While preparing to do a system update (Sonoma 14.2.1) on my 24" M3 iMac, I noticed these system notifications. Since macOS runs on a sealed system, this seemed bogus. Running both ClamXav and Malwarebytes (free version) confirmed there were no infections. Clicking on one of the Notifications takes me to a shady website that claims the Mac is infected and to Click Here to clean your Mac. Yeah, no thanks.
I proceeded with the macOS system update. The Notifications continued to appear. Next, I cleared all Safari history and cookies (including one that was associated with the shady web site).
Finally, I did a Safe Boot to clear caches and that seems to have worked.
There is a discussion on the Apple forums - but the "solution" is to turn off Notification rather than to clean up the cookies and other cruft.
Various apps give notifications for events so I would look in that system preference and see if there is some app that was inadvertently downloaded and is giving off these notifications assuming they are fake.
Read the Apple Discussions. It appears that the OP gave permission for a website to post notifications through Safari, and the website has used the Apple System Preferences icon as "their" icon, so it shows up in the notifications. Pretty smart if you ask me.
I can sort of understand why you would want notifications "in Safari" to come through even when Safari isn't running (like, "I want to subscribe to updates to this thread on TidBITs"), but there is a downside when the source of the notification is obscured like this.
The iMac is my wife's computer so she would have done that. However, in looking through website notification permissions I found none had been granted - to any site. Once I flushed all the cookies and assorted cruft and did the reboot the problem ended.
And you had looked through the website notification permissions before you flushed everything? If so, then it begs the question of how these notifications could have gotten through.
Hmmm... I did clear cookies from within Safari (Settings > Security > Manage Website Data...) as a first attempt. Later, I used Cookie.app to deep clean on cookies and stored databases. Finally, I checked Safari Settings > Websites > Notifications. No sites were listed.
Fairly certain that was the order I did my troubleshooting - but I didn't take notes.
This is troubling, but almost appears to be exploiting a sort of social engineering loophole (assuming these Notifications did not come directly from System Prefs or macOS itself). Very curious.
This is another reason why I never use the baked-in browser if at all possible. That is not to say Firefox would never allow something equally dubious, but there is an extra layer of control when the browser is NOT integrated with the system. I also do not permit notifications from browsers as a rule.
This nice example for nefarious behavior suggests Apple might want to change their notifications. They should use one style that is reserved for system notifications, such as updates are available. Use another for all browser-based notifications. That way users can learn to easily distinguish between macOS notifications (likely safe) and notifications from some website (likely garbage). Browser-based notifications such as this one can perhaps spoof a system icon in an attempt to trick users, but they cannot change the overall notification style. Apple controls that and IMHO they should exploit that for cases like this (I'm assuming they actually see value in browser-based notifications and thus are not removing this "feature").
Me personally, I don't have a single browser-based notification allowed. Any site that has asked me in the past got rejected. Never saw any value in that. I can check myself for updates on sites I'm actually interested in.
I don't think that will make any difference except annoy people who use browser notifications and web developers who will complain that Apple is purposely making web apps worse.
The kinds of people who will fall for this kind of scam are not going to notice or pay attention to stylistic differences in app vs web notification bubbles. They'll see the notification and click on it.
(Fwiw, I don't use web notifications much but they're useful on for instance Discourse sites like this one. And it's nice that the notifications are "native" and not some jarring looking second class citizen.)
Notifications should always indicate the app they come from. Notifications generated by web browsers should always identify the browser. Hiding the notification's source to pretend that a web site is a top-level app is the root cause of this problem, IMO.
For the Installer, there's always a button in the upper-right corner you can click on to get the authentication certificate chain, in order to verify the source of the installer. And secure web sites have a link to verify the site's certificate.
Notifications need a similar link somewhere. This would let you, with a single click/tap identify the source. If it's coming from Apple, you can take one action. And if it's coming from some random malware/ad server in Upper Slobobia, you can take a completely different action.
To expand on this, here's a very interesting article by Howard Oakley on a different topic (Keychain authentication dialogs), but just see how he demonstrates how many clues these dialogs offer to let users verify they're legit. Howard explains in detail how to understand such a panel and what to check for to make sure it's legit.
I'm thinking if notifications (including those coming from websites) offered more detail (instead of just an icon that the potentially malicious website actor gets to choose), it would be much easier to teach people what to look out for to make sure you don't get duped like in the examples @david_blanchard provided us with here.
Much more useful than the browser would be for them to identify the domain generating the notification (which would align with what @Simon suggests just above this post).