Airbnb on Android just send a “Test, Test dev" push notification message

66 points by xoffeemuffins23 ↗ HN

99 comments

[ 3.4 ms ] story [ 168 ms ] thread
(comment deleted)
Yeeep they did, I got it too. https://imgur.com/a/Yoa1G4k
What phone do you have? 1 day 23 hours, I'm jealous of your battery life!
Pixel 4a. Recently I've not been using it excessively, so it's got quite an optimistic estimate. But if I'm careful it's possible.
Interesting, I've got a Pixel 4a 5G! I definitely don't get that sort of longevity out of a charge.
Yeah battery isn't so flash if I have cell network on. (reception is shocking here so leave it disable most of the time)
Same here, three minutes ago. Maybe their Key was leaked as well? I recall a similar issue happened with Firebase: https://cybernews.com/security/exposed-google-keys-leaves-bi...
Interesting, but why would an attacker push a notification like this to so many people?

Or did not many people get it? Could I be targeted, along with the others in this thread?

If the attacker really intended to send the notification to everyone (or even 10%), wouldn't that very likely get the attention of Airbnb, and then they'd know about the issue and be able to mitigate it?

Edit: assuming everyone got it, this seemed much more likely to be a mistake, to me. For example, someone working at Airbnb was testing something and accidentally did it in prod instead of dev. Otherwise, why not camouflage this as something more innocent, like an ad for Airbnb, saying something generic like "Check out our listings near you"?

Could be a POC for an attacker. If they got the ability to send out custom push notifications in the future they could contain malicious links.
Why not just send the links. This would tip off Airbnb to patch it.
But if so, why not try to camouflage it as something more generic, to try to avoid notifying Airbnb? I am tech savvy enough and have marketing notifications turned off, but I would assume that they are simply not honouring the setting somehow if I received an ad for Airbnb.

Now Airbnb knows to change their key or something if possible, and I'll be very suspicious of any notifications from any app in the future, especially Airbnb.

Oh could the attacker get information about whether or not I opened the app? Is the same key used to send notifications and access metrics that Firebase collects?
If it was a poc they just lost the ability to build the real attack by being way too noticeable. This issue has likely already been mitigated and will be patched up within days if not hours. Much more likely to be an honest mistake.
Just had the same notification. Can anyone else confirm this isn't some exploit being used?
Lol someone is getting fired!!!
Press F to pay respects
High up yes, not the dev who did this.
I just got that too in the uk
Oh thank god I was freaking out my first name is dev
don't know if related but when i opened it my phone rebooted with the boot logo for the os flashing (running a custom rom)
Did you have developer mode enabled on your device?
got it too. made me open the app. brilliant marketing campaign
Haha I considered this as a possibility for why it was sent... I don't ever open their app otherwise, I only ever installed it to receive messages from a host on a trip.

At the very least they might have wanted to understand a baseline for how many people will open a notification just to dig into the app and try to disable future notifications, regardless of how annoying the text in the notification was.

(comment deleted)
Got it also in France
Got it too in NL. Glad too see even the largest players make mistakes like this :)
Greece here, happened 2 minute ago
yep, just got in the Netherlands. Someone over there f*cked up!
I got this notification too. from usa
Greece here, happened to me 2 minute ago