
Web Push userVisibleOnly bypass enabled silent persistent C2 on Chrome, Edge, and pre-26.5 Safari
Disclosure write-up on a Web Push spec violation across 7 browsers and 4 push backends. The userVisibleOnly: true requirement was not enforced at the Service Worker layer: a showNotification() followed by an immediate close() (or zero-byte body, or tag collision) passed the visibility check while displaying nothing to the user. Result: an attacker with notification permission could wake the Service Worker on a server-controlled schedule via FCM/WNS/APNs without any UI indicator, turning Web Push into a covert C2 channel.
Submitted to Apple, Microsoft, Google, and Mozilla in February 2026.
• Apple: shipped a fix in Safari 26.5 on May 11; mention only, no CVE, no bounty.
• Microsoft: closed twice, declined CVE, tied Edge’s fix to the upstream Chromium patch.
• Google: classified the underlying bug (485535962) as Sev-Low. Patch (CL 7767797) is green at patchset 11, CQ+1, awaiting merge. Embargo lifts May 20.
• Mozilla: not affected by the showNotification/close race in the same form.
Total payout across 4 vendors: $0.
Full write-up, PoC video, vendor timelines, and Chrome security team’s reasoning:
https://bountyy.fi/blog/sleeping-agent-web-push
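
A defender-side triage check for the showNotification()/close() pattern described above, as an added example that is not from the write-up or any vendor: a regex heuristic that flags Service Worker push handlers where a close() call follows showNotification(). The function names, rule name and sample fragments are constructed here, and the zero-byte body and tag collision variants are not covered.

```javascript
// Added example: triage heuristic, regex-based (not a JavaScript parser).
// Covers addEventListener('push', ...) only; `onpush =` handlers are not handled.

// Return the argument text of every addEventListener('push', ...) call.
function pushHandlerBodies(source) {
  const bodies = [];
  const re = /addEventListener\s*\(\s*['"`]push['"`]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const start = source.indexOf('(', m.index);
    let depth = 0;
    let i = start;
    for (; i < source.length; i++) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')' && --depth === 0) break;
    }
    bodies.push(source.slice(start, i + 1));
  }
  return bodies;
}

// Flag push handlers where a close() call appears after showNotification().
function auditServiceWorker(source) {
  const findings = [];
  pushHandlerBodies(source).forEach((body, index) => {
    const shown = body.search(/\.showNotification\s*\(/);
    if (shown !== -1 && /\.close\s*\(\s*\)/.test(body.slice(shown))) {
      findings.push({ handler: index, rule: 'close-after-showNotification' });
    }
  });
  return findings;
}

// Constructed samples (schematic fragments, not taken from the write-up).
const BENIGN = `
self.addEventListener('push', (event) => {
  stale.close(); // closing an older notification before showing a new one
  event.waitUntil(self.registration.showNotification(d.title, { body: d.body }));
});
self.addEventListener('notificationclick', (event) => { event.notification.close(); });`;

const SUSPECT = `
self.addEventListener('push', (event) => {
  event.waitUntil(reg.showNotification(title, opts).then(() => note.close()));
});`;

console.log(auditServiceWorker(BENIGN), auditServiceWorker(SUSPECT));
```

A hit is a prompt for manual review, since braces or parentheses inside strings and comments can confuse the matching and a close() after a delay can be legitimate.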