Interesting, but why would an attacker push a notification like this to so many people?

Or did not many people get it? Could I be targeted, along with the others in this thread?

If the attacker really intended to send the notification to everyone (or even 10%), wouldn't that very likely get the attention of Airbnb, and then they'd know about the issue and be able to mitigate it?

Edit: assuming everyone got it, this seemed much more likely to be a mistake, to me. For example, someone working at Airbnb was testing something and accidentally did it in prod instead of dev. Otherwise, why not camouflage this as something more innocent, like an ad for Airbnb, saying something generic like "Check out our listings near you"?

Could be a POC for an attacker. If they got the ability to send out custom push notifications in the future they could contain malicious links.

But if so, why not try to camouflage it as something more generic, to try to avoid notifying Airbnb? I am tech savvy enough and have marketing notifications turned off, but I would assume that they are simply not honouring the setting somehow if I received an ad for Airbnb.

Now Airbnb knows to change their key or something if possible, and I'll be very suspicious of any notifications from any app in the future, especially Airbnb.

If it was a poc they just lost the ability to build the real attack by being way too noticeable. This issue has likely already been mitigated and will be patched up within days if not hours. Much more likely to be an honest mistake.

Why not just send the links. This would tip off Airbnb to patch it.

Oh could the attacker get information about whether or not I opened the app? Is the same key used to send notifications and access metrics that Firebase collects?