A dark adtech empire fed by fake CAPTCHAs
krebsonsecurity.com
235 points by todsacerdoti 5 days ago
> According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling "push notifications," a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser.
An elderly relative of mine was hit by this a couple years back: his computer's desktop was constantly being spammed with messages on startup, and there was no simple way to turn them all off. It turned out that they were all notifications from web workers that he'd inadvertently allowed at some point prior. (I set his browser to auto-deny notifications so it wouldn't happen again.)
The entire idea of push notifications on browsers was obviously toxic from the start, especially the privileged status "Do you want to enable notifications?" popups had.
I think the idea comes from the 2010's hype about Phone-Ifying The Desktop. Someone clearly thought they were recreating the Google Reader / RSS ecosystem (Mozilla had RSS in the browser in a flop)... but everyone else was just enthusiastic about dark patterns that were viable in mobile apps that didn't exist in a desktop browser.
I use this feature all the time and I love it. Not having to install dozens of apps just to see the occasional notification is a dream come true.
The way it's trivial for browsers to fake OS notifications on some platforms is a clear design flaw, though. I get the need for it (PWAs and such) but unless the website sending a notification is a PWA, there's no need for a notification to be that ambiguous.
The current system, where Chrome (the only browser that matters) collects information about websites and only shows the permission popup on some websites has mostly killed useful notification support for a lot of websites.
I can think of exactly two use cases for web browser push notifications:
- Web-based email
- Web-based chat
That’s it. Every other use case seems to be solving a “them” problem (how do we increase engagement?) and not a “me” problem.
Even if I wanted to hear about updates from a website (and I never do), I could sign up for emails. And If I don’t trust a website with my email, I certainly don’t trust them with sending me push notifications.
In fact, let me take chat apps off that list, because if I don’t have the webapp open in a browser window, the chat app should have the option to just email me about someone trying to message me (and ideally, letting the other party know I’m unavailable and letting them choose whether to send me the email.) So no, really just email and that’s it.
I’m super curious what your use cases are if you use web-based push notifications “all the time”.
Youtube uses it well. You can get notifications when people upload videos or to recommend you suggested videos you may like. Sure engagement increases, but that is because I'm watching videos that I find entertaining. It's a win win for YouTube and the users.
I can see that being useful if it’s important to you to start watching someone’s videos within minutes of them posting it, but I’ve never understood why that’s desirable for anyone.
To me, I watch YouTube when I have some time to do so and make the active decision to open the app… then let me know about which of my subscriptions have recent videos. I just can’t imagine being in the middle of something else and dropping everything because someone posted a video. But different people are different I guess.
You don't have to click on notifications right away. I let them build up over the day until I have time to go through them. But there are also some like livestreams or video premiers where being there on time does matter.
Another factor is that videos are not permanent. If you don't watch a video immediately the creator may take it down or private it.
If you’re gonna let them just build up over time, why not just open the app and see the latest videos in there?
Time sensitive stuff I… kinda get. But I would get stressed out if that was actually the norm. I really don’t like the idea of “engage now or you’ll miss out” in my entertainment.
I spend way more time on YouTube than I ought, but it's on a pull basis, not a push basis. I go to YouTube and go to my subscriptions or to recommendations on the Home screen.
I can't imagine wanting YouTube to be able to push content onto my phone at arbitrary times of its choosing. What benefit does that give you over the subscription feed and home screen?
IMO random websites prompting to access your location data is far more problematic
The biggest problem there is that several browsers don't want to remember your response of "No" for more than one day. They want you to be constantly tracked. I'd like to be able to tell all browsers, never track my location or send me a notification from any website but that's not what they want. Orion by Kagi is a breath of fresh air in this department.
DocuSign tracks your location when you sign a document unless you disable it in the browser. Learned that a few years ago.
It's a progressive webapp feature and would be a necessary tool to escape Apple and Google stores and hardware lock-in. Like all tech, hindsight is 20/20 with malicious actors.
One of the first settings I change in any new browser is to forbid notification requests from all pages, and disable dom.beforeUnload (stops websites being able to prompt to confirm if I want to close the tab). Those functionalities are probably the most abused browser functionalities and definitely shouldn't be enabled by default (or if so only for a whitelist of sites).
How do you do this? I'm looking to do it for the clipboard API. Browsers should be able to block copy and paste.
In firefox: about:config -> dom.disable_beforeunload=true
For copy-paste: dom.event.clipboardevents.enabled=false I would guess.
A quick google shows this for FF (taken from a thread in StackOverflow):
> In Firefox you can completely disable beforeunload events by setting dom.disable_beforeunload to true in about:config. Extensions may be needed for other browsers.
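For anyone who wants to apply the settings discussed above (blocking notification prompts, the location prompt, beforeunload, and the clipboard events pref) on every profile of a machine rather than flipping them by hand in about:config, Firefox's enterprise policy file does the same job and can lock the values so they cannot be re-enabled by a click. The following policies.json is an added example and is not taken from the Krebs article or from any commenter. The policy names (Permissions.Notifications, Permissions.Location, Preferences) are Firefox's own; the two pref names are the ones quoted in the thread, where dom.event.clipboardevents.enabled is the commenter's guess rather than something they verified; the https://mail.example.com entry is a placeholder for a site you deliberately allow, matching the "whitelist of sites" idea above.

```json
{
  "policies": {
    "Permissions": {
      "Notifications": {
        "Allow": ["https://mail.example.com"],
        "BlockNewRequests": true,
        "Locked": true
      },
      "Location": {
        "BlockNewRequests": true,
        "Locked": true
      }
    },
    "Preferences": {
      "dom.disable_beforeunload": {
        "Value": true,
        "Status": "locked"
      },
      "dom.event.clipboardevents.enabled": {
        "Value": false,
        "Status": "locked"
      }
    }
  }
}
```

Drop the file into the browser's `distribution/` directory (for example `/usr/lib/firefox/distribution/policies.json` on Linux, `<install dir>\distribution\policies.json` on Windows) and check `about:policies` after a restart to confirm it loaded without errors. `BlockNewRequests` stops the permission prompt from ever appearing while leaving the `Allow` list working, and `"Status": "locked"` greys the pref out in about:config, which is what you want on a relative's machine. The trade-off others in the thread raise still applies: with beforeunload disabled, a page such as a web console cannot warn you before an accidental Ctrl+W closes the tab.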
A word of caution: I'm not 100% sure, but I wonder if some web collaboration tools might use this to ensure data has been synced with a server.
It surely has a lot of legitimate uses, even if it is primarily abused. I’ve used it before to do various cleanup tasks, to have a more timely “user disconnected” event, rather than waiting on some timeout to occur server side.
Having said that, it should never be the end of the world to disable, sites should never have data loss due to this event missing, because if so, they already have a data loss problem when for instance the power goes out.
I am not sure if this is implemented using this functionality but when I am on a console session on proxmox and hit ctrl+w due to muscle memory, it's nice to have a warning telling me the tab will be closed. Same with all kinds of remote access tools. One legit use case I can think of.
I honestly think desktop notifications in their current form are one of the worst features of the modern web. Sure it's nice to get an email alert but in my experience there's probably a thousand confused old people getting spammed for each person that intentionally enabled it.
What's worse is they look like native OS alerts (on Windows) so when one says "SECURITY ALERT!! CALL NOW" it's that much more effective at getting people on the phone with scammers.
So many sites ask for permission to send notifications that have zero reason to do so. Why would I want push notifications from a shopping or news site?
Honestly, a news site is arguably one of the few sites that I see having a reason to send push notifications.
Communication platforms; messaging apps (Slack, Discord etc.); email sites (Gmail and co.) also make sense. Financial platforms (banks, Stripe etc.).
Once you start getting out of these two categories, then yeah, it gets silly. No way should an airline website even be allowed to ask to send push notifications.
Google does have a way for Chrome users to not show the notification window (https://yespo.io/blog/google-chrome-will-now-block-abusive-b...) by default (https://support.google.com/webtools/answer/9799829?hl=en) but I really wish that this was flipped, so that Google would first need to approve sites to use notifications, similar to the Public Suffix List.
If I trusted airlines to only send me notifications about gate changes, failed payments, delayed flights, maaaybe low prices on route-date combinations I previously expressed interest in, I'd give them notification permissions. I definitely don't trust them to do that, though.
See also: Uber and Uber Eats.
It seems that companies like this can't help but abuse the permissions I grant them, so the result is that they don't get any permissions at all.
See, that's just the point. You see a need for that. I'd never enable push notifications from a news site, I don't need to know NOW that some pupil shot 17 teachers and pupils in the elementary school around the corner. There is nothing I could do anyway. I'm extremely unlikely to enable notifications from async messaging because, you know, they are async. If it's urgent, come over to my desk or use your phone to call me.
Financial data or travel info is something I'm actively watching, when I travel, just like car traffic. Otherwise, why would I need to know? That's a good question to ask anyway anytime you come across an inbox. I have been in management really long now and designing your information flow strategically is crucial to being effective.
> No way should an airline website even be allowed to ask to send push notifications.
Your flight is delayed/now boarding/etc?
The native apps for my phone aren't really reliable enough at letting me know about delays or gate changes, I don't expect a web push notification to be any better at something that's already untrustworthy, especially on a system that lacks a cellular modem to stay online all the time. Even if they did work perfectly and could be trusted to serve that purpose, no company would only send status updates about your flight in the long term, they're unable to restrain themselves and will view it as an advertising avenue just like they do with phone apps.
My guess is it would be just as (un)reliable as an app.
Many airlines now more or less force you to install their bespoke apps, which could have just as well been websites, just to board their planes. I'm less than happy to install them.
I'm rarely at a computer in the airport without my phone
I would prefer to know about a delayed flight before I get to the airport.
Your phone needs a web browser or an app. An app for every airline you ever use? You already have a web browser.
They could SMS but it's more expensive to send, often even more so for customers on roaming to receive.
Nothing else is universal.
I think there are much better possible solutions. An open notification standard or reasonable pricing of bulk sending SMS would do it.
We still have eMail in place. If they don't want to spend money on an SMS they can send an eMail.
If browser notification permissions had a TTL, I might consider it. But until this happens I won't allow anyone to send me browser notifications. And even then I'd be very picky.
Emails have essentially become notifications anyway. All my emails are things like "your booking has been confirmed", "your package has been shipped", "your invoice is ready for download", "a login from a new device happened", "your flight is delayed", etc.