digitalWestie4d ago

LinkedIn Is Illegally Searching Your Computer

https://browsergate.eu/

LinkedIn Is Illegally Searching Your Computer

Microsoft is running one of the largest corporate espionage operations in modern history. Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm. The user is never asked. Never told. LinkedIn’s privacy policy does not mention it. Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

BrowserGate
Show threadhaswell4d ago

The headline seems pretty misleading. Here’s what seems to actually be going on:

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

Show threadandersonpico4d ago

How is probing your browser for installed extensions not "scanning your computer"?

Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.

> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.

Show threadafandian4d ago
When "the browser is the OS", scanning that is a pretty big chunk of "your computer".
Show threadchii4d ago

but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.

If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".

The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.

Show threadjustonceokay4d ago
Are you defending LinkedIn’s behavior right now or are you just happy to be more technically correct (the best kind of correct!) than those around you? Trying to understand the angle
Show threadImPostingOnHN

The browser fingerprinting described is ubiquitous on the internet, used by players large and small. There are even libraries to do this.

Like OP, I don't consider behavior confined to the browser to be my computer. "Scans your browser" is both technically correct and less misleading. "Scans your computer" was chosen instead, to get more clicks.

Apr 2 at 3:16pmWeb