by sloshnmosh 1660 days ago
Be VERY careful on accepting push notifications!

There is a huge malvertising campaign targeting mobile users (especially Android) that tricks users into accepting push notifications with fake CAPTCHAs or fake media player buttons that push malicious ads and mobile malware and can even lead to botnet activity.

The risk versus value is too high.

3 comments

For the past couple years, every time I visit my mom I borrow her phone and unsubscribe her from a bunch of push notification spam senders. It is way too easy to allow these notifications.

Reading the messages in that bug tracker from ecommerce sites, I really do wonder how many of their customers genuinely want pushes for coupons and ads vs how many just see a "you need to click some button to get on with things" and accept because that's just how computers seem to work for them.

Then again, I'm perpetually cynical on these because I don't want push notifications for anything that doesn't actually warrant an interruption to my daily life. I'm not 'settling for email' as one ecommerce marketer puts it. If you are sending your email content to notifications, then my notifications will just become another email inbox and lose their value.

It's a completely avoidable UI problem, too. There are two kinds of notifications:

- Notifications while I am actively using a thing - for example, "your upload is finished," or "."

- Push notifications from some website I looked at once and accidentally allowed notifications.

Browsers keep treating these as if they're the same thing. Firefox doesn't make any effort to separate them - you get the same "allow notifications" banner whether it's for push notifications or the plain old notifications API (https://developer.mozilla.org/en-US/docs/Web/API/Notificatio... / https://bugzilla.mozilla.org/show_bug.cgi?id=1192458).

But they're obviously different. I don't want to disallow notifications for every website I interact with, but if you aren't telling me what kind of notifications these are, I don't really have much to work with here.
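An added example, not part of any comment in this thread: a way to see which of the two kinds of notification the current origin can actually send once "allow" has been clicked, by checking whether a service worker holds a push subscription. The function names are hypothetical, and the code goes slightly beyond the comment by optionally dropping the subscriptions it finds.

```javascript
// Added example. Function names are hypothetical; the browser calls used
// (Notification.permission, getRegistrations, pushManager.getSubscription,
// PushSubscription.unsubscribe) are the standard web APIs.

// permission: value of Notification.permission; pushHosts: push endpoint hosts.
function classifyNotificationUse(permission, pushHosts) {
  if (permission !== "granted") return "none";        // nothing can be shown
  if (pushHosts.length > 0) return "background-push"; // a server can wake the service worker
  return "in-page-only";                              // only an open page can notify
}

// env defaults to the real browser globals; a constructed stand-in with the
// same shape can be passed instead. revoke=true also drops each subscription.
async function auditOrigin(env = globalThis, { revoke = false } = {}) {
  const permission = env.Notification ? env.Notification.permission : "unsupported";
  const sw = env.navigator && env.navigator.serviceWorker;
  const registrations = sw ? await sw.getRegistrations() : [];
  const pushHosts = [];
  let revoked = 0;
  for (const reg of registrations) {
    if (!reg.pushManager) continue;                   // Push API not available
    const sub = await reg.pushManager.getSubscription();
    if (!sub) continue;                               // worker registered, no push channel
    pushHosts.push(new URL(sub.endpoint).host);
    // Unsubscribing leaves the permission granted, so the site can
    // resubscribe on a later visit without a new prompt.
    if (revoke && (await sub.unsubscribe())) revoked += 1;
  }
  return { permission, pushHosts, revoked, kind: classifyNotificationUse(permission, pushHosts) };
}
```

In a devtools console, `await auditOrigin()` reports on the current origin only; stopping the notifications for good still means resetting the site's notification permission in the browser settings.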

Assume you don't want them, unless your use case requires them?
Why not push notification for PWA to start with? The user buys a 1k phone, finds an app that an indie developer/solopreneur built as PWA to lower the cost, installs the app willingly on their device but discovers the experience is lacking because....:

Apple wants to milk the users and developers for money in the name of privacy. And on top of that, we've outsiders defending them!

The software being used to push this malware is from Propeller ads and more recently AdMaven but is protected by Russian DDoS services.
Also AdFly does it too. For an example, go to https://firfox.com on Android. Depending on the campaigns active at the moment, you'll probably get pages trying to get you to enable push and/or download VPNs or "antivirus" apps (especially Norton). On Windows Firefox, you sometimes get the "Your computer has a virus!!! Call our number!!!" sites too.