There is a change to Push Notification behaviour in Android 12, which all apps need to update to by November according to my teammate. So this is likely what it seems - someone made an enhancement and was testing the new behaviour on Android 12 devices.
As another commenter mentioned, it's at least a good marketing campaign, causing me to open the app for the first time in months. Or it might be to gather a baseline of how many people react to their notifications, regardless of their contents? (Perhaps to immediately go to the notifications settings to disable them)
Edit: if the notification is sent by an attacker, does the attacker get access to Firebase metrics as well? (Guessing they at least contain info about how many people opened the app)
Interesting, but why would an attacker push a notification like this to so many people?
Or did not many people get it? Could I be targeted, along with the others in this thread?
If the attacker really intended to send the notification to everyone (or even 10%), wouldn't that very likely get the attention of Airbnb, and then they'd know about the issue and be able to mitigate it?
Edit: assuming everyone got it, this seemed much more likely to be a mistake, to me. For example, someone working at Airbnb was testing something and accidentally did it in prod instead of dev. Otherwise, why not camouflage this as something more innocent, like an ad for Airbnb, saying something generic like "Check out our listings near you"?
But if so, why not try to camouflage it as something more generic, to try to avoid notifying Airbnb? I am tech savvy enough and have marketing notifications turned off, but I would assume that they are simply not honouring the setting somehow if I received an ad for Airbnb.
Now Airbnb knows to change their key or something if possible, and I'll be very suspicious of any notifications from any app in the future, especially Airbnb.
If it was a PoC they just lost the ability to build the real attack by being way too noticeable. This issue has likely already been mitigated and will be patched up within days if not hours. Much more likely to be an honest mistake.
Oh could the attacker get information about whether or not I opened the app? Is the same key used to send notifications and access metrics that Firebase collects?
Maybe. But given the culture at most of these places I'd expect the junior to be told that it's ok, everybody makes mistakes. Some engineering manager is probably sweating bigger buckets over their failure to properly secure casual human access to prod stuff, which is definitely not ok. Meanwhile both of them are really really relieved that the notification contents were completely innocuous and not some sick inside joke that would have been massively offensive out of context.
Everyone is blaming the process, secrets of prod etc. I'm saying, there's a test campaign problem, or, more probably, a lack of a human tester. Someone made a test in dev, it got put to the test, and went through to prod. No real security leak or anything, just a product not properly tested.
Like 99% of the internet. Who has the time and money to refactor, doc and test?
It's like climate change: let's all drive full speed into a wall, while tinkering with the stereo system of the car.
How big is their dev team? Does their app change much? Could they have contracted it out and now only have one or two people who still push updates to it?
It's Airbnb... they should have this stuff sorted! Dev/prod should be completely separate with the vaults/secrets management in prod having the correct keys with only a few peeps having access (in a break glass situation). Devs should not have the keys to put into code to push to a prod external service...
There is zero reason why any dev (or worse external dev team) should have access to prod secrets, or the ability to push out via prod. (unless someone cocked up the config for the dev/staging push notification tooling, again requires a level of access)
Got it as well. Sweden. What I noticed was that the airbnb logo was red insured if Grey in the notification. Could it be a test of changing the notification logo color?
Autocorrect kills me I meant to say the airbnb logo was red in the notification instead of grey. Maybe a color change test that wasn't meant to go public?
It's the process, not the dev. A dev should never have access to prod secrets; it shows flaws in ABnB's security model and tells me a fair bit around how they work with dev/deployment.
Haha I considered this as a possibility for why it was sent... I don't ever open their app otherwise, I only ever installed it to receive messages from a host on a trip.
At the very least they might have wanted to understand a baseline for how many people will open a notification just to dig into the app and try to disable future notifications, regardless of how annoying the text in the notification was.
https://developer.android.com/about/versions/12/behavior-cha...