of legal and platform-based retaliation against good-faith researchers.

A full bilingual analysis of this censorship event is available at: https://innora.ai/zfb/

---

I am available for verification, additional documentation, or technical questions.

Jiqiang Feng
Innora AI Security Research
feng () innora ai
https://innora.ai/zfb/
Attachment:
publickey - Jiqiang Feng - 0x7D1A285E.asc
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/