Alipay (1B+ users) DeepLink+JSBridge Attack Chain: Silent GPS Exfiltration, 6 CVEs (CVSS 9.3)

I discovered 17 vulnerabilities in Alipay, the world’s largest mobile payment app (1B+ users). A single crafted URL silently exfiltrates GPS coordinates (8.8m accuracy, 7 seconds, zero prompt) via a DeepLink → WebView → JSBridge chain.

Attack flow: ds.alipay.com (trusted domain) open redirect → alipays:// deep link → privileged WebView → AlipayJSBridge.call(getLocation) returns GPS silently. iOS exposes 5 additional APIs including tradePay.

Key facts:
- 6 CVEs submitted to MITRE CNA-LR (CVSS 7.4-9.3)
- Alibaba is a registered CNA but refused to assign CVEs
- 308 server-side GPS logs across 3 devices, 3 countries
- Vendor security lead’s own GPS captured from Alipay HQ
- Vendor: normal functionality. 4hrs later: takedown complaint

PoC: https://innora.ai/zfb/poc/trigger.html

submitted by /u/feng_sg