Support » Plugin: OneSignal - Web Push Notifications » OneSignal is malware

  • OneSignal malware automatically installs on the computers of users who merely visit a website (e.g., hungryforever dot com). By visiting the site, users are automatically signed up for a newsletter and annoying popup malware is installed with frequent notifications sent. No user confirmation involved.

    This is malware, pure and simple, and thus, I believe it to be a violation of WordPress terms of use, and absolutely should not be made available via the WordPress.org repository.

    Does anyone know how we can remove this malware from users’ PCs? Their site appears to have no information on this topic.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author OneSignal

    (@onesignal)

    Dear Websta,

    We’re sincerely sorry you had a bad experience with a site that implemented OneSignal. I can absolutely assure you that OneSignal is not malware. Instead, it is simply a service that helps developers use a new browser feature called Web Push.

    You can read an informative article about Web Push and websites that use it including Facebook, eBay, and Pinterest here: http://techcrunch.com/2015/04/20/facebook-ebay-vice-and-others-first-to-support-chromes-new-push-notifications/#.o5eytr:cLyW

    Web Push will never automatically opt you in. It was specifically designed to require you to click “Allow” in a dialog that your browser presents to you.

    If you have opted-in accidentally and you wish to opt-out, every single notification you receive has an Opt-Out settings button in the corner.

    If you have any questions or concerns I encourage you to reach out to me at contact@onesignal.com.

    That may have been your intent, but user approvals have been bypassed IRL, which would render your product malware.

    For other users, to remove OneSignal-enabled notifications, in Chrome, go to: Settings > Show advanced settings > Privacy > Content settings > Notifications > find onesignal, or others you do not wish to receive popup notifications from, and switch to “Block,” and select “Save.”

    Plugin Author OneSignal

    (@onesignal)

    Hi Websta. Web Push is built into web browsers in such a way that approval is required. Web browsers, including all versions of Google Chrome, do not provide any possible way to bypass this requirement.

    To paraphrase the Web Push specification as implemented by Google Chrome and Firefox:
    1. The browser must not provide Web Push access without the express permission of the user.
    2. Web Push permission must be revokable.

    You can see a screenshot of what the approval prompt looks like in Google Chrome on the website you mentioned here: https://www.dropbox.com/s/dqj6jjxuvb1bvoa/Screenshot%202016-01-19%2011.25.39.png?dl=0
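
The permission and revocation model described in the replies above can be checked from the DevTools console on any site. This is an added example, not part of the thread and not OneSignal's code; the function names and the `env` parameter are hypothetical, and only standard Notification, Service Worker and Push API calls are used.

```javascript
// Added example: audit Web Push consent state for the current origin.
// `env` defaults to the page's globals; it is a parameter only so the
// functions can also be exercised with a constructed mock.
async function auditPushState(env = globalThis) {
  const report = { permission: 'unsupported', subscriptions: [] };
  const sw = env.navigator && env.navigator.serviceWorker;
  if (!env.Notification || !sw) return report;

  // 'default' = user never answered, 'granted' = user chose Allow,
  // 'denied' = user chose Block. Only the browser UI changes this value.
  report.permission = env.Notification.permission;

  // A push subscription always belongs to a service worker registration.
  for (const reg of await sw.getRegistrations()) {
    if (!reg.pushManager) continue;
    const sub = await reg.pushManager.getSubscription(); // null if none
    if (sub) {
      report.subscriptions.push({
        scope: reg.scope,
        endpointHost: new URL(sub.endpoint).host, // push service in use
        sub,
      });
    }
  }
  return report;
}

// Turn the raw report into a single verdict string.
function consentVerdict(report) {
  switch (report.permission) {
    case 'unsupported': return 'push-unsupported';
    case 'denied': return 'blocked';
    case 'default': return 'not-asked';
    case 'granted':
      return report.subscriptions.length > 0
        ? 'subscribed' : 'allowed-not-subscribed';
    default: return 'unknown';
  }
}

// Drop every push subscription found by auditPushState(). This stops push
// delivery for the origin but does not reset the permission itself.
async function unsubscribeAll(report) {
  const done = await Promise.all(report.subscriptions.map((s) => s.sub.unsubscribe()));
  return done.filter(Boolean).length;
}
```

A verdict of `not-asked` or `blocked` means the origin cannot show notifications; after `unsubscribeAll`, the permission still reads `granted` until it is changed in the browser's notification settings.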

    This guy is just a complainer and does not know what this actually does. It isn’t malware just because you allow notifications. How stupid can you be?

    I was going to re-rank this, based on an offline conversation with Ipstenu.

    But, the plugin has been converted to malware, bypassing user consent. That may not have been OneSignal’s intent, but that is what is happening. They can shore up their code to help prevent that, or not.

    Plus, Michael Bryner, I’m so stupid, why would I?

    I don’t think a plugin can enable the notification without the user’s consent, at least on Chrome. Therefore, your review is entirely false.

    Yeah dude you don’t know what you’re talking about. There is no way whatsoever for a website/wordpress/plugin to auto-enable push notifications.

    Like, at all.

    It has absolutely _nothing_ to do with the website, but a function of your browser. If there are websites in your notifications settings in Chrome, it’s because you specifically allowed them.

    I realize that notifications are not supposed to be enabled without consent.

    WordPress staff formally investigated the plugin, including the specific instance it had been used as described above, to be used as a malware platform.

    My findings were replicated and corroborated by WordPress staff.

    However, WordPress doesn’t patrol what people do with plugins once they’re distributed, so it was allowed to remain available here.

    I suggest that the company take a close look at possible exploits and do their best to prevent its use as a malware platform.

    @websta

    Why are you chuntering about Malware? It’s not a Malware.

    FYI Malware is a software which is specifically designed to disrupt or damage a computer system.

    Your review is entirely illogical because the plugin is supposed to pop up notifications on desktop. And sir, you may have to rethink the review.
    If you have a problem or query, there’s always a Support Forum.

    Reading posts like this makes me die a little on the inside. Sadly it’s not an isolated occurrence.

    It’s not possible for code to bypass a browser dialog in this way. If such vulnerabilities existed then Google would have acknowledged user-reported issues over at: https://bugs.chromium.org/p/chromium/issues/list. Such reports don’t exist.

    Widespread notification spam is not a thing; if it were, we would all be bombarded.

    The simple fact is that the user in question blindly consented to receive notifications, forgot, then became morally outraged when a notification popped up. Since that time they’ve lied on behalf of WordPress staff that plugin code could somehow override browser behavior, which is frankly ridiculous. The consent for notifications happens away from the site through the window chrome.

    From what I can see all push-notification plugins have suffered user reports of this kind, even sites which run commercial solutions such as Roost frequently see complaints from users – although most don’t go to such extents to claim innocence.

    WordPress staff formally investigated the plugin, including the specific instance it had been used as described above, to be used as a malware platform.

    My findings were replicated and corroborated by WordPress staff.

    However, WordPress doesn’t patrol what people do with plugins once they’re distributed, so it was allowed to remain available here.

  • The topic ‘OneSignal is malware’ is closed to new replies.