By Evan Sangaline | May 31, 2018
I recently stumbled upon an advertisement that was so obnoxious that I felt instantly compelled to share it. The site requested my permission to send notifications using the browser’s Notification API. When I refused, it simply wouldn’t take no for an answer. As they say, a picture is worth a thousand words.
A website typically only gets one chance to request notification permissions. If they get blocked then that’s it. This malicious site worked around this limitation by responding to failed notification requests with immediate redirects to a different subdomain that served up the same content. The new domain allowed them to make a new notification request, and this cycle was allowed to continue on indefinitely by the browser.
This is reminiscent of sites repeatedly opening alert dialogs, but it has thankfully become ubiquitous for browsers to give you a “prevent this page from creating additional dialogs” option when this happens.
That’s a great feature, and it significantly reduces the effectiveness of bad actors repeatedly opening dialogs. It might be time for browsers to implement a similar feature for preventing this notification request pattern given that there are actual sites out there in the wild using this technique.
The ramifications of a user giving in to these notification requests are actually somewhat severe, as it gives the malicious site operator the ability to actually create notifications on a user’s device at the system level. Although you can’t request notification permissions from inside of an iframe, you can send push notifications from inside of one. I haven’t investigated exactly what this particular site does once they get the permission, but I could potentially imagine them using advertisement iframes to send notifications after the permission had initially been granted from a popup.
I was curious to see just how deep this rabbit hole went, so I used nslookup to see how high the incrementing numbers in the domain could go. I have to admit that I tried querying a few specific subdomains before it occurred to me to try this.
So it turns out that “infinitely deep” is the answer. They’re using a wildcard DNS record, and they can just keep incrementing the subdomains as many times as they want.