Attack Techniques: Notification Spam

I tried visiting an old colleague’s long-expired blog today, just to see what would happen. I got redirected here:

Wat? What is this even talking about? There’s no “Allow” link or button anywhere.

The clue is the tiny bell with a red X in the omnibox: this site tried to ask for permission to send me notifications, indefinitely. The site is betting that I won't understand the permission prompt, will assume it is one of the billions of CAPTCHAs on today's web, and will simply click "Allow".

However, in this case, Edge said “Naw, we’re not even going to bother showing the prompt for this site” and suppressed it by default.

The resulting user experience isn't a great one, but there's not a lot the browser can do about that in general: websites can always lie to visitors, and the browser's ability to respond reasonably is limited. The truly bad outcome (a continuous flood of spam notifications appearing inside the OS, leaving the user wondering for weeks afterward whether they've been hacked) has been averted because the user never sees the "shoot self in foot" option.
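As an added example (not code from this post, and not Edge's or any site's actual code), here are the two prompting patterns side by side in JavaScript: the load-time, fake-CAPTCHA prompt the redirect target uses, and an opt-in flow that asks only from inside a click handler, treats a dismissed or quieted prompt as a "no", and never re-asks after a denial. The `api`, `paintOverlay` and `storage` parameters are assumptions standing in for the browser's global `Notification`, a DOM overlay painter and `localStorage`; the fakes at the bottom are constructed so the block also runs under Node.

```javascript
// Added example: two ways a page can ask for notification permission.
// `api` has the shape of the browser's global `Notification`
// ({ permission, requestPermission() }). In a real page pass `Notification`;
// the constructed fakes at the bottom let the flows run under Node.

const ASKED_KEY = "notifications-dismissed"; // assumed localStorage key

// --- The pattern the redirect target in the post uses ---
// Prompts the moment the page loads, with no user gesture, and paints a fake
// CAPTCHA so the visitor reads the browser's "Allow" as a verification step
// rather than as a standing grant to push OS-level notifications.
async function spamPattern(api, paintOverlay) {
  paintOverlay('Click "Allow" to confirm that you are not a robot');
  return api.requestPermission(); // fires on load; quieter UI hides this prompt
}

// --- The pattern a legitimate site should use ---
function notificationOptIn(api, storage) {
  return {
    // What to render before any interaction. Never prompts; reads the current
    // state and whether the user has already waved us off on an earlier visit.
    initialState() {
      if (api.permission === "granted") return "enabled";
      if (api.permission === "denied") return "blocked"; // browser won't re-ask either
      if (storage.getItem(ASKED_KEY) === "1") return "declined";
      return "offer"; // show in-page text explaining what the notifications are for
    },

    // Call only from the opt-in button's click handler, i.e. inside a user
    // gesture. `timeoutMs` bounds the wait: a quieted prompt the user never
    // acts on can leave the promise pending, and we treat that as a dismissal.
    async onOptInClick(timeoutMs = 30000) {
      if (api.permission !== "default") return this.initialState();
      let timer;
      const timeout = new Promise(resolve => {
        timer = setTimeout(() => resolve("default"), timeoutMs);
      });
      const result = await Promise.race([api.requestPermission(), timeout]);
      clearTimeout(timer);
      if (result === "granted") return "enabled";
      if (result === "denied") return "blocked";
      storage.setItem(ASKED_KEY, "1"); // dismissed or quieted: don't nag next visit
      return "declined";
    },
  };
}

// Constructed stand-in for the Notification API. `decision` is what the
// simulated user does: "granted", "denied", "default" (dismiss the prompt),
// or "ignore" (never answers, as with a quieted prompt that is left alone).
function fakeNotificationApi(decision) {
  return {
    permission: "default",
    prompts: 0,
    requestPermission() {
      this.prompts += 1;
      if (decision === "ignore") return new Promise(() => {});
      if (decision !== "default") this.permission = decision;
      return Promise.resolve(this.permission);
    },
  };
}

// Constructed stand-in for localStorage.
function fakeStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Run both flows against the fakes and return what each produced.
async function demo() {
  const spam = fakeNotificationApi("granted");
  const spamResult = await spamPattern(spam, () => {}); // overlay painter is a no-op here

  const api = fakeNotificationApi("ignore");
  const storage = fakeStorage();
  const optIn = notificationOptIn(api, storage);
  const before = optIn.initialState();             // "offer": nothing prompted yet
  const after = await optIn.onOptInClick(20);      // quieted and ignored -> "declined"
  const nextVisit = notificationOptIn(api, storage).initialState(); // still "declined"
  return { spamResult, spamPrompts: spam.prompts, before, after, nextVisit, prompts: api.prompts };
}

demo().then(r => console.log(r));
```

The timeout is the part worth copying: a site that `await`s `requestPermission()` unconditionally can hang its onboarding flow when the browser quiets the prompt and the visitor never touches the bell, whereas racing it against a timer and recording the dismissal keeps the page usable and stops it from re-prompting on every visit.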

This “Quieter Notifications” behavior can be found in Edge Settings; you can use the other toggle to turn off Notification permission requests entirely:

edge://settings/content/notifications screenshot

Today, there's no "Report that this site is trying to trick users" feature. The current menu command ... > Help and Feedback > Report Unsafe Site is used only to report sites that distribute malware or conduct phishing attacks, so that SmartScreen can block them.

Here’s a similar attack site loaded in Chrome, which is showing the prompt. (Chrome does have a similar anti-abuse effort).

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now a GPM for Microsoft Defender. My words are my own, I do not speak for any other entity.

One thought on “Attack Techniques: Notification Spam”

  1. The appraisal is correct but sad: “websites can always lie... a browser’s ability to do anything reasonable... is limited.” One phishing hoax rampant since Q3 2021, reported by pixm: https://pixmsecurity.com/blog/blog/phishing-tactics-how-a-threat-actor-stole-1m-credentials-in-4-months/, is still active on Facebook, or very similar. Obfuscated by a URL redirect chain, the user sees a canned phishing login page ‘to continue’ that current levels of defense are unable to block. The page mimics true login requests exactly.

    As the persistence of these schemes attests, user education is a poor second choice to system security. This divides the web community into two classes: those that know how to avoid the scams and the rest, to phrase it diplomatically. As the web community ages, the twilight generations become increasingly vulnerable. It’s sad to feel that driving the web is subject to having your driver’s license revoked because of age (or other health limitations), but that’s what it seems to boil down to.

    Sorry for venting, but given the other advances in AI and analyzing network traffic, it’s hard to believe that more can’t be done. Amazon gives some hope. Shopping there is much safer than on other platforms. [repost 10/1 cmt]
