The headline seems pretty misleading. Here’s what seems to actually be going on:
> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.
This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.
I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
lastofthemojito 28 minutes ago [-]
> this is why I run ad blockers.
It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".
fallinditch 7 minutes ago [-]
I asked an LLM to create a plan for a 'digital rebirth' in order to minimize privacy harms. It's a lot of work, but increasingly a worthwhile endeavor.
unmole 9 minutes ago [-]
> and if everyone actually listened, much of the Internet (and economy) as we know it would disappear.
Would it really? It seems to me that most normal users spend most of their time and attention on apps, not in browsers.
j45 18 minutes ago [-]
Ad blockers focus on ads, not fingerprinting.
ronjouch 12 minutes ago [-]
"Ad blockers" nowadays do much more. From the horse’s mouth, which describes itself as a “wide-spectrum content blocker” [1]:
“uBlock Origin (uBO) is a CPU and memory-efficient wide-spectrum content blocker for Chromium and Firefox. It blocks ads, trackers, coin miners, popups, annoying anti-blockers, malware sites, etc., by default using EasyList, EasyPrivacy, Peter Lowe's Blocklist, Online Malicious URL Blocklist, and uBO filter lists. There are many other lists available to block even more [...]
Ads, "unintrusive" or not, are just the visible portion of the privacy-invading means entering your browser when you visit most sites. uBO's primary goal is to help users neutralize these privacy-invading methods in a way that welcomes those users who do not wish to use more technical means.”
Go try it with fingerprint.com. Even post-sanitization, pi-hole, you name it, it will be surprising.
nickburns 14 minutes ago [-]
Is there a meaningful difference?
al_borland 52 minutes ago [-]
> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.
An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.
haswell 46 minutes ago [-]
[dead]
armchairhacker 21 minutes ago [-]
Regulation is also a cat-and-mouse game. Life is a cat-and-mouse game.
nanocat 8 minutes ago [-]
[flagged]
tpoacher 23 seconds ago [-]
I get the point you're making, but to be clear, "they’re checking to see if you’re a Muslim" vs "they’re checking to see if your fingerprint matches that of known Muslims in our ever-expanding database" are not too far off.
andersonpico 43 minutes ago [-]
How is probing your browser for installed extensions not "scanning your computer"?
Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.
> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.
haswell 22 minutes ago [-]
> How is probing your browser for installed extensions not "scanning your computer"?
I think most people would interpret “scanning your computer” as breaking out of the confines of the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.
> They chose to put that particular extension in their target list, how is it not sinister?
Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”
What the article describes sounds like what many devs would land on given the browser APIs available.
To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I think they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
emacdona 8 minutes ago [-]
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
100% Agree.
So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.
Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...
afandian 39 minutes ago [-]
When "the browser is the OS", scanning that is a pretty big chunk of "your computer".
chii 36 minutes ago [-]
but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.
If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".
The title ought to have said "LinkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.
blenderob 31 minutes ago [-]
> but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.
But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.
pqtyw 29 minutes ago [-]
Extensions are files installed on your computer, though?
chii 22 minutes ago [-]
it doesn't have to be files. it could be in memory on the browser. Extensions don't imply files for anyone but the most technical of conversations. Certainly not to the laymen.
Having sensationalist titles should be called out at every opportunity.
latkin 25 minutes ago [-]
And I spend a lot of my time at home on my computer. The article should have said LinkedIn is searching my house.
taneq 34 minutes ago [-]
This is just the next iteration of the issues with Linux file permissions, where the original threat model was “the computer is used by many users who need protection from each other”, and which no longer makes much sense in a world of “the computer is used by one or more users who need protection from each other and also from the huge amounts of potentially malicious remote code they constantly execute”.
1shooner 21 minutes ago [-]
> Calling the title misleading because they didn't breach the browser sandbox is wrong
By this logic we could also say that LinkedIn scans your home network.
injidup 31 minutes ago [-]
In the same way that scanning and identifying your microwave for food you put inside it is not the same as scanning your house and reading the letters in your postbox.
Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.
j45 28 minutes ago [-]
There are rules and laws about fingerprinting too, I thought.
replwoacause 59 minutes ago [-]
I disagree, I think we should push back hard on behavior like this. What business is it of LinkedIn's what browser extensions I have installed? I think the framing for this is appropriate.
kps 55 minutes ago [-]
Why is it possible for a web site to determine what browser extensions I have installed? If there are legitimate uses, why isn't this gated behind a permission prompt, like things like location and camera?
haswell 49 minutes ago [-]
This, to me, seems like the more salient point. A headline like “Major browsers allow websites to see your installed extensions” seems more appropriate here.
We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to construct unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.
acheron 25 minutes ago [-]
This is a Chrome thing. It’s a safe bet that if you use Google products you don’t care about privacy anyway. “Google product collects info about you: news at 11.”
armadyl 8 minutes ago [-]
> This is a Chrome thing.
This is blatant misinformation. Firefox (and all of its derivatives) also does this.
Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone else unless you ask them to.
dmoose 12 minutes ago [-]
Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone who hasn't paid them for it or can compel them to give it up.
roblabla 42 minutes ago [-]
It does two things:
1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.
2. Scan the DOM, look for nodes containing "chrome-extension://" within them (for instance because they link to an internal resource)
It's pretty obvious why the second one works, and that "feels alright" - if an extension modifies the DOM, then it's going to leave traces behind that the page might be able to pick up on.
The first one is super problematic to me though, as it means that even extensions that don't interact with the page at all can be detected. It's unclear to me whether an extension can protect itself against it.
dlenski 14 minutes ago [-]
> 1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.
Big +1 to that.
The charitable interpretation is that this behavior is simply an oversight by Google, a pretty massive one at that, which they have been slow to correct.
The less-charitable interpretation is that it has served Google's interests to maintain this (mis)feature of its browser. Likely, Google or its partners use techniques similar to what LinkedIn/Microsoft use.
This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.
The more-fully-open-source Mozilla Firefox browser seems to have had no difficulty in recognizing the issues with static extension IDs and randomizing them since forever (https://harshityadav.in/posts/Linkedins-Fingerprinting), just as Firefox continues to support ManifestV2 and more effective ad-blocking, with no issues.
taneq 21 minutes ago [-]
Agreed, but also, permission prompts are way overused and often meaningless to anyone at all, even fellow software engineers. “This program [program.exe] wants to do stuff, yes/no?” How should I know what’s safe to say yes to?
I think Android’s ‘permissions’ early on (maybe it’s improved?) and Microsoft’s blanket ‘this program wants to do things’ authorisation pop up have set a standard here that we shouldn’t still be following.
MagicMoonlight 40 minutes ago [-]
Who makes browsers? Ad companies.
Of course Google is going to back door their browser.
chimeracoder 30 minutes ago [-]
> Who makes browsers? Ad companies.
> Of course Google is going to back door their browser.
Aside from the fact that other browsers exist, this makes no sense because Google would stand to gain more by being the only entity that can surveil the user this way, vs. allowing others to collect data on the user without having to go through Google's services (and pay them).
Aurornis 29 minutes ago [-]
> What business is it of LinkedIn's what browser extensions I have installed?
The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn last time this was posted: Extensions to scrape your LinkedIn session and extract contact info for lead lists, extensions to generate AI message spam.
That seems like fair game for their business.
tartoran 22 minutes ago [-]
And instead LinkedIn is scraping all users' computers?
52-6F-62 16 minutes ago [-]
Sounds a little like "OpenAI must protect itself against copyright infringement by any means necessary, including copyright infringement of everyone else"
haswell 55 minutes ago [-]
To broaden my point, I think we’d find that many websites we use are doing this.
My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.
My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.
devy 49 minutes ago [-]
> To broaden my point, I think we’d find that many websites we use are doing this.
Your point of "I think we’d find that many websites we use are doing this" doesn't make LinkedIn's behavior ok!
By your logic, if our privacy rights are invaded, which is illegal in most jurisdictions, then it becomes ok because many companies do illegal things??
haswell 40 minutes ago [-]
Absolutely not. At no point am I saying this is ok.
I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.
If anything, the article undersells the scale of the issue.
coldpie 19 minutes ago [-]
You really need to work on your reading comprehension, dude.
casey2 43 minutes ago [-]
[flagged]
VladVladikoff 48 minutes ago [-]
It is likely in response to scraping. LinkedIn is heavily scraped by scammers who do the BEC scams. So LinkedIn is trying to find ways to link together banned accounts, to handle their ban evasion.
I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious; its entire purpose is literally to make the website more enjoyable for the good users.
dweinus 37 minutes ago [-]
Understandable, and yet none of that makes it ok.
Aurornis 34 minutes ago [-]
This has been covered several times including reverse engineering of the code. The list of extensions they check for doesn’t include common extensions like ad blockers. It’s exclusively full of LinkedIn spamming and scraping type of extensions.
They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.
By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.
If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.
honzaik 25 minutes ago [-]
It apparently scans for something like "PQC Checker", an extension for checking if a TLS connection is PQC-enabled? How is that a spam extension? (And that's just a random one I saw.)
Aurornis 20 minutes ago [-]
Probably compromised extensions or misleading extensions.
It’s common for malware extensions to disguise themselves as something simple and useful to try to trick a large audience into installing them.
That’s why the list includes things like an “Islamic content filter” and “anti-Zionist tagger” as well as “neurodivergent” tools. They look for trending topics and repackage the scraper with a new name. Most people only install extensions but never remove them if they don’t work.
honzaik 19 minutes ago [-]
Well, if they have evidence, why don't they report it? Why are these extensions on the store? I'm sure LinkedIn has enough motion to report it directly to Google.
Also, having a PQC-enabled extension doesn't seem like a good "large user base capture" tactic.
The source code is, as usual, obfuscated React, but that doesn't mean it's malicious...
EDIT: I debugged the extension quickly and it doesn't seem to do anything malicious. It only sends an https://pqc-extension.vercel.app/?hostname=[domain] request to this backend, to which it has permissions. It doesn't seem to exfiltrate anything else.
catlifeonmars 9 minutes ago [-]
[delayed]
pqtyw 31 minutes ago [-]
> no available getAllExtensions()
Well, great, there is no available 'getAllFiles()' or such either, because they'd be scanning your files for "fingerprinting" as well.
> alarmist framing
Well, they're literally searching your computer for applications/extensions that you have installed? (And to an extent you can infer what some of the desktop applications you have are based on that too.)
RankingMember 12 minutes ago [-]
> this is why I run ad blockers.
What's been really obnoxious lately is the number of sites I try to do things on that are straight up broken without turning off my ad-blocker.
inetknght 29 minutes ago [-]
> the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.
It absolutely is sinister.
neya 43 minutes ago [-]
> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
We should not normalise nor accept this behaviour in the first place.
jredwards 30 minutes ago [-]
I've been avoiding Chrome-based browsers for many years now but have only recently become aware of how catastrophically low the Firefox market share is. I'm kind of shocked that more people aren't choosing to avoid Chrome.
wat10000 3 minutes ago [-]
Your post sounds like "it sounds bad, but it's no different from what others do, so it's not that bad."
I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.
The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.
It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.
giancarlostoro 37 minutes ago [-]
> It also seems like what I’d expect to find in modern browser fingerprinting code.
Time to figure out if I can make Firefox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...
nkrisc 42 minutes ago [-]
> i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”
But I bet they could reliably guess your religious affiliation based on the presence of some specific browser extensions.
caminante 25 minutes ago [-]
They already have so much telemetry from your phone, IP, etc.
God forbid they make an educated guess based on your actual LinkedIn connections, name, interests, etc.
MisterTea 36 minutes ago [-]
> The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.
Why is this even possible in the first place? It's nobody's business what extensions I have installed.
j45 25 minutes ago [-]
There are clear rules around what you can and can't do to fingerprint users. If it's being done overtly, covertly, obscurely, indirectly, all for the same result through direct or indirect or correlated metadata, it ends up with the same outcome.
My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.
j45 28 minutes ago [-]
I wonder if this is part of the reason why LinkedIn tabs seem to use so much ram, and sometimes run away CPU processes.
j45 18 minutes ago [-]
> "they're checking to see if you're a Muslim"
This could be easily inferred from the depth, breadth, and interconnectedness of data in the website.
By downplaying it, it's allowing it to exist and do the very thing.
The issue here is this stuff is working likely despite ad blockers.
Fingerprinting technology can do a lot more than just what can be learned from ads.
From the site:
"The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none." https://browsergate.eu/extensions/
fp64 47 minutes ago [-]
[dead]
mentalgear 55 minutes ago [-]
> The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them
And probably also vibe-coded therefore 2 tabs of LinkedIn take up 1GB of RAM (was on the front page a few days back).
tiku 2 minutes ago [-]
I remember the LinkedIn app that got all your contacts from your phone and tried to add them to your network. I had random people from internet deals (local craigslist) that were popping up. So strange that this was allowed.
VladVladikoff 51 minutes ago [-]
>The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.
OMG, is literally every article written with LLMs these days? I just can't anymore. It's all so tiring.
grub5000 39 minutes ago [-]
This is incredibly normal language and quite close to how I would write this quote, so what makes you think this is LLM text?
GavinMcG 7 minutes ago [-]
It’s the fake drama. Punchy sentences. Contrast. And then? A banal payoff.
ocimbote 3 minutes ago [-]
You're absolutely right.
an0malous 22 minutes ago [-]
I get it — it can be frustrating to encounter so much low effort AI content these days. But I think it’s worth looking at the bright side here: the increase in our production of entropy from GPU consumption will hasten the heat death of the universe.
Would you like me to suggest some AI summarizer tools you could use to more efficiently read AI generated content in the meantime?
nusl 1 minutes ago [-]
Why don't we train LLMs on the entire internet every day? Then we don't even need to read anything. Reading is something people did in 2025
jijijijij 3 minutes ago [-]
Nice try, but you em-dashed like a filthy human. The drone has been dispatched.
Arubis 25 minutes ago [-]
Reading (and even more so, using the tools to produce) a bunch of LLM-output writing also affects one’s writing style. Ever sat down and blown through 3-4 books by a favorite author, then written something and found yourself using similar structure, word choice, style…? This could very well be a human author that’s been exposed to a lot of LLM output (ie 95% of this site’s audience).
I find myself doing this a lot, and I’m sure even more slips without my notice.
jack_ball 19 minutes ago [-]
I agree that that line reads GPT-like, but it's far from a conclusive tell. One option that I wonder about is if frequent interaction with AI will begin to influence people's organic writing style.
hybrid_study 21 minutes ago [-]
Who cares if it’s LLM written or assisted writing?
What matters is the content!
beejiu 21 minutes ago [-]
LLMs didn't invent the "Rule of Three".
blargh 34 minutes ago [-]
What makes you think that? And what sets your comment apart from being created by an LLM?
SecretDreams 46 minutes ago [-]
That's the intention. Make the internet so unbelievably shit that you just accept and move on.
ottah 31 minutes ago [-]
How is that quote in any way demonstrative of this being written by LLM? You do know that LLMs were trained on the internet and every digitized text they could get their hands on? You are jumping at shadows, calm down already.
andersonpico 1 hours ago [-]
this is a massive violation of trust
> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
Aurornis 26 minutes ago [-]
Many extensions designed to scrape data from social media websites are disguised as simple extensions that do something else.
If I had to guess: I sought that automatic content blurrer, neurodivergent website simplifier, or anti-Zionist tagger actually work. They’re all just piggybacking on trending topics to get users to install them and then forget about them, then they exfiltrate the data when you visit LinkedIn.
egorfine 38 minutes ago [-]
> this is a massive violation of trust
This is not. To violate trust, there should have been some.
chii 35 minutes ago [-]
There's an implicit trust that a site doesn't try to racially profile you, as it is illegal. There's no enforcement, but that's why trust is being violated.
gwerbin 44 minutes ago [-]
Almost certainly they are using that for audience segmentation and ad targeting. Clever and disgusting. This isn't the invention of some evil moustache-twirling executive, this was the invention of an employee or group of employees who value money more than morals. We should think of such employees as henchmen.
einpoklum 34 minutes ago [-]
If you mean by the website, then - surely not. What basis do you have to trust websites you visit? Especially a social network that is owned by Microsoft to boot?
If you mean the _browser_, then I agree in principle, but - it is a browser offered to you by Alphabet. And they are known for mass surveillance and use of personal information for all sorts of purposes, including passing copies to the US intelligence agencies.
But of course, this is what's promoted and suggested to people and installed by default on their phones, so even if it's Google/Alphabet, they should be pressured/coerced into respecting your privacy.
bethekidyouwant 43 minutes ago [-]
It scans thousands so in thousands, some of them have these weird names
arafeq 1 hours ago [-]
The part about scanning for 509 job search extensions is especially nasty. Imagine getting flagged to your employer because LinkedIn detected you had a job board extension installed.
al_borland 49 minutes ago [-]
Several years ago I heard the company I worked for say they had a way to get notified if it seemed like an employee might be thinking of leaving, so they could take some kind of action. I now wonder if LinkedIn, or various job sites, were selling them data.
Ajedi32 1 hours ago [-]
LinkedIn is a job board so that seems unlikely.
mikkupikku 1 hours ago [-]
Are you kidding? They've probably been selling a datastream of who in the company has been job searching to company HR departments the whole time. Search for a job on LinkedIn and I bet anybody with a paid corporate account can find that out if they care to.
bdangubic 1 hours ago [-]
LinkedIn is a job board as much as Facebook is picture-sharing website
debesyla 12 minutes ago [-]
Not in Lithuania. While it's not the No1 or 2,3 platform for job advertisements, it's still very popular, especially for IT and management jobs.
So this probably depends on the country.
gburgett 56 minutes ago [-]
The “how it works” page suggests it only works on Chrome-based browsers. Anyone able to determine if Firefox or Safari are affected too?
pamcake 51 minutes ago [-]
Firefox-based browsers not affected.
nottorp 29 minutes ago [-]
Hmm I opened linkedin in Firefox and ublock origin showed it blocked 4 items... then switched away and back and the counter was up to 12.
Is that enough blocking, I wonder?
tankenmate 3 minutes ago [-]
Firefox uses randomised IDs for installed extensions, so the method highlighted won't work on Firefox. That's not to say they aren't trying other methods on Firefox.
RunningDroid 50 minutes ago [-]
[dead]
daft_pink 3 minutes ago [-]
I don’t understand how browser security would allow LinkedIn to search my computer?
z3ratul163071 1 hours ago [-]
Why would the browser ever expose an extensions API to a web page? Does Firefox do this as well?
Panda4 57 minutes ago [-]
> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.
It's not clear, though, whether they only tested against Chrome-based browsers or Firefox isn't enabling them to do so.
edit: I answered before I went fully through the article, but it does say it's only Chrome-based.
> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.
> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.
OoooooooO 50 minutes ago [-]
Firefox uses UUID for the local extension url per extension so you can't search for hardcoded local urls.
dylan604 50 minutes ago [-]
What is a Chrome-based browser? Isn't Chrome Google's Chromium based browser? How many are based on Chrome?
andersonpico 34 minutes ago [-]
From "The Attack: How it works", it's just checking the user agent string:
// s() is the minified isUserAgentChrome(): a plain substring test on the UA string
function s() {
return window?.navigator?.userAgent?.indexOf("Chrome") > -1;
}
// a() is presumably the minified isBrowser() (skips server-side rendering); both must pass
if (!a() || !s()) return;
Panda4 27 minutes ago [-]
> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.
ceejayoz 1 hours ago [-]
The "The Attack: How it works" section explains how it works. It's not an API.
I am a little surprised something like CORS doesn't apply to it, though.
acorn221 52 minutes ago [-]
So these extensions allow linkedin to do this though, it's literally them saying "yes, this site can ping this resource" - called "web_accessible_resources".
This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.
thom 56 minutes ago [-]
I was under the impression Firefox randomises extension IDs on install, so hopefully not?
Raed667 47 minutes ago [-]
they seem to be calling `chrome-extension://.....` so i don't think it applies to firefox
hmokiguess 5 minutes ago [-]
Separate question, why isn't this kind of stuff something the browser restricts access to or puts behind an approval gate to the end user?
red_admiral 32 minutes ago [-]
"searching your computer" -> using standard web fingerprinting techniques. They don't actually get to read your home directory, and the authors should be honest about this!
seamossfet 1 hours ago [-]
I wonder how much of this is also used for audience segmentation for their advertisements? Linkedin ads are some of the most expensive out of any social media platform, but they also tend to have the highest conversion since you can get pretty niche with your targeting.
devy 51 minutes ago [-]
LinkedIn has been the weirdest social network for a long time.
What scanning for browser extensions taught me about B2B sales
hmokiguess 45 minutes ago [-]
This website was difficult to follow but I found that this page https://browsergate.eu/extensions/ was the most helpful to understand what they were talking about
Essentially, they are labelling you, like most do, but against some interesting profiles given the kinds of extensions they are scanning for
llacb47 27 minutes ago [-]
This title should be changed as no court found this is illegal, and this is pretty standard, if extensive, browser fingerprinting, however disagreeable it is
caminante 14 minutes ago [-]
I agree.
I'm not convinced by their page explaining "Why it's illegal and potentially criminal" [0]. It's written by security researchers and non-attorneys.
For example, this characterization seems overly broad:
> The Court of Justice of the European Union has ruled, in three separate cases, that data which allows someone to infer or deduce protected characteristics is covered by this prohibition, regardless of whether the company intended to collect sensitive data.
TFA explains it is looking for installed browser extensions (which sites are allowed to do)
mrgoldenbrown 27 minutes ago [-]
TFA goes into a lot of detail explaining why they "allegedly" aren't actually allowed to do so in the EU.
Someone 54 minutes ago [-]
https://browsergate.eu/how-it-works/: “Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions”
⇒ which Chrome allows sites to do.
cedilla 54 minutes ago [-]
Allowed to do? Not prevented from by technical measures, but certainly not allowed to do.
Considering the goal is to identify people, this is undeniably PII. As the article demonstrates, it also pertains sensitive information.
cwillu 53 minutes ago [-]
Well, they're able to do it; “allowed” to do it is an ambiguous enough phrasing that it's practically begging to have an argument whose crux is fundamentally about a differing interpretation.
RajT88 43 minutes ago [-]
The author suggests a legal remedy instead of a technical one.
Which is weird, because that is undeniably the hard way. Lobby Google to add protections to Chromium.
breppp 44 minutes ago [-]
it can in the fantasy world of incorrect headlines
crest 60 minutes ago [-]
The title is clickbaity. The website scans the browser for installed extensions.
esseph 50 minutes ago [-]
While you're at it, you should also find out why a website can scan your internal network...
Joeboy 59 minutes ago [-]
The most obvious reason for this is browser fingerprinting, right? So your visits to other websites can be linked to your Linkedin identity? Or no?
glenstein 48 minutes ago [-]
They also try to profile for things like political beliefs.
Someone 30 minutes ago [-]
I don’t see this article showing that. They query for extensions that could be used to do that, and that likely already is illegal, but those queries could solely be used to uniquely identify users (grabbing more bits makes it less likely to get collisions)
ericyd 60 minutes ago [-]
I don't like any of this, but I'm not totally clear how this is substantially different from other fingerprinting technologies which I assume are used by every large tech company. Could anyone elaborate? The post isn't very clear why this is different from other data surveillance.
cedilla 58 minutes ago [-]
If other people collect data like that it's probably also illegal.
arndt 51 minutes ago [-]
Is there a way to disable the ability for websites to scan for extensions in Chrome?
Nope, which is why Chrome exists, to allow Google to do this. Which is why you should avoid chromium.
mentalgear 57 minutes ago [-]
Interesting. I didn't know a extension’s web-accessible resource (e.g. chrome-extension://<id>/...) could be abused to learn about the user's installed extensions by checking whether it resolves or not.
davidmurdoch 55 minutes ago [-]
You would need to use use_dynamic_url: true in the manifest to create a unique one.
acorn221 52 minutes ago [-]
Yeah, this is the easiest way to get around it
philipwhiuk 28 minutes ago [-]
Or just not allow them to load the URIs at all
nticompass 46 minutes ago [-]
> Every time you open LinkedIn in a Chrome[actually Chromium]-based browser
There's a reason I continue to use Firefox (with uBlock Origin) and will never switch.
Also, when I got laid off from a previous job, I made a LinkedIn profile to help find a new job. Once I found a new job, I haven't logged into LinkedIn since - that was almost 2 years ago.
hnburnsy 27 minutes ago [-]
Go check out QueryAllPackages permission on Android and see which of your apps can scan and know about all the other apps on your Phone. Thanks Google!
pier25 52 minutes ago [-]
I always use LinkedIn and Meta websites in a different browser altogether.
I hope browsers in the future will need to ask for permission before doing any of that.
dt3ft 45 minutes ago [-]
If you use both from the same IP without using a VPN… the profiles are most certainly grouped. There are commercial datasets on IP addresses with almost 100% accuracy with tags like “school”, “house”, “apartment block” etc. Furthermore, if you ever logged into both sites from within the same browser by accident, the link by fingerprinting was made right there and then. The final profile on you may not be 100% accurate, but certainly is in the 98% range.
gwerbin 41 minutes ago [-]
It's one thing if they have a shadow profile on you (and dozens of companies almost certainly do), but it's another thing if you give them meaningful info about you to enrich that profile with. They can figure out roughly what block you live on, OK fine, but unless you're in a rural area with no neighbors they might not be able to do much better than that.
laughing_snyder 22 minutes ago [-]
Directly on the landing page:
> Microsoft has 33,000 employees
this should probably be LinkedIn, not Microsoft.
sumanep 55 minutes ago [-]
Bait, just look at browser addons, millions of sites do it as well
badgersnake 18 minutes ago [-]
Therefore it’s okay, is that your point? Because I don’t think it is.
secretsatan 9 minutes ago [-]
Just use Safari, it won't even load the page half the time.
everdrive 54 minutes ago [-]
Sounds like containers and potentially adblocking and js blocking prevent this. For my part, I use linked in on my "god dammnit I hate corporate websites so much" browser which is used only for medical bill pay and amazon / wal mart purchases and then monthly bills. Could LinkedIn get something from me there? Potentially, but they're also not really following me around the web. I think given this I'll go install a 3rd browser for linkedin only, or maybe finally just delete my account. It never got me a job and it's a cesspool.
notafox 32 minutes ago [-]
You can use Firefox with different profiles and configure it to launch a particular profile directly, without launching the default profile and using about:profiles.
Firefox with a non-default profile can be created like that:
./firefox -CreateProfile "profile-name /home/user/.mozilla/firefox/profile-dir/"
# For linkedin that would be:
./firefox -CreateProfile "linkedin /home/user/.mozilla/firefox/linkedin/"
And you can launch it like that:
./firefox -profile "/home/user/.mozilla/firefox/profile-dir/"
# For linkedin that would be:
./firefox -profile "/home/user/.mozilla/firefox/linkedin/"
So, given that /usr/bin/firefox is just a shell script, you can
- create a copy of it, say, /usr/bin/firefox-linkedin
- adjust the relevant line, adding the -profile argument
If you use an icon to run firefox (say, /usr/share/applications/firefox.desktop), you'll need to do the same copy/adjust step for the icon.
Of course, "./firefox" from examples above should be replaced with the actual path to executable. For default installation of Firefox the path would be in /usr/bin/firefox script.
So, you can have separate profiles for something sensitive/invasive (linkedin, shops, etc.) and then you can have a separate profile for everything else.
And each profile can have its own set of extensions.
mikkupikku 1 hours ago [-]
LinkedIn has been overtly evil for decades, and their power users are the most insufferable sort of middle management yuppy scum. I know job searching can be hard, but I don't go near LinkedIn with a ten foot pole.
anon22981 1 hours ago [-]
I really like going to linkedin daily to play minisudoku and a couple of other puzzles, then never engage the feed or other features
jameskilton 60 minutes ago [-]
Why would you go to LinkedIn to play puzzle games? There's thousands of other places to do so.
butlike 29 minutes ago [-]
This is really delightfully quirky
free_bip 1 hours ago [-]
They only mention this being a potential violation of the DMA. How about north american countries? US and Canada?
acorn221 1 hours ago [-]
This gave someone the opportunity to add in "Jeffery_Epstein_did_not_kill_himself" to linkedin's client facing code base through this.
If you open dev tools -> network tab -> network search icon (magnifying glass) -> search for "epstein" and load up linkedin, you should see it for yourself too!
I really don't think they're "illegally" searching your computer, they're checking for sloppy extensions that let linkedin know they're there because of bad design.
hcfman 1 hours ago [-]
I hate the way they just started saying you have a new message when you really don't. Now I'm going to miss when I really have new messages for a while because I'm not going to go to that site anymore when they say that.
And not letting you read your messages when on your mobile phone unless you use their app is particularly mean. Considering again where they are sending all the information they scrape.
trey-jones 40 minutes ago [-]
The fact that every job application wants a link to my profile on a platform that tries to push "brain training puzzle and games" on me just makes me angry every single time. I really hate LinkedIn and my active rebellion against it is hurting my ability to find a new job.
I know there has been other LinkedIn hate on HN this week. I know they have some good tools for job searching and hiring. I still wish we as a society could move on and leave this one with MySpace.
Browsers almost need a firewall against websites for the functions and scans being run on it by websites.
Different browsers have various settings available, but do we have a little snitch for a web browser?
maplethorpe 55 minutes ago [-]
Doesn't it depend how they're storing the data? If it's sufficiently transformed, it could be considered fair use.
largbae 52 minutes ago [-]
For my curiosity what would the fair use be?
maplethorpe 7 minutes ago [-]
Research.
cwillu 52 minutes ago [-]
Copyright isn't relevant here.
pjmlp 15 minutes ago [-]
Another good reason not to use extensions, and leave whatever they do for utility apps.
Fokamul 50 minutes ago [-]
This is result of browser fingerprinting.
My guess, Linkedin is used for years as source of valuable information for phishing/spear-phishing.
Maybe their motive is really spying. But more important for them is to fight against people botting Linkedin.
Imho, browser fingerprinting should be banned and EU should require browser companies to actively fight against it, not to help them (Fu Google)
EdoardoIaga 32 minutes ago [-]
The headline seems pretty misleading
donatj 51 minutes ago [-]
If they are genuinely only using the information to detect bad actors and maintain site stability as the affidavit states, and if they can prove it, this seems like potentially a non-issue?
I am not a lawyer, but site stability seems like a GDPR "Legitimate Interest" in my book anyway.
JoelMcCracken 35 minutes ago [-]
This is true/valid in many ways, but the signs of significant AI gen are pretty obvious. And now I wonder how much of the overblown narrative is here.
This reminds me of the slop bug reports plaguing the curl project.
jen729w 52 minutes ago [-]
I can’t take an article seriously that starts:
> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software
and then proceeds not to explain how it’s doing that to me, a Safari user.
Because, spoiler: it isn’t. Or, it might try to search, and fail, and nothing will be collected.
knollimar 1 hours ago [-]
Reminder for windows control alt shift windows L
buellerbueller 9 minutes ago [-]
When Aaron Swartz does it, it is the threat of life in prison leading to suicide. When a multibillion dollar company does it, it is just capitalism.
HOLD EXECS LEGALLY ACCOUNTABLE, CRIMINALLY AND CIVILLY, FOR THE CRIMES OF THEIR CORPORATIONS.
bethekidyouwant 43 minutes ago [-]
Chrome: lets website scan what extensions you have installed for some reason.
foxes 1 hours ago [-]
It seems it scans your extensions not your system - reading the details. The intro made it a bit unclear.
jwsteigerwalt 1 hours ago [-]
LinkedIn is far from the only actor doing this. Browser extension fingerprinting is not new. LinkedIn‘s size, scope, network effects make this especially concerning.
Ajedi32 1 hours ago [-]
Still pretty annoying browsers haven't patched that yet.
acorn221 1 hours ago [-]
They have! It's these developers either not knowing or not caring about it which is the issue!
I did a blog post about this a while back showing how they do it, and how you can get around it, it's not very complex for the devs.
> Chrome have fortunately recently released an "extension side panel" mode, and since only DOM changes can be easily identified, using the chrome extension side panel would be virtually un-detectable however this is far less intuitive to use and requires the user to perform some action to open the sidepanel every time they want to use the extension.
As an end user I could not find an option to open the side panel
Ajedi32 52 minutes ago [-]
`use_dynamic_url` seems like it should be enabled by default, maybe with a phase-out period for backwards compatibility with older extensions.
acorn221 44 minutes ago [-]
Yeah I agree. All new extensions should have this for their web_accessible_resources.
With that said, the chrome web store ecosystem has bigger problems in front of them. For example, loads of extensions outright just send every URL you visit (inc query params) over to their servers.
Things like this just shouldn't happen, imagine you installed an extension from a few years back and you forgot about it, that's what happened to me with WhatRuns, which also scraped my AI chats.
I'm working on a tool to let people scan their extensions (https://amibeingpwned.com/) and I've found some utterly outrageous vulnerabilities, widespread affiliate fraud and widespread tracking.
halapro 55 minutes ago [-]
There's nothing to patch, scanning is not possible.
It's either the extension's choice to become detectable ("externally_connectable" is off by default) or it makes unique changes to websites that allow for its detection.
Ajedi32 49 minutes ago [-]
If it were just a matter of detecting changes to the DOM then this could only detect extensions that alter the LinkedIn website itself. I agree that would be much harder to make undetectable, but this seems like it goes beyond that.
halapro 43 seconds ago [-]
As mentioned, there's a way to expose your extension to the web. The other way is a key called "web_accessible_resources".
All of these are opt-in by the extensions and MV3 actually forces you to specify which domains can access your extension. So, again, each extension explicitly allows the web to find it.
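As an added example (not LinkedIn's, Chrome's or any extension's code), here is a small audit of the two opt-in manifest keys raised in this subthread, web_accessible_resources with use_dynamic_url and externally_connectable, run over constructed sample manifests:

```javascript
// Added example, not LinkedIn's, Chrome's or any extension's code: audit the two
// opt-in Manifest keys discussed in this thread. Under Manifest V3 a
// "web_accessible_resources" entry is fetchable by every origin in its "matches"
// list at chrome-extension://<id>/<path>; unless "use_dynamic_url" is true that
// URL embeds the extension's fixed ID, so a page can infer the extension is
// installed just by observing whether the fetch succeeds. "externally_connectable"
// is the other opt-in: listed sites may open a messaging channel to the extension.
// The sample manifests below are constructed for the demonstration.

const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns findings as { key, severity: "high" | "medium", detail } objects.
function auditManifest(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources;

  if (Array.isArray(war) && manifest.manifest_version !== 3) {
    // MV2: a flat list of paths, reachable from every origin at the fixed-ID URL.
    if (war.length > 0) {
      findings.push({
        key: "web_accessible_resources",
        severity: "high",
        detail: `MV2 exposes ${war.length} path(s) to every origin at a fixed chrome-extension://<id>/ URL; migrate to MV3 entries with use_dynamic_url`,
      });
    }
  } else if (Array.isArray(war)) {
    war.forEach((entry, i) => {
      const matches = Array.isArray(entry.matches) ? entry.matches : [];
      // Entries that list only extension_ids are not reachable from web pages.
      if (matches.length === 0) return;
      const broad = matches.some((m) => BROAD_MATCHES.has(m));
      const where = broad ? "every site" : matches.join(", ");
      if (entry.use_dynamic_url !== true) {
        findings.push({
          key: `web_accessible_resources[${i}]`,
          severity: broad ? "high" : "medium",
          detail: `${JSON.stringify(entry.resources)} reachable from ${where} at a fixed-ID URL; set "use_dynamic_url": true`,
        });
      } else if (broad) {
        findings.push({
          key: `web_accessible_resources[${i}]`,
          severity: "medium",
          detail: `dynamic URL in use, but "matches" covers every site; narrow it to the origins that need the resource`,
        });
      }
    });
  }

  const ec = manifest.externally_connectable;
  if (ec && Array.isArray(ec.matches) && ec.matches.length > 0) {
    findings.push({
      key: "externally_connectable.matches",
      severity: "medium",
      detail: `pages matching ${ec.matches.join(", ")} may message the extension and so confirm it is installed; keep this to first-party origins`,
    });
  }
  return findings;
}

// Constructed sample: the weak shape, an icon exposed to every origin at a fixed URL.
const WEAK_MANIFEST = {
  manifest_version: 3,
  name: "example-weak",
  web_accessible_resources: [{ resources: ["icon.png"], matches: ["<all_urls>"] }],
  externally_connectable: { matches: ["https://*.example.com/*"] },
};

// Constructed sample: the hardened shape, per-session URL and one first-party origin.
const HARDENED_MANIFEST = {
  manifest_version: 3,
  name: "example-hardened",
  web_accessible_resources: [
    { resources: ["icon.png"], matches: ["https://app.example.com/*"], use_dynamic_url: true },
  ],
};

// Constructed sample: a legacy MV2 manifest with a flat resource list.
const LEGACY_MANIFEST = {
  manifest_version: 2,
  name: "example-legacy",
  web_accessible_resources: ["icon.png", "inject.js"],
};

for (const m of [WEAK_MANIFEST, HARDENED_MANIFEST, LEGACY_MANIFEST]) {
  console.log(m.name, auditManifest(m));
}
```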
cj 1 hours ago [-]
This has been going on for at least 5 years. It pops up on HN every so often.
sgt 1 hours ago [-]
Seems like it. Which is serious but far from what I thought when I read the title. I suspect 90% of LinkedIn users don't even have a single browser extension installed.
josefritzishere 1 hours ago [-]
I would debate that. Most work computers have some extensions installed by default. That's millions of laptops. Ex. Snow Inventory Agent, ad blockers etc.
choo-t 1 hours ago [-]
Pretty sure that if they could they would, but browser sandboxing security prevents this from going unnoticed.
josefritzishere 1 hours ago [-]
Why can't we have nice things?
mentalgear 1 hours ago [-]
because corporate greed corrupts every nice thing: it pushes the other (maybe more moral) 'nice thing' alternatives out of the ecosystem by subsidizing, using VC funding, to provide 'NiceThing!' for free until 'NiceThing!' is the monopoly or bought by another entity to become part of the monopoly (due to weak/not enforced antitrust laws).
crest 1 hours ago [-]
Because we let them get away with it. Take something they're going to miss and can't replace (e.g. their freedom or their head) and it will stop as long as enforcement is reliable enough that they expect to get caught.
These aren't good people, but if you make the fine to the organisation much more expensive than the expected return, lock up the whole board and leave their families without a pot to piss in we will see this become the exception instead of the norm.
plagiarist 59 minutes ago [-]
Unbounded capitalism.
sourcegrift 35 minutes ago [-]
The only explanation of linkedin being worth 44B is that both bill gates (who started spending a day a week at MS after nadella became ceo) and reid hoffman appear prominently in epstein files. The deal itself was finalized during Trump's first term. So everything checks out
razkaplan 20 minutes ago [-]
[dead]
ccgb 24 minutes ago [-]
[dead]
esses 56 minutes ago [-]
[flagged]
add-sub-mul-div 37 minutes ago [-]
Maybe it's not and it's just badly written, but we've come to associate the two so strongly that we can't separate them.
_pdp_ 1 hours ago [-]
The title is a complete nonsense.
jb1991 58 minutes ago [-]
So is this comment.
acorn221 1 hours ago [-]
Yeah I agree
nxm 52 minutes ago [-]
Nothing but click-bait.
“uBlock Origin (uBO) is a CPU and memory-efficient wide-spectrum content blocker for Chromium and Firefox. It blocks ads, trackers, coin miners, popups, annoying anti-blockers, malware sites, etc., by default using EasyList, EasyPrivacy, Peter Lowe's Blocklist, Online Malicious URL Blocklist, and uBO filter lists. There are many other lists available to block even more [...]
Ads, "unintrusive" or not, are just the visible portion of the privacy-invading means entering your browser when you visit most sites. uBO's primary goal is to help users neutralize these privacy-invading methods in a way that welcomes those users who do not wish to use more technical means.”
[1] https://github.com/gorhill/uBlock?tab=readme-ov-file#ublock-...
I thought uBlock Origin was now dead in Chrome?
I remember a few hacks to keep it going but have now migrated to Firefox (or sometimes Edge…) to keep using it.
Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.
An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.
Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.
> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.
I think most people would interpret “scanning your computer” as breaking out of the confines of the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.
> They chose to put that particular extension in their target list, how is it not sinister?
Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”
What the article describes sounds like what many devs would land on given the browser APIs available.
To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I think they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
100% Agree.
So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.
Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...
If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".
The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.
But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.
Having sensationalist titles should be called out at every opportunity.
By this logic we could also say that LinkedIn scans your home network.
Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.
We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to construct unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.
This is blatant misinformation. Firefox (and all of its derivatives) also does this.
https://bugzilla.mozilla.org/show_bug.cgi?id=1372288
1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.
2. Scan the DOM, look for nodes containing "chrome-extension://" within them (for instance because they link to an internal resource)
It's pretty obvious why the second one works, and that "feels alright" - if an extension modifies the DOM, then it's going to leave traces behind that the page might be able to pick up on.
The first one is super problematic to me though, as it means that even extensions that don't interact with the page at all can be detected. It's unclear to me whether an extension can protect itself against it.
Big +1 to that.
The charitable interpretation is that this behavior is simply an oversight by Google, a pretty massive one at that, which they have been slow to correct.
The less-charitable interpretation is that it has served Google's interests to maintain this (mis)feature of its browser. Likely, Google or its partners use similar techniques to what LinkedIn/Microsoft use.
This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.
The more-fully-open-source Mozilla Firefox browser seems to have had no difficulty in recognizing the issues with static extension IDs and randomizing them since forever (https://harshityadav.in/posts/Linkedins-Fingerprinting), just as Firefox continues to support ManifestV2 and more effective ad-blocking, with no issues.
I think Android’s ‘permissions’ early on (maybe it’s improved?) and Microsoft’s blanket ‘this program wants to do things’ authorisation pop up have set a standard here that we shouldn’t still be following.
Of course Google is going to back door their browser.
> Of course Google is going to back door their browser.
Aside from the fact that other browsers exist, this makes no sense because Google would stand to gain more by being the only entity that can surveil the user this way, vs. allowing others to collect data on the user without having to go through Google's services (and pay them).
The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn last time this was posted: Extensions to scrape your LinkedIn session and extract contact info for lead lists, extensions to generate AI message spam.
That seems like fair game for their business.
My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.
My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.
Your point of "I think we’d find that many websites we use are doing this" doesn't make LinkedIn's behavior ok!
By your logic, if our privacy rights are invaded, which is illegal in most jurisdictions, then it becomes ok because many companies do illegal things??
I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.
If anything, the article undersells the scale of the issue.
I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious; its entire purpose is literally to make the website more enjoyable for the good users.
They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.
By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.
If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.
It’s common for malware extensions to disguise themselves as something simple and useful to try to trick a large audience into installing them.
That’s why the list includes things like an “Islamic content filter” and “anti-Zionist tagger” as well as “neurodivergent” tools. They look for trending topics and repackage the scraper with a new name. Most people only install extensions but never remove them if they don’t work.
Also, having a PQC enabled extension doesn't seem like a good "large user base capture" tactic.
The source code is as usual obfuscated React, but that doesn't mean it's malicious...
EDIT: I debugged the extension quickly and it doesn't seem to do anything malicious. It only sends a https://pqc-extension.vercel.app/?hostname=[domain] request to this backend, to which it has permissions. It doesn't seem to exfiltrate anything else.
Well great, there is no available 'getAllFiles()' or such either, because they'd be scanning your files for "fingerprinting" as well.
> alarmist framing
Well, they are literally searching your computer for applications/extensions that you have installed? (And to an extent you can infer what some of the desktop applications you have are based on that too.)
What's been really obnoxious lately is the number of sites I try to do things on that are straight up broken without turning off my ad-blocker.
Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.
It absolutely is sinister.
We should not normalise nor accept this behaviour in the first place.
I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.
The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.
It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.
Time to figure out if I can make Firefox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...
But I bet they could reliably guess your religious affiliation based on the presence of some specific browser extensions.
God forbid they make an educated guess based on your actual LinkedIn connections, name, interests, etc.
Why is this even possible in the first place? It's nobody's business what extensions I have installed.
My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.
This could be easily inferred from the depth, breadth, and interconnectedness of data in the website.
By downplaying it, it's allowing it to exist and do the very thing.
The issue here is this stuff is working likely despite ad blockers.
Fingerprinting technology can do a lot more than just what can be learned from ads.
From the site:
"The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none." https://browsergate.eu/extensions/
And probably also vibe-coded therefore 2 tabs of LinkedIn take up 1GB of RAM (was on the front page a few days back).
OMG is literally every article written with LLMs these days I just can't anymore. It's all so tiring.
Would you like me to suggest some AI summarizer tools you could use to more efficiently read AI generated content in the meantime?
I find myself doing this a lot, and I’m sure even more slips without my notice.
What matters is the content!
> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
If I had to guess: I doubt that automatic content blurrer, neurodivergent website simplifier, or anti-Zionist tagger actually work. They're all just piggybacking on trending topics to get users to install them and then forget about them, then they exfiltrate the data when you visit LinkedIn.
This is not. To violate trust, there should have been some.
If you mean the _browser_, then I agree in principle, but - it is a browser offered to you by Alphabet. And they are known for mass surveillance and use of personal information for all sorts of purposes, including passing copies to the US intelligence agencies.
But of course, this is what's promoted and suggested to people and installed by default on their phones, so even if it's Google/Alphabet, they should be pressured/coerced into respecting your privacy.
So this probably depends on the country.
Is that enough blocking, I wonder?
It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.
edit: I answered before I go fully through the article but it does say it's only Chrome based.
> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.
> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.
  // a() is the isBrowser() check described above: window must exist and
  // must not be the server-side rendering (Node) environment.
  function a() {
    return "undefined" != typeof window && window && "node" !== window.appEnvironment;
  }
  // s() is the isUserAgentChrome() check: "Chrome" also appears in the user
  // agent of Edge, Brave, Opera, Arc and other Chromium-based browsers.
  function s() {
    return window?.navigator?.userAgent?.indexOf("Chrome") > -1;
  }
  // The scan bails out unless both checks pass.
  if (!a() || !s()) return;
I am a little surprised something like CORS doesn't apply to it, though.
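As an added example (not LinkedIn's code, and not from the article), here is what a per-ID extension probe of this kind looks like. Chromium exposes no "list all extensions" API; a page can only try a known extension ID and see whether a file that the extension declared as web-accessible loads from chrome-extension://<id>/<path>. Real probes use fetch() or an <img> onload/onerror pair; here the fetch is injected so the scan logic can be exercised outside a browser against a constructed environment. The extension IDs, paths and labels are placeholders chosen for the example, not real extensions, and the gate functions mirror the snippet quoted above.

```javascript
// Added example: one-at-a-time extension probing, gated the way the quoted
// LinkedIn snippet is gated. Placeholder IDs below are 32 chars from a-p,
// the shape of real Chromium extension IDs, but do not refer to any real
// extension.
const EXTENSION_PROBES = [
  { id: "abcdefghijklmnopabcdefghijklmnop", path: "icon.png", label: "example-scraper" },
  { id: "ponmlkjihgfedcbaponmlkjihgfedcba", path: "inject.js", label: "example-automation" },
  { id: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", path: "logo.svg", label: "example-unrelated" },
];

// Same two gates as the quoted code: skip server-side rendering and skip
// non-Chromium user agents (Firefox rejects chrome-extension:// URLs anyway).
function isBrowser(win) {
  return typeof win !== "undefined" && !!win && win.appEnvironment !== "node";
}
function isUserAgentChrome(nav) {
  return (nav?.userAgent ?? "").indexOf("Chrome") > -1;
}

function probeUrl(id, path) {
  return `chrome-extension://${id}/${path}`;
}

// One probe. In Chromium a web-accessible resource of an installed extension
// resolves (ok, or opaque under no-cors); an unknown extension or a resource
// that is not exposed fails with a network error, which we treat as "absent".
async function probeExtension(probe, fetchImpl) {
  try {
    const res = await fetchImpl(probeUrl(probe.id, probe.path), { mode: "no-cors" });
    return res.ok || res.type === "opaque";
  } catch (_err) {
    return false;
  }
}

// Runs every probe in parallel and returns the labels that hit, or null when
// the gate says not to scan at all.
async function scanExtensions(probes, env) {
  if (!isBrowser(env.window) || !isUserAgentChrome(env.navigator)) return null;
  const hits = await Promise.all(probes.map((p) => probeExtension(p, env.fetch)));
  return probes.filter((_, i) => hits[i]).map((p) => p.label);
}

// Constructed stand-in for a Chromium page (assumption for the example):
// `installedIds` models which extensions are installed and expose the
// requested resource. Chromium raises TypeError("Failed to fetch") otherwise.
function makeFakeEnv({ userAgent, installedIds }) {
  return {
    window: { appEnvironment: "browser" },
    navigator: { userAgent },
    fetch: async (url) => {
      const m = /^chrome-extension:\/\/([a-p]{32})\/.+$/.exec(url);
      if (m && installedIds.has(m[1])) return { ok: true, type: "basic", status: 200 };
      throw new TypeError("Failed to fetch");
    },
  };
}

// Constructed user agent strings for the gate check.
const CHROME_UA =
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36";
const FIREFOX_UA =
  "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0";

// Usage: in Chrome with the first placeholder installed, the scan reports
// ["example-scraper"]; in Firefox the gate returns null and nothing is probed.
scanExtensions(
  EXTENSION_PROBES,
  makeFakeEnv({ userAgent: CHROME_UA, installedIds: new Set(["abcdefghijklmnopabcdefghijklmnop"]) })
).then((labels) => console.log("detected:", labels));
```

The point the probe makes concrete: each hit is a yes/no answer about one ID, so the script needs a long list of IDs to be useful, and the list itself is what leaks intent. On the defensive side, the probe only works against extensions that expose a resource to that origin; an extension with no web_accessible_resources entry (or, under MV3, one whose matches exclude the site) fails every probe.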
This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.
https://hn.algolia.com/?q=linkedin+weird
Essentially, they are labelling you, like most do, but against some interesting profiles given the kinds of extensions they are scanning for
I'm not convinced by their page explaining "Why it's illegal and potentially criminal" [0]. It's written by security researchers and non-attorneys.
For example, this characterization seems overly broad:
> The Court of Justice of the European Union has ruled, in three separate cases, that data which allows someone to infer or deduce protected characteristics is covered by this prohibition, regardless of whether the company intended to collect sensitive data.
[0] https://browsergate.eu/why-its-illegal/
https://news.ycombinator.com/item?id=45349476
⇒ which Chrome allows sites to do.
Considering the goal is to identify people, this is undeniably PII. As the article demonstrates, it also pertains to sensitive information.
Which is weird, because that is undeniably the hard way. Lobby Google to add protections to Chromium.
There's a reason I continue to use Firefox (with uBlock Origin) and will never switch.
Also, when I got laid off from a previous job, I made a LinkedIn profile to help find a new job. Once I found a new job, I haven't logged into LinkedIn since - that was almost 2 years ago.
I hope browsers in the future will need to ask for permission before doing any of that.
> Microsoft has 33,000 employees
this should probably be LinkedIn, not Microsoft.
Firefox with a non-default profile can be created like that:
And you can launch it like that:
So, given that /usr/bin/firefox is just a shell script, you can
If you use an icon to run firefox (say, /usr/share/applications/firefox.desktop), you'll need to copy/adjust the line for the icon.
Of course, "./firefox" from the examples above should be replaced with the actual path to the executable. For a default installation of Firefox the path would be in the /usr/bin/firefox script.
So, you can have a separate profiles for something sensitive/invasive (linkedin, shops, etc.) and then you can have a separate profile for everything else.
And each profile can have its own set of extensions.
I really don't think they're "illegally" searching your computer, they're checking for sloppy extensions that let linkedin know they're there because of bad design.
And not letting you read your messages when on your mobile phone unless you use their app is particularly mean. Considering again where they are sending all the information they scrape.
I know there has been other LinkedIn hate on HN this week. I know they have some good tools for job searching and hiring. I still wish we as a society could move on and leave this one with MySpace.
Different browsers have various settings available, but do we have a little snitch for a web browser?
My guess, Linkedin is used for years as source of valuable information for phishing/spear-phishing.
Maybe their motive is really spying. But more important for them is to fight against people botting Linkedin.
Imho, browser fingerprinting should be banned and EU should require browser companies to actively fight against it, not to help them (Fu Google)
I am not a lawyer, but site stability seems like a GDPR "Legitimate Interest" in my book anyway.
This reminds me of the slop bug reports plaguing the curl project.
> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software
and then proceeds not to explain how it’s doing that to me, a Safari user.
Because, spoiler: it isn’t. Or, it might try to search, and fail, and nothing will be collected.
HOLD EXECS LEGALLY ACCOUNTABLE, CRIMINALLY AND CIVILLY, FOR THE CRIMES OF THEIR CORPORATIONS.
https://www.linkedin.com/pulse/how-linkedin-knows-which-chro...
As an end user I could not find an option to open the side panel
With that said, the chrome web store ecosystem has bigger problems in front of them. For example, loads of extensions outright just send every URL you visit (inc query params) over to their servers. Things like this just shouldn't happen. Imagine you installed an extension from a few years back and you forgot about it; that's what happened to me with WhatRuns, which also scraped my AI chats.
I'm working on a tool to let people scan their extensions (https://amibeingpwned.com/) and I've found some utterly outrageous vulnerabilities, widespread affiliate fraud and widespread tracking.
It's either the extension's choice to become detectable ("externally_connectable" is off by default) or it makes unique changes to websites that allow for its detection.
All of these are opt-in by the extensions, and MV3 actually forces you to specify which domains can access your extension. So, again, each extension explicitly allows the web to find it.
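To make that opt-in concrete, here is an added example (not from the article or from any extension) that reads an extension's manifest.json and reports the two declarations that make it visible to a web page: web_accessible_resources, which lets a page load a listed file via chrome-extension://<id>/<path> (MV2 exposes the list to every origin, MV3 requires a matches list per entry), and externally_connectable, which lets listed sites message the extension and get an answer. The sample manifests are constructed for the example; the origin-matching helper covers the match-pattern forms seen in practice and is an approximation of Chromium's full matcher.

```javascript
// Added example: audit a manifest for the declarations that make an
// extension detectable from a page. Neither declaration is on by default.

// Summarise exposure from a parsed manifest.json object.
function manifestExposure(manifest) {
  const report = {
    manifestVersion: manifest.manifest_version,
    webAccessible: [],          // [{ resources, matches }]
    externallyConnectable: [],  // match patterns allowed to message the extension
    detectable: false,
  };
  const war = manifest.web_accessible_resources;
  if (Array.isArray(war)) {
    for (const entry of war) {
      if (typeof entry === "string") {
        // MV2: flat list of paths, loadable from any origin.
        report.webAccessible.push({ resources: [entry], matches: ["<all_urls>"] });
      } else if (entry && typeof entry === "object") {
        // MV3: each entry names resources and the origins allowed to load them.
        // An entry that only lists extension_ids has no matches and is not
        // reachable from web pages, so it contributes nothing here.
        report.webAccessible.push({
          resources: Array.isArray(entry.resources) ? entry.resources : [],
          matches: Array.isArray(entry.matches) ? entry.matches : [],
        });
      }
    }
  }
  const ec = manifest.externally_connectable;
  if (ec && Array.isArray(ec.matches)) report.externallyConnectable = ec.matches.slice();

  report.detectable =
    report.webAccessible.some((e) => e.resources.length > 0 && e.matches.length > 0) ||
    report.externallyConnectable.length > 0;
  return report;
}

// Does a page origin fall inside a Chromium match pattern? Handles <all_urls>,
// the "*" scheme (http/https only), "*" host, "*.host" (host and subdomains)
// and an exact host. The path part is ignored because we compare origins.
function matchesPattern(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)?$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host] = m;
  const url = new URL(origin);
  const urlScheme = url.protocol.replace(":", "");
  if (scheme === "*" ? !["http", "https"].includes(urlScheme) : scheme !== urlScheme) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === host;
}

// Can a page at `origin` detect this extension via either declaration?
function detectableFrom(manifest, origin) {
  const r = manifestExposure(manifest);
  return (
    r.webAccessible.some((e) => e.resources.length > 0 && e.matches.some((p) => matchesPattern(p, origin))) ||
    r.externallyConnectable.some((p) => matchesPattern(p, origin))
  );
}

// Constructed sample manifests (assumptions for the example, not real extensions).
const QUIET_MV3 = { manifest_version: 3, name: "example-quiet" };
const OPEN_MV2 = { manifest_version: 2, name: "example-open", web_accessible_resources: ["icon.png"] };
const SITE_SCOPED_MV3 = {
  manifest_version: 3,
  name: "example-site-scoped",
  web_accessible_resources: [{ resources: ["icon.png"], matches: ["https://*.linkedin.com/*"] }],
};
const MESSAGING_MV3 = {
  manifest_version: 3,
  name: "example-messaging",
  externally_connectable: { matches: ["https://example.com/*"] },
};

// Usage: report which of the samples a page on www.linkedin.com could detect.
for (const m of [QUIET_MV3, OPEN_MV2, SITE_SCOPED_MV3, MESSAGING_MV3]) {
  console.log(m.name, "detectable from linkedin.com:", detectableFrom(m, "https://www.linkedin.com"));
}
```

Two practical notes. First, the MV3 matches list is the only scoping available: an extension that needs to inject a resource into a site has to name that site, and in doing so becomes probeable from it, which is exactly the trade-off the comment above describes. Second, the check is origin-level; Chromium also compares the path of a match pattern when a specific resource URL is fetched, so treat a "not detectable" verdict here as a necessary, not sufficient, condition.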
These aren't good people, but if you make the fine to the organisation much more expensive than the expected return, lock up the whole board and leave their families without a pot to piss in we will see this become the exception instead of the norm.