Severity: low | CWE-74 (Injection) | OWASP A03:2021 (Injection)

Push Notification Injection

Placing unsanitized user input in push notification payloads lets an attacker craft misleading notifications that are delivered under your app's name and icon to other users.

How It Works

Push notification titles and bodies are rendered by the operating system with your app's icon and name on users' lock screens. If an attacker controls any of that text (through a username, product name, or message field), they can make your app display phishing content, fake payment alerts, or malicious URLs to other users. Unlike HTML or SQL injection, nothing has to be parsed for this to work: the danger is that the OS presents attacker-chosen text with your app's identity, so the recipient has no way to tell it apart from a genuine system or security message.

Vulnerable Code

// BAD: user-controlled data directly in notification title and body
// (admin is an initialized firebase-admin SDK instance; both fields reach
//  the recipient's lock screen exactly as the sender typed them)
await admin.messaging().send({
  token: recipientToken,
  notification: {
    title: `Message from ${user.displayName}`, // attacker controls displayName
    body: messageText  // unvalidated message content
  }
});

Secure Code

// GOOD: sanitize all user-controlled fields in notification content
// (sanitizeText is an application-level helper, not part of firebase-admin:
//  it enforces a length limit, strips URLs on request, and removes control
//  and invisible characters before the text is sent)
const safeName = sanitizeText(user.displayName, { maxLength: 50 });
const safeBody = sanitizeText(messageText, { maxLength: 200, noUrls: true });
await admin.messaging().send({
  token: recipientToken,
  notification: { title: `Message from ${safeName}`, body: safeBody }
});

Real-World Example

Messaging apps have been abused to deliver fake system alerts simply by setting a sender display name such as 'Apple Security Alert' or 'URGENT: Your account has been compromised': the recipient sees that string in the notification title, with the legitimate app's icon beside it.

How to Prevent It

  • Sanitize all user-controlled strings used in notification title and body fields, at the point where they enter the payload (not only at registration, since a display name can be changed later)
  • Set maximum length limits on notification content
  • Strip URLs from notification bodies if your app design doesn't require them
  • Remove control, zero-width and bidirectional-override characters, and consider removing emoji and symbols that could be used to mimic system UI
  • Reject or replace sender names that imitate system or security alerts rather than rendering them
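One way to implement the helper called in the secure snippet, as an added example that is not code from the original page or from firebase-admin. sanitizeText, looksLikeSystemAlert, buildMessageNotification, the regular expressions and the keyword list are all assumptions; the attacker input at the bottom is constructed for illustration.

```javascript
// Added example, not code from the original page or from firebase-admin:
// a hypothetical sanitizeText() with the call shape used in the secure snippet,
// a display-name check, and a builder for the payload handed to
// admin.messaging().send(). Names, regexes and the keyword list are assumptions.

// C0/C1 controls (except \t \n \r and friends, which are handled as whitespace
// below), soft hyphen, zero-width characters, bidi embeddings and overrides,
// word joiners and BOM: all invisible, all able to change how the surrounding
// text renders.
const INVISIBLE_RE =
  /[\u0000-\u0008\u000E-\u001F\u007F-\u009F\u00AD\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF]/g;

// URL-like tokens: any scheme://..., www.host, or host.tld for a short,
// constructed TLD list (extend for your product).
const URL_RE =
  /(?:[a-z][a-z0-9+.-]*:\/\/\S+|www\.\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|io|app|dev|xyz|ru|co)\b(?:\/\S*)?)/gi;

// Emoji and other pictographs (the `u` flag enables \p{...} classes).
const EMOJI_RE = /\p{Extended_Pictographic}/gu;

function sanitizeText(input, { maxLength = 100, noUrls = false, noEmoji = false } = {}) {
  if (typeof input !== 'string') return '';

  // NFKC folds compatibility look-alikes (fullwidth letters, ligatures) into
  // their plain forms, so "Ａpple" becomes "Apple" before the checks below.
  let text = input.normalize('NFKC');
  text = text.replace(INVISIBLE_RE, '');
  if (noUrls) text = text.replace(URL_RE, '[link removed]');
  if (noEmoji) text = text.replace(EMOJI_RE, '');

  // Newlines and whitespace runs let one message pose as multi-line system UI.
  text = text.replace(/\s+/g, ' ').trim();

  // Truncate by code point so a surrogate pair is never cut in half.
  const codePoints = Array.from(text);
  if (codePoints.length > maxLength) {
    text = codePoints.slice(0, Math.max(0, maxLength - 1)).join('') + '\u2026';
  }
  return text;
}

// Phrases a sender name should never carry because they imitate the platform
// or a security process (constructed list; tune it to your product).
const IMPERSONATION_TERMS = [
  'security alert', 'system message', 'urgent', 'verify your account',
  'account has been compromised', 'support team',
];

function looksLikeSystemAlert(displayName) {
  // Sanitize first so look-alike characters cannot slip past the keyword match.
  const folded = sanitizeText(displayName, { maxLength: 200 }).toLowerCase();
  return IMPERSONATION_TERMS.some((term) => folded.includes(term));
}

// Builds the payload for admin.messaging().send(). A spoof-looking name is
// replaced with a neutral label instead of being rendered.
function buildMessageNotification(recipientToken, user, messageText) {
  const safeName = looksLikeSystemAlert(user.displayName)
    ? 'A contact'
    : sanitizeText(user.displayName, { maxLength: 50, noUrls: true, noEmoji: true });
  const safeBody = sanitizeText(messageText, { maxLength: 200, noUrls: true });
  return {
    token: recipientToken,
    notification: { title: `Message from ${safeName}`, body: safeBody },
  };
}

// Constructed attacker input: a look-alike sender name carrying a fullwidth
// letter and a right-to-left override, and a body with a phishing link.
const attacker = { displayName: '\uFF21pple\u202E Security Alert' };
const phish = 'Your account is locked.\nRestore it at https://evil.example/login now';
console.log(buildMessageNotification('recipient-token', attacker, phish));
```

Two design choices matter here. Normalization and the removal of invisible characters happen before the URL and keyword checks, so a fullwidth "Ａ" or a bidi override cannot hide a match. And the helper removes or replaces rather than escapes: a push notification is plain text rendered by the OS, so there is no escaping syntax that would make a spoofed string safe, only shorter, plainer text.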

Affected Technologies

Node.js
