The Sleeping Agent Vulnerability: How Web Push Notifications Can Become Silent Attack Vectors

May 18, 2026. Tags: web-security, service-workers, push-notifications, vulnerability, api-security, web-platform, browser-security, exploitation

The Silent Threat You Never See Coming

Web Push notifications have become a cornerstone of modern web applications—from real-time collaboration tools to critical alert systems. But what happens when the very mechanism designed to keep users informed becomes a backdoor for silent, persistent attacks?

Enter the Sleeping Agent vulnerability, a sophisticated exploit that weaponizes a timing gap in how browsers enforce Web Push API security requirements.

Understanding the Attack Surface

The Web Push API includes a critical safety feature: the userVisibleOnly: true option. This requirement is meant to be a "symbolic agreement" between the web application and the browser: a promise that every push message received will result in a visible notification for the user.

The theory is sound. The implementation? Not so much.

Here's where Sleeping Agent exploits the gap:

A malicious Service Worker receives a push event and immediately performs two API calls in rapid succession:

  1. showNotification() - displays the notification
  2. notification.close() - removes it from the screen before the user can see it

The notification appears in the browser's internal notification database for a split second, then vanishes. The critical detail is that when the browser's enforcement check runs, it queries that notification database rather than the live display surface. That completes the race: the browser believes a notification was shown, the user sees nothing, and the attacker's command-and-control channel stays active and invisible.

Why This Matters

This vulnerability doesn't just bypass a checkbox—it undermines the trust model of the entire Push API ecosystem:

Silent persistence: Attackers establish long-lived communication channels without user awareness. Traditional malware requires installation and execution. Web Push requires only that a user visits a compromised website once.

Compliance circumvention: Compliance frameworks rely on visible notifications as a trust boundary. This attack erases that boundary.

Cross-browser impact: multiple browser engines are affected: Chrome, Edge, and even Safari before 26.5. The vulnerability is reproducible and consistent.

Low barrier to entry: no complex exploit kit is needed; the attack is reproducible in five minutes on stable browser versions.

The Technical Deep Dive

The vulnerability exists because the browser's enforcement check runs only after the Service Worker's push handler has finished. Here's the sequence:

  1. Push event arrives
  2. Service Worker executes showNotification() and notification.close() in rapid succession
  3. Service Worker completes
  4. Browser checks: "Did we show a notification?" by querying the database
  5. Database has a record (even though the notification is already gone from the display)
  6. Enforcement check passes
  7. Push event is considered valid

The timing window is tight, but consistent enough to exploit reliably.

What This Means for Developers

If you're building web applications that use Push notifications, several questions deserve your attention:

Are your Service Workers audited for unexpected notification behavior? If a third-party script compromises your service worker, this vulnerability becomes your security problem.

Do you monitor notification lifecycle events? Implementing analytics or monitoring around showNotification() and close() calls could help detect suspicious patterns, such as a close() that follows showNotification() before a user could have seen anything.

Are you validating the source of push messages? Add cryptographic verification so that your service worker only acts on push events that originate from your legitimate server, not from an attacker's command channel.

The Broader Implications

This vulnerability highlights a fundamental challenge in web platform security: the gap between specification intent and implementation reality. The W3C specification clearly states browsers SHOULD enforce user visibility. The enforcement mechanism, however, checks the wrong thing: the database instead of the visible surface.

It's a reminder that security requirements are only as strong as their enforcement mechanisms. Symbolic agreements aren't enough.

Moving Forward

Browser vendors are aware of the issue, and fixes are in progress. If you're running production systems:

  1. Monitor your Service Worker behavior for suspicious notification patterns
  2. Implement server-side verification of legitimate push senders
  3. Keep browsers updated as vendors patch the enforcement checks
  4. Consider your threat model when using Web Push for sensitive operations

The Web Push API remains incredibly valuable for legitimate use cases. But like any powerful platform feature, it requires careful consideration of both its benefits and its attack surface.

The Sleeping Agent vulnerability is a wake-up call—literally—that even well-intentioned safety mechanisms can have gaps worth exploiting. Staying informed and implementing defense-in-depth practices is how we keep our applications and users protected.
