Web API Notification Abuse
October 18, 2019
One of the new features is Web API Notifications. The concept is good; however, the API is being abused at high speed. Web API notifications allow the browser to prompt you whenever there is an update from a website, whether you are on the site or not. This is handy for email, IMs and news notifications. Marketers have started to take advantage of this as well, using it to push product information and offers to visitors. Marketing is annoying; however, the bad guys are using it as well to lure users into clicking and downloading malware onto their computers.
Before a site can send notifications, the user will be presented with the following box asking for permission:
The problem is many users don’t fully understand what it is or think it is something to do with cookies, and then click Allow. There is little if any explanation as to what it is asking. The bottom line is it needs to be implemented better, with the user’s safety and possibly sanity in mind. Over the past couple of weeks, I’ve taken a huge number of tickets related to popups of all kinds from API notifications.
In the meantime, this is how to disable them in Chrome and Firefox:
Chrome:
- Go to “Settings”
- Under “Privacy and security” click on “Site settings”
- Under “Permissions” click on “Notifications”
- Under “Allow” you will see all the sites with permission. Click on the 3 dots next to each site you want to stop and click on “Block”
- To disable all notifications, switch the toggle for “Ask before sending” to put all in blocked mode.

Firefox:
- Go to “Options”
- Under “Privacy & Security” find “Permissions”
- Next to “Notifications” click on “Settings”
- Click on “Remove All Websites”
- Check the box at the bottom called “Block new requests asking to allow notifications”
- Click “Save Changes”
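
For triaging tickets like these, the sites listed under “Allow” in Chrome can also be read straight from the profile's `Preferences` file. The script below is an added example, not part of the original post. It assumes that file is JSON with per-site notification entries under `profile.content_settings.exceptions.notifications`, where a `setting` of 1 means allow and 2 means block; the sample data and domains are constructed.

```python
import json
import sys

ALLOW, BLOCK = 1, 2  # assumed content-setting values in Chrome's Preferences

# Constructed sample of the relevant part of a Chrome profile's Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "default_content_setting_values": {"notifications": 2},
        "content_settings": {"exceptions": {"notifications": {
            "https://mail.example.com:443,*": {"setting": 1},
            "https://push-offers.example.net:443,*": {"setting": 1},
            "https://news.example.org:443,*": {"setting": 2},
        }}},
    }
})


def notification_permissions(prefs_text):
    """Return (default_setting, {origin: setting}) parsed from Preferences JSON."""
    profile = json.loads(prefs_text).get("profile", {})
    default = profile.get("default_content_setting_values", {}).get("notifications")
    raw = (profile.get("content_settings", {})
                  .get("exceptions", {})
                  .get("notifications", {}))
    sites = {}
    for pattern, entry in raw.items():
        # Keys look like "<origin>,<embedding pattern>"; keep the origin part.
        origin = pattern.split(",", 1)[0]
        if isinstance(entry, dict):
            sites[origin] = entry.get("setting")
    return default, sites


def allowed_sites(prefs_text):
    """Origins that currently hold the notification permission."""
    _, sites = notification_permissions(prefs_text)
    return sorted(o for o, s in sites.items() if s == ALLOW)


if __name__ == "__main__":
    # Pass the path to a profile's Preferences file, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PREFERENCES
    default, _ = notification_permissions(text)
    print("default:", "blocked" if default == BLOCK else "ask/allow")
    for origin in allowed_sites(text):
        print("ALLOWED", origin)
```

Any origin the user does not recognise in the output is a candidate for the “Block” step above.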