Chrome hits scammers with rate limiting for push notifications

Google is rolling out rate limiting for the Chrome Push API, capping delivery to 1,000 push notifications per minute. The change primarily affects websites that target users individually – a pattern often exploited by scammers who use small pop-ups to alert users to fake viruses, urgent updates, or sensationalized breaking news.
Beginning in January, Chrome will start limiting the number of push notification requests a website can make. The rate limiter will activate for sites that send numerous notifications with minimal engagement.
“Many of us have experienced it: a website that bombards us with a constant stream of notifications that aren't relevant or valuable,” Google explains in a blog post.
Push notifications deliver alerts to users even when the website is not open in the browser. For example, an attacker can exploit this feature by tricking users into accepting push notifications on a malicious website and later targeting them individually with misleading pop-ups.
Even legitimate sites can be compromised or change their behavior after permissions are granted.
Due to constant abuse, cybersecurity experts and authorities have long recommended completely disabling push notifications in browser settings.
How will the new rate limiting work?
Google says that the rate-limiting mechanism will be based on user engagement. Once a site is identified as sending a high volume of notifications with very little user engagement, it will be considered disruptive.
Chrome “will limit its ability to send messages to a value no less than 1000 per minute,” Google said.
“Requests above that limit will result in an HTTP 429 response.”
While a cap of 1,000 push notifications per minute might seem high, in realistic abuse scenarios attackers use the Push API aggressively, sending a separate notification to each user for minor events such as clicks or other interactions.
Meanwhile, legitimate websites often rely on a single broadcast to push notifications to many users.
The user engagement will be measured by three key factors:
- How many push messages a site has sent per time spent on a site
- How many permission prompts were shown per time spent on the site
- The level of engagement that the user has with the site (based on the site engagement score and number of foreground minutes)
Google also introduces logic to prevent abusers from quickly cycling between malicious and non-malicious behavior. The first day of offense results in a one-day rate limit. A second day of spamming extends it to seven days, and a third day of offending applies a rate limit for 14 days.
To reset the count, the website must behave for 42 consecutive days.
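The following is an added illustration of the policy the article describes (the 1,000-per-minute cap with HTTP 429, the 1/7/14-day escalation and the 42-day reset), not Chrome's code: the data structures and function names are assumptions, as is the rule that every offense day after the third also gets 14 days and that clean days under a running limit still count toward the reset.

```python
"""Model of Chrome's escalating push rate limit as reported in the article.
Added illustration, not Chrome's implementation (see the lead-in for what
is assumed)."""
from dataclasses import dataclass

PER_MINUTE_CAP = 1000
LIMIT_DAYS = (1, 7, 14)          # 1st, 2nd, 3rd-and-later offense days (assumed)
CLEAN_DAYS_TO_RESET = 42


@dataclass
class SiteState:
    offenses: int = 0            # offense days counted since the last reset
    limited_until: int = 0       # first day index on which the limit no longer applies
    clean_streak: int = 0        # consecutive non-disruptive days
    minute: int = -1             # minute currently being counted
    sent_this_minute: int = 0


def is_limited(state: SiteState, day: int) -> bool:
    return day < state.limited_until


def record_day(state: SiteState, day: int, disruptive: bool) -> bool:
    """Apply one day's engagement verdict (high volume + low engagement =
    disruptive; Chrome's actual thresholds are not published) and return
    whether the site is rate-limited on that day."""
    if disruptive:
        state.clean_streak = 0
        days = LIMIT_DAYS[min(state.offenses, len(LIMIT_DAYS) - 1)]
        state.offenses += 1
        # a fresh offense never shortens a limit that is already running
        state.limited_until = max(state.limited_until, day + days)
    else:
        state.clean_streak += 1
        if state.clean_streak >= CLEAN_DAYS_TO_RESET:
            state.offenses = 0       # site "behaved" long enough: start over
            state.clean_streak = 0
    return is_limited(state, day)


def push_request(state: SiteState, day: int, minute: int) -> int:
    """HTTP status for one push-service request: 429 once a limited site
    exceeds the per-minute cap; 201 (the usual Web Push accept code,
    assumed here) otherwise."""
    if not is_limited(state, day):
        return 201
    if state.minute != minute:       # new minute: reset the counting window
        state.minute, state.sent_this_minute = minute, 0
    state.sent_this_minute += 1
    return 429 if state.sent_this_minute > PER_MINUTE_CAP else 201
```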
“Though this describes our initial approach, the specifics of this calculation may evolve over time as the ecosystem evolves,” Google said.
The tech giant also emphasizes that the change doesn't affect the similar Notifications API, which can be used to send notifications while the website is open.
“Nearly all websites will be unaffected by this change. This initiative is targeted at a small number of sites that are sending an excessive number of low-value notifications,” Google assures.
Chrome on Android also utilizes on-device machine learning to identify and warn users about potentially malicious notifications, automatically revoking notification permissions from websites deemed malicious.
Chrome also removes permissions for sites a user hasn’t interacted with recently.