Open Bug 1986312 Opened 4 months ago Updated 29 days ago

Malicious website can subscribe a user to notifications by tricking them ("Click Allow to prove you are a human")

Categories

(Core :: DOM: Notifications, enhancement)

Firefox 142
Desktop
Windows 11
enhancement

People

(Reporter: aiunusov, Unassigned)

Details

(Keywords: csectype-spoof)

Attachments

(2 files)

Attached image subscription process

I recently misspelled GMail. I simply typed gmail.com, but without the last "l" (Please don't try this unless you know what you're doing!)
This opened a malicious site.
I didn't notice the URL and simply checked the "I'm not a robot" checkbox. As a result, Firefox started spamming me with notifications that my browser was infected. But I didn't want to subscribe to any notifications.

I think we need to investigate this. It could be a security issue or some kind of "gray pattern".
Considering how popular Gmail is, this is a real problem for our users.

Attachment #9510662 - Attachment mime type: text/plain → image/png
OS: Unspecified → Windows 11
Hardware: Unspecified → Desktop
Version: unspecified → Firefox 142

The domain name looks much longer than gmai.com, and opening gmai doesn't do a redirection (maybe it's changed now?)

Manually trying to access https://d2qpmdanaffc73fe84cg.xsv-adguard.pro/x/?clickid=d2qpmdanaffc73fe84cg&lp_key=17567b88e1b8d250ea46ef63b33d37fe6e61632513 gives only 404 for me.

But clicking the checkbox alone can't grant the permission; it opens a permission prompt too, and that would grant the permission (via Notification.requestPermission()), unless there's some way to circumvent that.

Step 2 shows clearly that Firefox correctly showed the permission request.
So, this is just a phishing website.

Attachment #9510685 - Attachment description: photo_2025-09-01_16-17-30.jpg → step 2. Firefox popup was shown
Attachment #9510685 - Attachment filename: photo_2025-09-01_16-17-30.jpg → step 2
Group: core-security → dom-core-security
Summary: Malicious website can subscribe a user to notifications without their consent → Malicious website can subscribe a user to notifications by tricking them ("Click Allow to prove you are a human")

So did the site keep spamming those notification permission popups?
Or did you accidentally accept notifications and then got lots of notifications?

Edit: never mind, others answered.

Flags: needinfo?(aiunusov)
Flags: needinfo?(aiunusov)

I'm unhiding this because this is in fact a fairly popular abuse technique. It's hard to make permission interactions that are sufficient to protect users who mistakenly think they are somewhere else, or who believe the site's claim that the "Allow" is something other than it is, without at the same time making them extremely annoying in the legitimate case.

Maybe the permission prompts would be more distinctive if they had a big icon representing what permission was being granted, although "notifications" are hard to represent.

Group: dom-core-security
Type: defect → enhancement

I'm going to change this to an enhancement. Things are currently working as intended, but the situation is not ideal so it would be good if we could come up with something better.

(In reply to Kagami Rosylight [:saschanaz] (they/them) from comment #1)

The domain name looks much longer than gmai.com, and opening gmai doesn't do a redirection (maybe it's changed now?)

These domains don't stick around long because they expect to get reported and blocked. Unfortunately those mechanisms take hours or days to kick in so the scammers still have lots of potential victims.

Keywords: sec-low