When Push Comes to Shove: Empirical Analysis of Web Push Implementations in the Wild
Web push notifications are becoming an increasingly prevalent capability of modern web apps, intended to create a direct communication pipeline with users and increase user engagement. The seemingly straightforward functionality of push notifications obscures the complexities of the underlying design and implementation, which deviates from a near-universal practice in the web ecosystem: the ability to access an account (and the associated functionality) from practically any browser or device upon successful completion of the authentication process. As a result, the challenges of deploying push notifications are further exacerbated due to the integration obstacles that arise from other aspects of web apps and user browsing behaviors (e.g., multi-device environments, account and session management). In this paper, we conduct an empirical analysis of push notification implementations in the wild, and identify common deployment pitfalls. We also demonstrate a series of attacks that target push notification functionality, including a novel history-sniffing attack, through a selection of use cases. To better understand current practices in push notifications implementations, we present a large-scale measurement of their deployment and also provide the first, to our knowledge, exploration and analysis of third-party service providers. Finally, we provide guidelines for developers and propose an approach for correctly handling push notifications in multi-browser, post-authentication settings.