Mastodawn

LinkedIn Is Illegally Searching Your Computer

https://browsergate.eu/

LinkedIn Is Illegally Searching Your Computer

Microsoft is running one of the largest corporate espionage operations in modern history. Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm. The user is never asked. Never told. LinkedIn’s privacy policy does not mention it. Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

BrowserGate

andersonpico Apr 2

this is a massive violation of trust

> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).

Almost certainly they are using that for audience segmentation and ad targeting. Clever and disgusting. This isn't the invention of some evil moustache-twirling executive, this was the invention of an employee or group of employees who value money more than morals. We should think of such employees as henchmen.

luxuryballs Apr 2

if they do a better job at showing me an ad that might be relevant to me, how is that disgusting? if I have to see an ad at all I at least want them to give it their best shot

Imagine if someone was following you around with a clipboard writing down everything you do, then rifling through your bookshelf to make note of certain books on the bookshelf, and then using that to target ads at you.

You'd say that's a ridiculous and illegal thing to do without you explicit consent, right?

Maybe you personally don't mind and would be happy to offer that consent. But they're doing it without your consent, regardless of whether you want it or not.

franktankbank Apr 2

What if someone makes an ad thats not an ad at all, maybe its a rabbithole designed to fuck with you. Maybe its designed to enrage you.

I cant believe that people still have the attitude that the trillions of dollars being invested in all this technology and tracking is just to give them a more relevant ad.

Do people really not remember scandals like Cambridge Analytica, and realise that these ads combined with social media feeds can be used to literally control and manipulate peoples decisions and behavoir?

Theres a reason Facebook and Youtube just got sued for being intentionally addictive attention machines.

bethekidyouwant Apr 2

It scans thousands so in thousands, some of them have these weird names

einpoklum Apr 2

If you mean by the website, then - surely not. What basis do you have to trust websites you visit? Especially a social network that owned by Microsoft to boot?

If you mean the _browser_, then I agree in principle, but - it is a browser offered to you by Alphabet. And they are known to mass surveillance and use of personal information for all sorts of purposes, including passing copies to the US intelligence agencies.

But of course, this is what's promoted and suggested to people and installed by default on their phones, so even if it's Google/Alphabet, they should be pressured/coerced into respecting your privacy.

Many extensions designed to scrape data from social media websites are disguised as simple extensions that do something else.

If I had to guess: I sought that automatic content blurrer, neurodivergent website simplifier, or anti-Zionist tagger actually work. They’re all just piggybacking on trending topics to get users to install them and then forget about them, then they exfiltrate the data when you visit LinkedIn.

cryptoegorophy Apr 2

This. Do not install any extension unless you absolutely need. Assume they all leak your browsing data.
Not familiar with Google but if you can just vibe code your own extension then do that.

[flagged]

calgarymicro Apr 2

No, they mean Anti-Zionist Tag[0], an extension that is live on the Chrome Web Store and identifies anti-Zionists for the benefit of Zionists.

[0]https://chromewebstore.google.com/detail/anti-zionist-tag/ek...

Anti-Zionist Tag - Chrome Web Store

An extension that adds a tag to the LinkedIn profiles of Anti-Zionists

[flagged]

The headline seems pretty misleading. Here’s what seems to actually be going on:

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

replwoacause Apr 2

I disagree, I think we should push back hard on behavior like this. What business is it of LinkedIn's what browser extensions I have installed? I think the framing for this is appropriate.

To broaden my point, I think we’d find that many websites we use are doing this.

My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.

My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.

> To broaden my point, I think we’d find that many websites we use are doing this.

Your point of "I think we’d find that many websites we use are doing this" doesn't make LinkedIn's behavior ok!

By your logic, if our privacy rights are invaded which is illegal in most jurisdiction, and then it become ok because many companies do illegal things??

Absolutely not. At no point am I saying this is ok.

I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.

If anything, the article undersells the scale of the issue.

You really need to work on your reading comprehension, dude.

Why is it possible for a web site to determine what browser extensions I have installed? If there are legitimate uses, why isn't this gated behind a permission prompt, like things like location and camera?

This, to me, seems like the more salient point. A headline like “Major browsers allow websites to see your installed extensions” seems more appropriate here.

We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to constrict unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.

This is a Chrome thing. It’s a safe bet that if you use Google products you don’t care about privacy anyway. “Google product collects info about you: news at 11.”

Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone else unless you ask them to.

Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone who hasn't paid them for it or can compel them to give it up.

There's a fourth amendment case on the Supreme Court docket (Chatrie v. U.S.) about Google searching a massive amount of user data to find people in a location at a specific time, at police request. The case is about whether the police's warrant warranted such a wide scope of search (if general warrants are allowed).

Point being: Google will 100% give your info to the police, regardless of whether the police have the legal right to it or not, and regardless of whether you actually committed a crime or not.

Bonus points: the federal court that ruled on the case said that it likely violated the fourth amendment, but they allowed the police to admit the evidence anyway because of the "good faith" clause, which is a new one for me. Time to add it to the list of horribly abusable exceptions (qualified immunity, civil asset forfeiture, and eminent domain coming to mind).

ImPostingOnHN Apr 2

They knowingly participated in PRISM, too.

Why would the police go to all that hassle of compelling google to give it up when it can simply buy it on the open market.

The breaking point with me that caused me to de-google myself was finding out that Google was buying Mastercard records in order to cross-reference them with Android phone data. That shit is not okay.

Ah yes, I should have said I was describing the official line, not the behaviour. In all fairness the “can compel them to give it up” doesn’t seem to be optional but otherwise, yeah. Agreed.

> This is a Chrome thing.

This is blatant misinformation. Firefox (and all of its derivatives) also does this.

https://bugzilla.mozilla.org/show_bug.cgi?id=1372288

1372288 - [meta] WebExtensions can be used as user fingerprint

NEW (nobody) in WebExtensions - General. Last updated 2026-03-24.

hsuduebc2 Apr 2

Well it would be more appropriate headline if it would be about broken browser behavior.

But this is about major corporation sneakily abusing this to ilegally extract specific sensitive data which they are abusing.

It does two things:

1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.

2. Scan the DOM, look for nodes containing "chrome-extension://" within them (for instance because they link to an internal resource)

It's pretty obvious why the second one works, and that "feels alright" - if an extension modifies the DOM, then it's going to leave traces behind that the page might be able to pick up on.

The first one is super problematic to me though, as it means that even extensions that don't interact with the page at all can be detected. It's unclear to me whether an extension can protect itself against it.

> 1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.

Big +1 to that.

The charitable interpretation is that this behavior is simply an oversight by Google, a pretty massive one at that, which they have been slow to correct.

The less-charitable interpretation is that it has served Google's interests to maintain this (mis)feature of its browser. Likely, Google or its partners use similar to techniques to what LinkedIn/Microsoft use.

This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.

The more-fully-open-source Mozilla Firefox browser seems to have had no difficulty in recognizing the issues with static extension IDs and randomizing them since forever (https://harshityadav.in/posts/Linkedins-Fingerprinting), just as Firefox continues to support ManifestV2 and more effective ad-blocking, with no issues.

LinkedIn’s Fingerprinting

LinkedIn’s Fingerprinting

Harshit Yadav

warkdarrior Apr 2

> This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.

uBlock Origin Lite (compatible w/ ManifestV3) works quite well for me, I do not see any ads wherever I browse.

Agreed, but also, permission prompts are way overused and often meaningless to anyone at all, even fellow software engineers. “This program [program.exe] wants to do stuff, yes/no?” How should I know what’s safe to say yes to?

I think Android’s ‘permissions’ early on (maybe it’s improved?) and Microsoft’s blanket ‘this program wants to do things’ authorisation pop up have set a standard here that we shouldn’t still be following.

Generally the whole thing needs to be flipped upside down. Extensions is the easy one, there's not reason a random website can list your installed extensions, zero.

For other capabilities, like BlueTooth API, rather than querying the browser, assume that the browser can do it and then have the browser inform the user that the site is attempting to use an unsupported API.

> What business is it of LinkedIn's what browser extensions I have installed?

The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn last time this was posted: Extensions to scrape your LinkedIn session and extract contact info for lead lists, extensions to generate AI message spam.

That seems like fair game for their business.

And instead LinkedIn is scraping all users computers?

This doesn’t fit the description of scraping by any normal definition. It’s a classic feature probe structure, where the features happen to be scraping extensions.

I think it’s kind of funny that HN has gone so reactionary at tech companies that the comments here have become twisted against the anti-spam measures instituted on a website that will never trigger on any of their PCs, because HN users aren’t installing LinkedIn scrape and spam extensions.

ImPostingOnHN Apr 2

HackerNews users used to be the type that would do the scraping, so they could Hack the data into whatever format or integration they desired.

It's unfortunate to see folks here who don't support that – interoperability is at the heart of the Hacker Ethic. LinkedIn (along with any other big tech companies locking down and crippling their APIs) is wrong to even try to block it.

Is it an issue of the resources scrapers consume? No: Even ordinary users trying to get API access on a registered persistent account linked to their name are stymied in accessing their own data. LinkedIn simply doesn't want you to access your own data via API, or in any manner that isn't blessed by them. That ain't right.

warkdarrior Apr 2

LinkedIn has an API you can use at your convenience:
https://learn.microsoft.com/en-us/linkedin/

Accessing other users' LinkedIn data via the API requires their OAuth consent, as it should be. But you are welcome to access your own data via the API.

LinkedIn API Documentation - LinkedIn

Explore LinkedIn API documentation for Compliance, Consumer, Learning, Marketing, Sales, and Talent Solutions

> I think we should push back hard on behavior like this.

Indeed, so I gather all of you have canceled your LI account over this?

I never made one in the first place because it was pretty clear to me that this company - even before the acquisition - had nothing good in mind.

MikeNotThePope Apr 2

If I had to guess, LinkedIn would be primarily searching for extensions that violate their terms of service (e.g. something that could be used to scrape data). They put a lot of effort into circumventing automated data collection. I could be wrong.

al_borland Apr 2

> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.

An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.

To be clear, expecting != accepting.

The point was more that the headline frames this as some major revelation about LinkedIn, while the reality is that we’re getting probed and profiled by far more sites than most people realize.

armchairhacker Apr 2

Regulation is also a cat-and-mouse game. Life is a cat-and-mouse game.

[flagged]

andersonpico Apr 2

How is probing your browser for installed extensions not "scanning your computer"?

Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.

> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.

When "the browser is the OS", scanning that is a pretty big chunk of "your computer".

but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.

If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".

The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.

blenderob Apr 2

> but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.

But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.

ImPostingOnHN Apr 2

It implies more than just the browser, which is likely why it was used for the post title. If it is exclusively limited to the browser, then "scans your browser" is more correct, and doesn't mislead the reader into thinking something is happening which isn't commonplace on the internet.

Extensions are files installed on your computer, though?

it doesn't have to be files. it could be in memory on the browser. Extensions don't imply files for anyone but the most technical of conversations. Certainly not to the laymen.

Having sensationalist titles should be called out at every opportunity.

blenderob Apr 2

> it doesn't have to be files. it could be in memory on the browser.

How'd that work? If it's in memory, the extensions would vanish everytime I shutdown Chrome? I'll have to reinstall all my extensions again everytime I restart Chrome?

Have you seen any browser that keeps extension in memory? Where they ask the user to reinstall their extensions everytime they start the browser?

justonceokay Apr 2

Are you defending LinkedIn’s behavior right now or are you just happy to be more technically correct (the best kind of correct!) than those around you? Trying to understand the angle

ImPostingOnHN Apr 2

The browser fingerprinting described is ubiquitous on the internet, used by players large and small. There are even libraries to do this.

Like OP, I don't consider behavior confined to the browser to be my computer. "Scans your browser" is both technically correct and less misleading. "Scans your computer" was chosen instead, to get more clicks.

This is just the next iteration of the issues with Linux file permissions, where the original threat model was “the computer is used by many users who need protection from each other”, and which no longer makes much sense in a world of “the computer is used by one or more users who need protection from each other and also from the huge amounts of potentially malicious remote code they constantly execute”.

And I spend a lot of my time at home on my computer. The article should have said LinkedIn is searching my house.

In the same way that scanning and identifying your microwave for food you put inside it is not the same as scanning your house and reading the letters in your postbox.

Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.