DOI: 10.1145/3627106.3627186 (ACSAC conference proceedings, research article)

When Push Comes to Shove: Empirical Analysis of Web Push Implementations in the Wild

Published: 04 December 2023

Abstract

Web push notifications are becoming an increasingly prevalent capability of modern web apps, intended to create a direct communication pipeline with users and increase user engagement. The seemingly straightforward functionality of push notifications obscures the complexity of the underlying design and implementation, which deviates from a near-universal practice in the web ecosystem: the ability to access an account (and its associated functionality) from practically any browser or device once authentication succeeds. Instead, push notifications create a communication endpoint for a specific browser instance. As a result, the challenges of deploying push notifications are exacerbated by the integration obstacles that arise from other aspects of web apps and user browsing behavior (e.g., multi-device environments, account and session management). In this paper, we conduct an empirical analysis of push notification implementations in the wild and identify common deployment pitfalls. We also demonstrate a series of attacks that target push notification functionality, including a novel subscription-sniffing attack, through a selection of use cases. To better understand current practices in push notification implementations, we present a large-scale measurement of their deployment and also provide the first, to our knowledge, exploration and analysis of third-party service providers. Finally, we provide guidelines for developers and propose an approach for correctly handling push notifications in multi-browser, post-authentication settings.


Published In

ACSAC '23: Proceedings of the 39th Annual Computer Security Applications Conference, December 2023, 836 pages. ISBN: 9798400708862. DOI: 10.1145/3627106.

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: Research article; Refereed limited


Conference: ACSAC '23. Overall acceptance rate: 104 of 497 submissions, 21%.
