TLDR: A vector for phishing attacks and malware. Your non-technical family members and friends will likely fall for these at some point. For their sake, disable them.
If you’re the go-to technology person in your family and friend group, this is a reminder to do this over the festive season. I explain how to disable them here. 🎄🎅⛄❄
Pop-up ads were once one of the most frequent ways of spamming users with adverts, and they acted as a vector for viruses, malware, and other security risks. However, modern browsers block pop-ups unless the user manually enables them, so their effectiveness has been significantly reduced.
Today I want to discuss a mechanism that scammers have been using as a new attack vector since browsers introduced it in 2015, after pop-ups had for the most part been eliminated.
This “feature” is, of course, browser push notifications. To clear up any possible confusion, this is not related to SSE (Server-Sent Events) or WebSockets, which are two valid mechanisms for real-time communication between a browser/client and a server.
What are browser push notifications?
The Push API gives web applications the ability to receive messages pushed to them from a server, whether or not the web app is in the foreground, or even currently loaded, on a user agent. This lets developers deliver asynchronous notifications and updates to users that opt in, resulting in better engagement with timely new content.
In other words, it’s a way for websites to send notifications even if you’re not on the website. You will recognise this in action when you see this dialog on a site.
As shown in the article image, this is often accompanied by messages such as “Click allow now!” or “Tap here to subscribe now!” positioned just below the dialog. Typically, many additional UX/UI dark patterns are employed to encourage the user further to allow the notifications.
The strong case for disabling them on every device
Not only on your own devices but on all the devices of your non-technical family members and friends, and on any devices you manage as part of IT in an organisation. Any potential legitimate use case for them has long been overtaken by malicious actors taking advantage of scared users.
They are a delivery mechanism for malware and phishing attacks
The notification itself is just a link to a site. Provided the user never clicks or taps on the notification, then the user won’t be at risk. However, the notification is often accompanied by a message that is designed to scare the user into clicking on the notification.
The notification is often a fake warning that the user’s device is infected with malware or that their bank account has been compromised. The user is then directed to a site that will attempt to install malware or ask for sensitive information such as bank or card details.
They take advantage of non-technical users and frighten them
Invariably the notification will contain a message and image that are crafted in such a way as to trick a user into believing the notification is legitimate. Often these images are obviously not real system notifications, but to a non-technical user, there is no difference. The same technique is used by scammers in emails and text messages.
Non-technical users habitually click “OK”, “Accept”, “Yes” in any dialog
Unfortunately, many non-technical users are used to clicking whatever button they can to make the thing disappear. These users are subconsciously conditioned to proceed without even reading the message.
That habit, coupled with the scary messages and images discussed above grabbing their attention and ensuring they click, makes for a very substantial risk.
They are a symptom of the hostile “modern web” and its assault on users
The modern web browsing experience still seems mostly focused on distracting and frustrating users.
Including but not limited to: hiding content behind a series of in-page pop-ups, newsletter signups, dumb cookie privacy prompts, ads, disguised ads, privacy-invading user tracking, back button hijacking, and parts of the page flying around as megabytes of yet more ads and tracking scripts load. Don’t forget the ridiculous “one weird tricks” and “doctors hate him” ads.
I have never seen them used for any legitimate or useful purpose
I have never seen a compelling use case for them. Every time a site has prompted me to allow them, it has been for something useless such as receiving breaking news.
I searched online for legitimate use cases while writing this, and there are absolutely none. Of course, there is the usual spiel that the gross ad-tech industry has written about them.
They don’t have any practical reason to exist and have proven to be a security risk: disable them.
How to disable them
Fortunately, Edge and Firefox seem to have slightly improved the situation after these problems became very apparent. Firefox shows the notification prompt once and hides it after that. Edge instead seems to keep a list of sites from which users regularly decline notifications. Here is how to disable them in Chrome and Edge.
For organisation-wide blocking of browser push notifications both Edge and Chrome have GPO policies available for Windows.
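As an added example (not from the original post), the following PowerShell script writes the same machine-wide policy values that the Chrome and Edge GPO templates set, so you can push the block from a login script or configuration-management tool without the GPO editor. It uses the documented `DefaultNotificationsSetting` policy for both browsers (value 2 = block) and, going beyond the post's Chrome/Edge scope, also drops a `policies.json` for Firefox using its documented `Permissions.Notifications.BlockNewRequests` policy. The registry and file paths are the standard ones for a default install; adjust them if your deployment differs.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post author's code): block browser push notification
# prompts machine-wide by writing the registry policy values a GPO would set.
# DefaultNotificationsSetting is the documented Chrome/Edge policy:
#   1 = allow, 2 = block, 3 = ask (the default).
$BlockValue = 2

$PolicyPaths = @{
    'Chrome' = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Edge'   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Set-NotificationBlockPolicy {
    param([string]$Browser, [string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name 'DefaultNotificationsSetting' `
        -PropertyType DWord -Value $BlockValue -Force | Out-Null
    Write-Host "[$Browser] DefaultNotificationsSetting set to $BlockValue (block)"
}

function Test-NotificationBlockPolicy {
    # Returns $true only if the policy key exists and is set to block.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name 'DefaultNotificationsSetting' -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.DefaultNotificationsSetting -eq $BlockValue)
}

foreach ($entry in $PolicyPaths.GetEnumerator()) {
    Set-NotificationBlockPolicy -Browser $entry.Key -Path $entry.Value
}

# Firefox reads enterprise policies from distribution\policies.json next to the
# executable (this part goes beyond the post, which only covers Chrome and Edge).
$FirefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'
if (Test-Path $FirefoxDir) {
    $distDir = Join-Path $FirefoxDir 'distribution'
    New-Item -ItemType Directory -Path $distDir -Force | Out-Null
    $policy = @{ policies = @{ Permissions = @{ Notifications = @{ BlockNewRequests = $true } } } }
    $policy | ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $distDir 'policies.json') -Encoding UTF8
    Write-Host "[Firefox] policies.json written: Permissions.Notifications.BlockNewRequests = true"
}

# Verify the registry state. Browsers only pick the policy up after a restart;
# chrome://policy and edge://policy then show it as a machine-level mandatory policy.
foreach ($entry in $PolicyPaths.GetEnumerator()) {
    $state = if (Test-NotificationBlockPolicy -Path $entry.Value) { 'blocked' } else { 'NOT blocked' }
    Write-Host "[$($entry.Key)] verification: notification prompts $state"
}
```

Because these are HKLM policy keys, users cannot undo the setting from the browser's own settings page, which is the point for the family-support and managed-fleet cases above; if a single site genuinely needs notifications, the companion `NotificationsAllowedForUrls` policy (also present in both browsers) is the place to whitelist it rather than relaxing the default.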
A message to the browser vendors
Please fix this. It’s a terrible user-hostile feature that is being misused. While you may have improved how the initial notification prompt is handled, the fact that these fake “virus warnings” and the like are still being used clearly indicates that work needs to be done.
There is no reason for messages like these to be in a browser push notification (all taken from actual cases):
- “Your computer is infected with dangerous viruses.”
- “Your bank account has been compromised.”
- “System Is At Risk”
- “Your might loose your data!”
In the same way that e-mail spam filtering works, so should browser push notification spam filtering. If you don’t implement this, you are complicit in the continued abuse of your users.
If needing to filter browser push notifications for spam seems like a lot of work, then questions need answering about the value of the feature in the first place. Seriously, what is the value of this feature? Were you pressured into it by ad companies? Why is the feature so open to abuse?
Browser push notification prompts should always be hidden by default just like pop-up window requests.