Severity: low | CWE-312 | A02:2021

Sensitive Data in Push Notifications

Push notification payloads are visible on the lock screen and logged by notification services — don't include account numbers, balances, or personal identifiers.

How It Works

Push notifications are delivered through Apple APNs or Google FCM servers and cached temporarily. The notification text appears on the device lock screen, visible to anyone nearby. Notification content is also logged by the push delivery service. Including account numbers, exact balances, or full names creates privacy and security risks.

Vulnerable Code

// BAD: sensitive data in push notification body
// (runs inside an async function; admin.initializeApp() has already been called)
const admin = require('firebase-admin');

await admin.messaging().send({
  token: deviceToken,
  notification: {
    title: 'New Transaction',
    // Amount, account number and recipient name all end up on the lock screen
    // and in the push service's logs.
    body: `$2,450.00 sent from account 4827-xxxx-xxxx-1234 to John Smith` // too much info
  }
});

Secure Code

// GOOD: generic notification that requires opening the app to see details
// (runs inside an async function; admin.initializeApp() has already been called)
const admin = require('firebase-admin');

await admin.messaging().send({
  token: deviceToken,
  notification: {
    title: 'New Transaction',
    body: 'You have a new transaction. Tap to view.'
    // details only visible inside the authenticated app
  },
  // FCM data values must be strings; only an opaque id is sent, never the details
  data: { transactionId: 'txn_123' } // app fetches details on open
});

Real-World Example

Banking apps have been criticized for exposing full transaction amounts and recipient names in push notifications. A device left on a desk shows this information to anyone nearby without requiring authentication.

How to Prevent It

  • Keep push notification bodies vague — say 'new message' not 'John sent you: Hey there...'
  • Never include account numbers, exact balances, or full names in notification text
  • Use the notification as a signal to open the app where data is shown behind authentication
  • Offer a notification privacy setting that lets users choose between vague and detailed notifications
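The following is an added example, not code from the original page: it builds the generic transaction notification shown above from a transaction record and puts a guard in front of `messaging.send()` that refuses any message whose visible text contains an amount or account number. The transaction shape `{ id, amount, fromAccount, toName }` and the stub `messaging` object are assumptions for illustration; `messaging` would normally be `admin.messaging()` from firebase-admin.

```javascript
// Patterns that should never appear in lock-screen text: currency amounts,
// full or masked card/account numbers, and long digit runs. Names cannot be
// pattern-matched, which is why the builder below never interpolates record
// fields into the body at all.
const SENSITIVE_PATTERNS = {
  amount: /[$€£]\s?\d[\d,]*(?:\.\d{2})?/,
  accountNumber: /\b(?:\d{4}|x{4})(?:[- ](?:\d{4}|x{4})){2,3}\b/i,
  digitRun: /\b\d{8,}\b/,
};

// Returns the name of the first matching pattern, or null if the text is clean.
function findSensitiveContent(text) {
  for (const [name, re] of Object.entries(SENSITIVE_PATTERNS)) {
    if (re.test(text)) return name;
  }
  return null;
}

// Builds the FCM message: a generic body plus an opaque id in `data` that the
// app resolves behind authentication. Nothing from the record reaches the body.
// (Transaction shape is assumed: { id, amount, fromAccount, toName }.)
function buildTransactionNotification(deviceToken, txn) {
  return {
    token: deviceToken,
    notification: {
      title: 'New Transaction',
      body: 'You have a new transaction. Tap to view.',
    },
    data: { transactionId: String(txn.id) }, // FCM data values must be strings
  };
}

// Guard in front of messaging.send(): refuses any message whose visible text
// contains sensitive content, so a later regression cannot reach the lock screen.
async function sendGuarded(messaging, message) {
  const n = message.notification || {};
  const visible = `${n.title || ''} ${n.body || ''}`;
  const hit = findSensitiveContent(visible);
  if (hit) {
    throw new Error(`refusing to send notification: visible text contains ${hit}`);
  }
  return messaging.send(message);
}
```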

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
