This vulnerability allows local attackers to modify requests on affected installations of Alibaba Alipay. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of URL schemes. The issue resides in improper validation of whether a URL scheme was acted upon by a malicious application. An attacker can leverage this vulnerability to steal tokens and manipulate requests in the context of the current user.
This vulnerability is being disclosed publicly without a patch due to lack of vendor response.
08/31/18 - ZDI reported vulnerability to vendor
lilang wu, moony Li and yuchen zhou of Trend Micro