Google has added a new feature to Chrome 86 that aims to stomp out abusive notification content.
Web notifications are utilized for a variety of applications – such as prompting site visitors to sign up for newsletters. However, they can also be misused for phishing, malware or fake messages that imitate system notifications for the purpose of generating user interactions. Google has taken steps to battle this issue by automatically blocking the web notifications that display abusive or misleading content.
When visitors encounter a webpage with malicious notification content, the webpage will be blocked and a Chrome alert on the upper navigation bar will warn them that the website might be trying to trick them into displaying intrusive notifications. It will ask them to “Continue Blocking” or “Allow” – the latter option will let users continue on to the webpage.
“Abusive notification prompts are one of the top user complaints we receive about Chrome,” according to PJ McLachlan, product manager with Google, on Wednesday. “Our goal with these changes is to improve the experience for Chrome users and to reduce the incentive for abusive sites to misuse the web-notifications feature.”
In order to detect sites that send abusive notification content, Google will first subscribe occasionally to website push notifications (if the push permission is requested) via its automated web crawling service.
Notifications that are sent to the automated Chrome instances will be evaluated for abusive content, and sites sending abusive notifications will be flagged for enforcement if the issue is unresolved, said Google.
When a site is found to be in “failing” status for any type of notification abuse, Google will send a warning email to the registered owners of the site 30 days before cracking down. During this time, websites can address the issue and request another review.
Google first implemented controls that went against abusive notifications with Chrome 80, when it introduced a “quiet notification permission UI [user interface]” feature. Then, in Chrome 84, it announced auto-enrollment in quiet notification UI for websites with abusive-notification permission requests, such as sites that use deceptive patterns to request notification permissions.
However, the new enforcement in Chrome 86 takes it a step further by focusing “on notification content and is triggered by sites that have a history of sending messages containing abusive content,” said Google. “This treatment applies to sites that try to trick users into accepting the notification permission for malicious purposes, for example sites that use web notifications to send malware or to mimic system messages to obtain user login credentials.”
In an upcoming release, Chrome will revert the notification permission status from “granted” to “default” for abusive origins, preventing further notifications unless the user returns to the abusive origin and re-enables them. That’s because “prior to the release of Chrome’s abusive notifications protections, many users have already unintentionally allowed notifications from websites engaging in abusive activity,” it said.
Google this week also warned of an update to its Chrome browser that patches a zero-day vulnerability in the software’s FreeType font rendering library that was actively being exploited in the wild.