Got this suspicious notification on Google Hangouts, Microsoft Teams? You’re not alone
The messages didn’t contain any suggested links or demand any action from the recipient as well.
Users around the world got a strange message notification on Google Hangouts and Microsoft Teams. The message stated ‘Test Notification!!!!’. While this came from an anonymous user and seems spammy, Sophos Naked Security states that it might not be as serious as you think. The messages didn’t contain any suggested links or demand any action from the recipient as well. However, a security researcher going by the name ‘Abbs’ tried to replicate the fake notification to see if the anonymous user was trying to make a mass scale move that could have harmed millions of devices at a go.
And as it turns out, the researcher was able to replicate the same experiment. Abss noticed that many mainstream Android apps use a notification interface provided by Google known as FCM, short for Firebase Cloud Messaging. Abss also found a way to deliver rogue messages by making a specific sort of HTTP request to the FCM service interface. This was done using ‘Topics’.
As explained by the report, “Topics are server side attributes that define a collection. For example, an application could define a topic called “news” and group users interested in the news category so as to send them similar notifications at once instead of sending notifications to every individual separately.”
While this was on Google’s Hangouts, Microsoft quickly started investigating the problem when the same message notifications reached Microsoft Teams app. The company however, also tweeted about it and said that it has “isolated the source of the issue and applied a mitigation.”
Our investigation has determined that this issue affects Android users specifically, and we're working on applying a mitigation. We recommend dismissing these notifications without interacting with them.— Microsoft 365 Status (@MSFT365Status) August 27, 2020
The researcher however, says that in case you make or support an app that uses FCM, you will probably have to review who can access your authentication tokens. You may even have to delete your old server keys.