"Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.

The user is never asked. Never told. LinkedIn’s privacy policy does not mention it."

https://browsergate.eu/

LinkedIn Is Illegally Searching Your Computer

Microsoft is running one of the largest corporate espionage operations in modern history. Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm. The user is never asked. Never told. LinkedIn’s privacy policy does not mention it. Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

BrowserGate
I have to find the focus and mental energy to read this LinkedIn stuff top to bottom, but from what I've read so far, it's very, very bad!

@brunomiguel

Avoiding Chrome (Chromium?) browsers seems a possible start to mitigation?

@grant_h maybe. But given this on Chromium-based browsers, there's a chance that something similar might exist for other browsers, too
@brunomiguel @grant_h details matter, though. Especially as the info tells about browser extensions rather than software (which a browser normally should not even offer access to).
@torf @grant_h browser extension info can be useful for a malicious actor
@brunomiguel @grant_h still, there is a significant difference in the access level.

@brunomiguel @grant_h I agree. If they don't have something like that for Firefox and other browsers, they'll make it.

And don't think for a moment that they're the only ones doing it.

@brunomiguel @grant_h it does. It's called "fingerprinting". This is the norm for large websites that advertise. They do this to assign digital IDs to everyone so they can build advertising profiles & sell all the data. "Age Verification" will make this problem worse because it'll link these profiles to a government ID.

@brunomiguel @grant_h all browsers suffer from this, it's a JavaScript call implemented by all major browsers to query installed fonts that can be abused (iirc, but it's been a while)

Use an extension like CanvasBlocker to spoof these requests: https://github.com/kkapsner/CanvasBlocker

GitHub - kkapsner/CanvasBlocker: A Firefox extension to protect from being fingerprinted.

@brunomiguel
Even if it were mentioned, I'd have to visit the site to read the privacy policy in order to know about that in the first place. That's the first problem. The second is that there should not be any mechanism in my browser that allows them to do that automatically. That's fucking crazy.

@brunomiguel Let's see them try that on something like Qubes, or where a browser is otherwise run in an isolated VM.

Glad I don't have an account and refuse to touch them.

@brunomiguel I use #LinkedIn a lot. How can I prevent that and still use LI?

@OlivierBurnier @brunomiguel

1. Why would you?

But if you must

2. Use Firefox or one of its forks. If you don't know what "fork" means, don't worry about it and just use Firefox

P.S. I would not be surprised to hear they implemented something equally shitty there.

@rozeboosje @OlivierBurnier @brunomiguel Waterfox is a fork I've been using recently.

Also have Privacy Badger and a Tracker Blocker. Not sure if these block all attempted leaks.

I used LinkedIn on my Fairphone and Waterfox browser. It blocked nearly 100 attempted leaks from the LinkedIn web site in 15 minutes on site (leaving all the groups I'd joined).
Need to do final bits of closing account on Laptop, so all tracker blockers will be on!

@rozeboosje

1. Got good alternative job-seeking sites?

@OlivierBurnier @brunomiguel

@tuga @OlivierBurnier @brunomiguel

#getfedihired

Glassdoor, perhaps?

Not sure, to be honest. As I will shortly be 60 years old I am hoping I will never need to worry about such things again.

@tuga @rozeboosje @brunomiguel I use LinkedIn to identify and approach prospects. Job sites would not help.
@rozeboosje @brunomiguel The search engine I use is Qwant, does that help?
@OlivierBurnier @brunomiguel If you use a clean Chrome install without any browser extensions, there is nothing for them to detect. I believe incognito mode might also work.
@brunomiguel holy shit this is creepy as fuck
@brunomiguel I've read the summary and some other parts and: this is some NSA-ass shit!!!
@brunomiguel It's been so long since I was at Netscape,
started to forget why I hate MS so much

@brunomiguel “hidden code searches their computer for installed software” — this is a gross exaggeration; it’s searching the browser for installed plugins and browser-accessible hardware. Still bad, but not nearly as all-encompassing as the quote implies.

https://browsergate.eu/how-it-works/

The Attack: How it works

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy. This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.


@brunomiguel "hidden code searches their computer for installed software"

Not to defend sleazy behaviour from a sleazy company, but that's not quite true, it detects browser extensions in the current browser, it doesn't break out of browser isolation and go search the hard drive for files like an antivirus for example.

It is still a reason to get off privacy invading software/websites like Chrome/Edge, and LinkedIn, though.

@chrisp @brunomiguel yep, thank you for pointing this out.

i agree that this is terrible behavior from linkedin. still, it must not be exaggerated what's going on: it's limited to installed extensions in the browser, specifically those that expose assets to websites.
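
The point above, that only extensions exposing assets to websites are detectable, can be checked against your own installed extensions. This is an added example, not part of the original thread and not code from LinkedIn or BrowserGate: it classifies an extension by the `web_accessible_resources` key of its `manifest.json`. The sample manifests, the extension names and the function names `exposure` and `audit` are constructed for illustration, and the match-pattern check is simplified.

```javascript
// Simplified match-pattern test: <all_urls>, wildcard scheme/host, exact host.
function matchesSite(patterns, host) {
  return patterns.some((p) => {
    if (p === "<all_urls>") return true;
    const m = /^(\*|https?):\/\/([^/]+)\//.exec(p);
    if (!m) return false;
    const h = m[2];
    if (h === "*") return true;
    if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
    return h === host;
  });
}

// Classify one parsed manifest.json as seen from a page served by `host`.
function exposure(manifest, host) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return "not-exposed";
  // Manifest V2: a flat list of files that any website may request.
  if (typeof war[0] === "string") return "exposed";
  // Manifest V3: each entry limits its resources to the origins in `matches`.
  const hits = war.filter((e) => e && Array.isArray(e.resources) &&
    e.resources.length > 0 && matchesSite(e.matches || [], host));
  if (hits.length === 0) return "not-exposed";
  // use_dynamic_url serves resources under a per-session ID, not the fixed one.
  return hits.every((e) => e.use_dynamic_url === true) ? "exposed-dynamic-url" : "exposed";
}

// Constructed sample manifests (names and file paths are made up).
const SAMPLE_MANIFESTS = {
  "legacy-helper": { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  "open-assets": { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui/panel.html"], matches: ["<all_urls>"] }] },
  "scoped-assets": { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.js"], matches: ["https://example.org/*"] }] },
  "dynamic-assets": { manifest_version: 3, web_accessible_resources: [
    { resources: ["frame.html"], matches: ["*://*/*"], use_dynamic_url: true }] },
  "no-assets": { manifest_version: 3 },
};

// Return { extensionName: classification } for every manifest given.
function audit(manifests, host) {
  const out = {};
  for (const [name, m] of Object.entries(manifests)) out[name] = exposure(m, host);
  return out;
}

console.log(audit(SAMPLE_MANIFESTS, "www.linkedin.com"));
```

To run it on a real profile, parse each installed extension's `manifest.json` and pass the objects to `audit` in place of `SAMPLE_MANIFESTS`.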

@luatic @chrisp I've read more information about this (still haven't read everything due to health reasons), and they do seem to overstate some stuff. Still, it's creepy af behaviour from LinkedIn
@chrisp @brunomiguel fwiw, browser extensions are installed software
@punissuer @brunomiguel Sure, but fingerprinting browser extensions of the browser the page is running in is not the same as reading arbitrary files on the filesystem.
@chrisp @punissuer it can be the entry vector for it, though. Of course, this is speculative, but possible nonetheless. I don't think LinkedIn would do it, but I wouldn't bet the third-parties that also get the info will use it ethically
@brunomiguel @chrisp I wonder *if* there is an ethical way to use that information
@punissuer @chrisp unfortunately, that's a whole rabbit hole on its own
@brunomiguel If only Matrix from R. Hill were a little easier to use, it would be maybe not 100% safe but at least 75%, and that is a lot. Easy to use, I mean, not that the extension is complicated, but how it slows down and blocks net flow.
@brunomiguel
So if I don't visit LinkedIn
Use Firefox with Umatrix blocking most scripts by default.
I'm OK?
I deleted my LinkedIn account years ago when it enabled spammers.
Then deleted Facebook
Not sure if I deleted Twitter before or after Musk took it.
@brunomiguel searches for installed _browser extensions_ , not all the software on your computer. it's bad, but it's not as bad as the headline makes it seem.
"searches their computer for installed software" is a bit misleading. It searches your Chrome extensions only. I have none, as I suspect do most ppl.
@brunomiguel have had to delete my account more than once

@brunomiguel I run LinkedIn and other info-hungry platforms in separate browser containers. https://support.mozilla.org/en-US/kb/how-use-firefox-containers

Not perfect ... but it helps till alternatives to these shittified platforms take over.

How to use Firefox containers | Firefox Help

This article explains how to use Firefox containers with the Multi-Account Containers extension, to organize your online activities.