Jiqiang Feng | Innora AI Security

5 Followers
7 Following
12 Posts
Independent security researcher. Found 28 CVEs in Alipay (1.4B users). IACR ePrint 2026/526. 8 articles censored by vendor. CISSP. Based in Penang, Malaysia. 🔬 Reverse engineering · 🛡️ Vulnerability research · 📄 Responsible disclosure
Research: https://innora.ai/zfb/
Evidence: https://github.com/sgInnora/alipay-securityguard-analysis
Paper: https://eprint.iacr.org/2026/526
Email: [email protected]

Deleted 8 times on WeChat. Permanently suspended on X/Twitter.

The research: 28 CVEs, 3 RCE chains, unauthenticated national digital currency access.

Regulators engaged: CNPD, CSSF, HKMA, PDPC, CNNVD, CIRCL.

Surviving copies:
IPFS: gateway.pinata.cloud/ipfs/QmWUnbmgHsb3BMLufJWhzVaaZqd8j7XMjN2YVUmAGRGJ4C
Web: innora.ai/zfb/
Code: github.com/sgInnora/alipay-securityguard-analysis

If you're in mobile sec: peer review on the Lua VM RCE chain welcome. DMs open.

#InfoSec #censorship #AndroidSecurity

When the signature verifier is itself remotely replaceable...

PatchProxy controls 146,173 methods in Alipay, including verifyApk() — the trust anchor recursively under attacker control. Turtles all the way down.

Batch-3 filed (10 new, 28 total):
- PatchProxy RCE: CVSS 9.8
- Lua VM RCE: CVSS 9.8
- Payment auth bypass: CVSS 9.1

Details: innora.ai/zfb/

#AndroidSecurity #RCE #ReverseEngineering

7/7 All evidence permanently preserved on IPFS:
gateway.pinata.cloud/ipfs/QmWUnbmgHsb3BMLufJWhzVaaZqd8j7XMjN2YVUmAGRGJ4C

Please fork github.com/sgInnora/alipay-securityguard-analysis as backup against further takedowns.

If you've experienced similar vendor retaliation for security research, I'd like to hear from you.

#infosec #ipfs #opensecurity

6/7 Regulatory responses (12+ jurisdictions):
- CSSF Luxembourg: CSSFWB-2026-080
- CNPD Luxembourg: GDPR investigation
- HKMA Hong Kong: CE20260313175412
- PDPC Singapore: #00629724
- BSP Philippines, PCPD HK, BNM Malaysia
- Google Play, CISA/CERT
- MITRE: 18 CVEs across 4 tickets

#regulation #gdpr #fintech

5/7 Cross-platform suppression:

WeChat: 8 articles deleted (March 15-20)
Twitter/X: Account permanently suspended (March 16-17)

Meanwhile, the research was independently validated by IACR, MITRE (18 CVEs), Packet Storm (#217089), and acknowledged by 12+ regulatory agencies worldwide.

Full timeline: innora.ai/zfb/article_censorship.html

#digitalrights

4/7 Then came the censorship.

March 15: 4 research articles deleted from WeChat after Ant Group's law firm filed takedown requests.

WeChat initially REJECTED the complaint. It was resubmitted under China's Cybersecurity Law — articles removed without specific provision cited.

March 20: 4 MORE articles deleted. 8/8 = 100% censored.

#censorship #pressfreedom

3/7 The cryptographic infrastructure is broken:
- APK signing cert uses MD5+RSA-1024 (collision in 9 seconds)
- 27 server RSA private keys recovered via batch GCD
- Hardcoded DES keys

11 verified PoCs: github.com/sgInnora/hash-collision-lab
IACR paper: eprint.iacr.org/2026/526

#cryptography #appsec
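The batch-GCD technique mentioned in the post above is also the standard way a defender audits a key inventory for moduli that share a prime (the "Mining your Ps and Qs" check). The following is an added example, not code from the author or from the linked repositories; the moduli are constructed from small known primes purely for illustration, and the function names are hypothetical.

```python
from math import gcd
from typing import Dict, List, Optional, Tuple

def batch_gcd(moduli: List[int]) -> Dict[int, int]:
    """Return {index: g} for every modulus that shares a prime with another.
    Product trick: g_i = gcd(n_i, (prod_j n_j) / n_i). A prime present in
    n_i and in any other n_j survives in that quotient, so g_i > 1 exactly
    when n_i shares a factor. (Real audits use a product tree for speed;
    this direct form is fine for a few thousand keys.)"""
    total = 1
    for n in moduli:
        total *= n
    findings = {}
    for i, n in enumerate(moduli):
        g = gcd(n, total // n)   # exact division: n divides total
        if g > 1:
            findings[i] = g
    return findings

def recover_factors(n: int, g: int) -> Optional[Tuple[int, int]]:
    """If g is a proper divisor of n, return (p, q) with p * q == n.
    When g == n the modulus is a duplicate or shares both primes, so the
    GCD alone does not split it; report that instead of guessing."""
    if 1 < g < n and n % g == 0:
        p, q = g, n // g
        return (min(p, q), max(p, q))
    return None

def audit_moduli(moduli: List[int]) -> Dict[int, Tuple[str, Optional[Tuple[int, int]]]]:
    """Classify each modulus as 'ok', 'factored' (p, q recovered) or
    'fully_shared' (duplicate key or both primes reused elsewhere)."""
    shared = batch_gcd(moduli)
    report = {}
    for i, n in enumerate(moduli):
        if i not in shared:
            report[i] = ("ok", None)
        else:
            pq = recover_factors(n, shared[i])
            report[i] = ("factored", pq) if pq else ("fully_shared", None)
    return report

# Constructed sample inventory (toy-sized primes, not real keys):
# n0 and n2 reuse 1000000007; n4 is a verbatim duplicate of n0.
SAMPLE_MODULI = [
    1000000007 * 1000000009,
    998244353 * 2147483647,
    1000000007 * 65537,
    104729 * 104723,
    1000000007 * 1000000009,
]

if __name__ == "__main__":
    for idx, (status, pq) in audit_moduli(SAMPLE_MODULI).items():
        print(idx, status, pq)
```

Any modulus reported as anything other than "ok" should be rotated; a shared prime means the corresponding private key is derivable by anyone holding the sibling public key.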

2/7 Key findings:
- 976 proxy classes intercepting 208 system API categories (GPS, camera, clipboard, crypto)
- 97.1% of internal APIs (396/408) have ZERO access control
- PatchProxy: every security method remotely replaceable without app update
- SM4 encryption remotely disableable by server config

Full analysis: github.com/sgInnora/alipay-securityguard-analysis

#mobilesecurity #reverseengineering

THREAD: Alipay SecurityGuard SDK — What we found and what happened next.

1/7 We reverse-engineered Alipay's SecurityGuard SDK (v10.8.30.8000, 89K Java source files). Found 17 vulnerabilities including a whitelist bypass (CVSS 9.3) that makes all 17 remotely exploitable via a single crafted URL.

18 CVEs filed across 4 MITRE tickets. Vendor says: 'normal functionality.'

#infosec #alipay #vulnerability

#introduction I'm Jiqiang Feng, independent security researcher at Innora AI. I found 17 vulnerabilities (CVSS up to 9.3) in Alipay, a payment app used by 1B+ people. 18 CVEs filed with MITRE. Peer-reviewed paper published by IACR.

My Twitter/X account was permanently suspended during this disclosure. 8 research articles were also deleted from WeChat by the vendor's lawyers.

innora.ai | github.com/sgInnora

#infosec #security #vulnerability #mobilesecurity