But if so, why not try to camouflage it as something more generic, to try to avoid notifying Airbnb? I am tech savvy enough and have marketing notifications turned off, but I would assume that they are simply not honouring the setting somehow if I received an ad for Airbnb.
Now Airbnb knows to change their key or something if possible, and I'll be very suspicious of any notifications from any app in the future, especially Airbnb.
If it was a poc they just lost the ability to build the real attack by being way too noticeable. This issue has likely already been mitigated and will be patched up within days if not hours. Much more likely to be an honest mistake.
Oh could the attacker get information about whether or not I opened the app? Is the same key used to send notifications and access metrics that Firebase collects?
Now Airbnb knows to change their key or something if possible, and I'll be very suspicious of any notifications from any app in the future, especially Airbnb.