Regulation · HIGH

Ant Group - Censors Security Research Articles After Complaint

Full Disclosure
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, Ant Group made four articles about Alipay's security disappear after a complaint.

Quick Summary

Ant Group has censored four articles detailing Alipay's security vulnerabilities after an initial complaint was rejected. This raises concerns about censorship and user safety. Millions of users could be at risk due to undisclosed vulnerabilities. It's crucial to stay informed about the security of your financial apps.

What Happened

On March 15, 2026, four articles detailing security vulnerabilities in Alipay were forcibly deleted from the public WeChat account AI-security-innora. Tencent took this action at the behest of Beijing Geyun Law Firm, representing Ant Group. The firm cited China's Cybersecurity Law as the basis for its request. WeChat had rejected the same complaint just days earlier, finding that it did not meet the threshold for removal as reputation infringement.

The articles in question included alarming titles such as "GPS location silently exfiltrated from 1B+ users' payment app" and "Whitelist bypass as a universal attack key." This deletion raises serious questions about the balance between security research and corporate censorship.

Who's Affected

The censorship affects not only the researchers involved but also millions of Alipay users. With over a billion users, any vulnerabilities in Alipay pose a significant risk to personal data and financial security. The articles detailed 17 vulnerabilities with CVSS scores ranging from 7.4 to 9.3, indicating a serious threat level. The researchers had initially reported these vulnerabilities to Ant Group through responsible disclosure, but the company's response was to label them as “normal functionality.”

This situation highlights a troubling trend where companies may suppress legitimate security research to protect their reputations, potentially leaving users vulnerable to exploitation.

What Data Was Exposed

The articles that were deleted contained critical information about vulnerabilities in Alipay, including:

  • GPS data being exfiltrated from users' devices.
  • Whitelist bypass vulnerabilities that could allow unauthorized access.
  • Other security flaws that could compromise user data and transaction security.

The deletion of this information not only hinders transparency but also prevents users from being aware of potential risks associated with the app they use for financial transactions.

What You Should Do

If you are an Alipay user, it is crucial to stay informed about the security of the applications you use. Here are a few steps you can take:

  • Monitor updates from credible cybersecurity sources regarding Alipay.
  • Consider using additional security measures, such as two-factor authentication.
  • Be cautious of any unusual activity on your account and report it immediately.

Furthermore, advocating for transparency in security research can help ensure that vulnerabilities are addressed rather than suppressed. Engaging with organizations that track researcher threats can also provide valuable insights and support for those in the cybersecurity community.

🔒 Pro insight: This incident underscores the ongoing tension between corporate interests and the need for transparency in cybersecurity research.
