Push notifications were the best thing since sliced bread when they appeared first in Android and later in iOS and iPadOS. Instead of requiring a lot of attention, a notification can appear briefly, is easily dismissed, and can be controlled—you can suppress apps from showing them all together, all the way to allowing Critical Alerts in some apps for events you absolutely don’t want to miss a message about.
Apple gingerly added push notifications to Safari in macOS to let websites access the system-wide notification system because the increasing reliance on web apps (a website that provides an app-like set of features) means you could have a tab open performing tasks that require your attention.
It’s a double-edged sword, though: spammers, scammers, and assorted thieves and ne’er-do-wells take advantage of any opening to try to part you from your money through lies and fear. A malicious site can leverage push notifications to fill the right edge screen with unwanted alerts.
How can this happen? You visit a safe site that, through the vagaries of ad networks, is hosting an advertisement that either you click on without realizing the danger or the bad ad runs illegitimate JavaScript to force open a window or prompt you to open one. You might also visit a URL for a site that has been hijacked or failed to renew its domain registration, and now you’re on a page of no repute.
However you get there, a malicious site incorporates a request in the page you load that triggers Safari to prompt you to ask if you want to enable notifications for the site or not. This is harder to trigger in iOS and iPadOS, which only allow notifications from web pages you’ve added to your home screen.
Misleading messages on macOS Safari
When Apple first introduced the feature to macOS, it only allowed developers to trigger a standard dialog box that said Don’t Allow and Allow, with Allow highlighted. Not long after, Safari began to allow a custom opt-in message and design. The text that appears can be entirely misleading: it’s possible that you would click a button intending to not allow alerts and actually have opted in to them. For instance, the text that misled one Macworld reader says:
[space]ask you
Confirm that you’re not a robot, you need click Allow
I must have been taken in once because I found this entry in Apple menu > System Settings > Notifications on my Mac.
As long as the web page remains open, even if it’s in a window or tab you’re not viewing, it can send you notifications. Because Apple shows the favicon of the website (a small icon set by the site owner), as part of the notification, it can be quite misleading. For example, in the figure below, the favicon is a System Preferences icon with a red dot overlaid. That gives the impression it’s a macOS notification but it’s not.
A reader sent these screens of malicious notifications from the “Ask You” site.
Glenn Moyer
Clicking the notification takes you to the web page trying to sucker you, and then the site tries to lure you into installing malware, typing in your credit-card number, or much worse.
All that said, you can easily defeat the creeps who set you up by disabling notifications. (And find and close that tab or window!)
In macOS:
- In Safari, go to Safari > Settings/Preferences > Websites.
- Find the entry for the website. If you can’t find it by domain, look for the icon, as in the figure below.
- Choose Deny from the popup menu to the right of the site name or select the item and click Remove.
Use Safari’s Websites pane with Notifications selected at left to block sites from popping up alerts.
Foundry
How do you decide whether to choose Deny or click Remove?
- Choosing Deny means if you visit the site again, an alert about wanting to notify you won’t appear.
- Removing the entry means it doesn’t appear in the Notification settings/pane in System Settings/Preferences or in Safari’s Websites list.
You can also use Apple menu > System Settings > Notifications to disable notifications directly. Safari and the Notifications settings don’t seem to communicate directly: I had the malicious site described above set to Deny in Safari, yet in Notifications it was shown as enabled!
The System Settings/Preferences Notifications controls don’t seem to match Safari’s.
Foundry
In iOS/iPadOS:
- Go to Settings > Notifications
- Find the entry for the home page web app by title, and disable notifications for it.
- Also, you might want to remove that from your home screen altogether–that site is sending you unwanted notifications!
This Mac 911 article is in response to a question submitted by Macworld reader Glenn (not the author).
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.
