/\ndy8h ago
Paco Hope

Holy shit this is detailed. Can you believe the hubris to silently collect all this information on users?

#privacy

https://browsergate.eu/how-it-works/

The Attack: How it works

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy. This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.

BrowserGate
8:06pmWeb
Show threadčerný kočky nemňoukaj'8h ago
@paco i worked at major anti-virus company. not only i can believe it, i think it’s default mode of all companies that came into contact with any sellable user data
Show threadYou S Blues2h ago
@cerny_kocky @paco I’ve looked at a couple sites using the builtwith browser extension and wow, I had no idea the quantity of tracking tools used on sites.
Show threadgrrl_aex7h ago

@paco

Kinda makes you wonder what all the other slimy digi-corpos are doing.... this is just one that's been caught after all.

Show threadPaco Hope7h ago

@kitkat_blue Years ago I was working for a retailer in the UK who had only recently built their first mobile app on iOS. Like most apps of that era, it was little more than a webview and it didn't need much permisisons.

Like most developers, they had incorporated some analytics package that was reporting on users' interaction with the app. I'm fairly sure it was a binary library that they linked into their app. I don't think they got source code. I might be wrong.

I could see the telemetry going up in the analytics API calls. Which buttons, which pages, etc.

Then one day they launched an app feature "find a store near me." Now the app needed location permissions. If the user granted location permissions, the analytics library got access to location. Anything the app can do, the analytics library can do. And, sure enough, those analytics telemetry messages started to carry GPS coordinates from the user to this third party. My customer didn't make any change to their code. They didn't turn that on. They just asked for, and got, location permission from the end user for a legit purpose in the app.

I pointed it out, because this was a change in behavior that was not contemplated by their privacy policy. Heck, it's a change in behavior they didn't even know had happened! It wasn't in their code! So they quietly pushed out a small update to the policy that made it OK.

That was probably like 15-16 years ago.

Show threadARGVMI~1.PIF7h ago

@paco

I'm more concerned with the fact that extensions *can* be detected this way. Web pages should not be able to detect the presence of extensions. If they can, that's a security vulnerability.

Show threadNazo4h ago

@argv_minus_one @paco Agreed 1000%. I've heard that this could be done and I've always wondered why browsers didn't prioritize making it an effort to block all of this.

Really there are a scary level of things that just don't get the attention they should. Like why can browsers access your clipboard by default? I don't just mean write stuff. They can use an event to read it... Browsers seriously need to make a better effort to keep sites from getting access to any of this potentially identifying/privacy violating stuff...

Of course Chrome probably does this on purpose.

Show threadARGVMI~1.PIF4h ago

@nazokiyoubinbou

Sites can *read* the clipboard??? Yikes! That could expose passwords!

@paco

Show threadNazo4h ago

@argv_minus_one @paco Yeah. They also can use it to subtly modify clipboard contents. I first became aware of this from a website where it would detect me copying text from it and then modify the clipboard contents to include what I had copied but also inject an advertisement for its own site. (It was especially annoying because it had a character limit, so cropped what I had actually copied.)

In Firefox look for dom.event.clipboardevents.enabled to turn that off. However, bear in mind this denies all direct clipboard access. For example, clicking on "copy link to clipboard" no longer works. It's a two-way street. They can't read or write to the clipboard without that. Some things (like Matrix clients for me) won't let me paste without it.

I don't know the Chromium equivalent

Show threadNazo4h ago

@argv_minus_one @paco BTW, much more than passwords.

For example, if you copy a credit card info to the clipboard such as some managers might do or gift cards or etc. That's a payment info in the clipboard right there... SSNs, IDs, etc could also rarely end up in the clipboard for various reasons.

It's a nightmare waiting to happen.

Show threadFritz Adalis3h ago
@nazokiyoubinbou @argv_minus_one @paco @paco
Or they detect coin wallet addresses and replace them with their own.
Show threadNazo3h ago
@FritzAdalis @argv_minus_one @paco That might be ... interesting... if one is putting it into some sort of payment instead of receiving thing. 😆
Show threadFritz Adalis3h ago

@nazokiyoubinbou @argv_minus_one @paco
I mean it's not just theory

https://www.reddit.com/r/CryptoCurrency/comments/15qx9jt/click_to_copy_exploit_replacing_wallet_addresses/
3 years ago

Show threadNazo3h ago
@FritzAdalis @argv_minus_one @paco I'll admit I didn't know about that, but it absolutely doesn't surprise me. If anyone would jump on exploiting such a thing it's absolutely crypto...
Show threadbobert2h ago

@nazokiyoubinbou @argv_minus_one @paco Granted, browsers can only read the clipboard after user interaction and asking for permission (https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API#security_considerations ).

But I’ve also not encountered a useful-enough benign example of reading a users clipboard without them actively pasting. Most things like formatting content can be done by just intercepting the paste event.

Clipboard API - Web APIs | MDN

The Clipboard API provides the ability to respond to clipboard commands (cut, copy, and paste), as well as to asynchronously read from and write to the system clipboard.

MDN Web Docs
Show threadjoriki7h ago

@paco

for anyone who'd like a sense of their more common fingerprint, see here:

https://amiunique.org/

I wish this site had 4B entries and not 4M ...

Am I Unique ?

Check if your browser has a unique fingerprint, how identifiable you are on the Internet

Show threadYurkshireLad6h ago
@paco I bet they’re not the only ones that scan your extensions.
Show threadPaco Hope6h ago
@YurkshireLad no. Nearly any mobile app can do this and more.
Show threadMensch, Marina6h ago
@paco But this cannot be legal in Europe/EU!
Show threadPaco Hope6h ago
@energisch_ I’m not a lawyer or European. But that blog makes a very strong argument that you’re right: it sure seems illegal by EU law.
Show threadGeorge Saich6h ago
@paco oops.
Show threadGeorge Saich6h ago
@paco
I am sure the rationale is to identify what is available in the user environment (browser) to provide an optimal user experience.
Show threadAsbestos5h ago
@paco
Someone needs to have someone else take a huge shit in their (i'm sure very expensive) car. My guess is it's going to need to be at least a half dozen people
Show threadAmorpheus5h ago
@paco This is one of the reasons why I opted out to epiphany.
Show threademeritrix5h ago

@paco

but I guess it's all legal in the USA?

Show threadCaptain Jack Sparrow5h ago

@paco

#linkedin #privacybreach #spyware

Show threadNazo4h ago
@paco So, in what way is this differentiated from a hostile virus that would warrant a mass effort to take it down?
Show threadPaco Hope3h ago
@nazokiyoubinbou Shareholder value.
Show threadNazo3h ago

@paco Based on the list of fines that law enforcement in several countries are obligated to raise against them, I'm thinking this actually doesn't meet shareholder value either.

Honestly, if they were hit with the full force of that (god I wish they would be) it would very possibly bankrupt Microsoft. I suppose they'll be hit with a slap on the wrist instead, but still... It's probably going to hurt.

Show threadJulie Hughes4h ago
@paco That's why I left years ago. I am always surprised when I see people use it
Show threadPaco Hope3h ago

@juliehuz I have been trying to explain to our recruiters that there are other ways to find candidates. They are in denial. If you aren’t on LinkedIn, you don’t exist to them.

This was especially infuriating when recruiting in Europe. Because they don’t use it nearly as much as the Americans.

Show threadJulie Hughes32m ago
@paco Forbid them to use Chrome
Show threadwrath01104h ago
@paco time to delete your LinkedIn profile. Overwrite all posts with gibberish first.
Show threadcmars 🅅3h ago
@paco They use compression. I wonder how much payload one could compress into that telemetry?
Show thread$8Troll2h ago

@paco

MSFT probably uses this info to target sales pitches to companies that use competing products.

Show threadJet-B1h ago

@paco

I don't understand why LinkedIn wants to know someone's browser extensions. What could be the purpose?

Show threadPaco Hope1h ago
@jet fingerprinting. It helps recognise the same browser on other sessions. Someone somewhere in the replies here mentions a site that will show you how unique your browser fingerprint is.