Dear Websta,
I am replying here as well as on your plugin review.
We’re sincerely sorry you had a bad experience with a site that implemented OneSignal. I can absolutely assure you that OneSignal is not malware. Instead, it is simply a service that helps developers use a new browser feature called Web Push.
You can read an informative article about Web Push and websites that use it, including Facebook, eBay, and Pinterest, here: http://techcrunch.com/2015/04/20/facebook-ebay-vice-and-others-first-to-support-chromes-new-push-notifications/#.o5eytr:cLyW
Web Push will never automatically opt you in. It was specifically designed to require you to click “Allow” in a dialog that your browser presents to you.
If you have opted in accidentally and you wish to opt out, every single notification you receive has an Opt-Out settings button in the corner.
If you have any questions or concerns, I encourage you to reach out to me at contact@onesignal.com.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Does WordPress officially support malware (because it is)?
Hey, that’s a nice title, very click baity and guaranteed to get attention. More than a little spammy too.
Now for the Grown Up™ answer: No, WordPress.ORG does not support malware.
If you have evidence of a plugin violating the detailed guidelines then you can report that directly to the plugins team via plugins [at] wordpress.org
https://wordpress.org/plugins/about/guidelines/
I’m wondering about WordPress.org-served plugin, OneSignal, which auto installs popup malware on users’ computers and devices.
That would certainly violate the terms in that link. You’ll need to provide details of course. Just having your site compromised alone is not enough. If you can show the code in the plugin then that would help tremendously.
Thread Starter
websta
(@websta)
Thanks, I searched for contact info but couldn’t find that address. Will report.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Please be clear what you mean: Installing a rootkit, a keylogger, botnet code, etc., now THAT is malware.
If you mean using your browser’s web push capabilities (which must be approved by the user on the browser) then that is not malware.
Thread Starter
websta
(@websta)
User approvals were bypassed, in my experience. Automatic push notifications were enabled.
Background: We visited hungryforever dot com, started getting popups (after a “thank you for subscribing” popup). Later, popup notifications from the site began to appear on our PCs. Looking at source code for that site, in an attempt to figure out what malware we should learn how to disable, showed it was a WordPress site serving OneSignal-provided popups.
I don’t know if that particular site will change their settings now/in future, yet in our experience, at least, onesignal.com notifications were automatically “approved” and enabled.
To verify, you may want to try that site and see if your Chrome settings are automatically changed also.
Since this has been reported, and you have multiple posts about this, I’m closing the post.
We’re looking into it official like.