Holy shit this is detailed. Can you believe the hubris to silently collect all this information on users?

#privacy

https://browsergate.eu/how-it-works/

The Attack: How it works

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy. This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.

BrowserGate

@paco

I'm more concerned with the fact that extensions *can* be detected this way. Web pages should not be able to detect the presence of extensions. If they can, that's a security vulnerability.

@paco

for anyone who'd like a sense of their more common fingerprint, see here:

https://amiunique.org/

I wish this site had 4B entries and not 4M ...

Am I Unique ?

Check if your browser has a unique fingerprint, how identifiable you are on the Internet

@paco I bet they’re not the only ones that scan your extensions.

@YurkshireLad no. Nearly any mobile app can do this and more.

@paco

I am sure the rationale is to identify what is available in the user environment (browser) to provide an optimal user experience.

@paco

Someone needs to have someone else take a huge shit in their (I'm sure very expensive) car. My guess is it's going to need to be at least a half dozen people.

@paco This is one of the reasons why I opted out to Epiphany.

@paco

but I guess it's all legal in the USA?

@paco That's why I left years ago. I am always surprised when I see people use it

@juliehuz I have been trying to explain to our recruiters that there are other ways to find candidates. They are in denial. If you aren’t on LinkedIn, you don’t exist to them.

This was especially infuriating when recruiting in Europe. Because they don’t use it nearly as much as the Americans.

@paco Forbid them to use Chrome

@paco time to delete your LinkedIn profile. Overwrite all posts with gibberish first.

@paco They use compression. I wonder how much payload one could compress into that telemetry?

@paco

MSFT probably uses this info to target sales pitches to companies that use competing products.

@paco

I don't understand why LinkedIn wants to know someone's browser extensions. What could be the purpose?

@jet fingerprinting. It helps recognise the same browser on other sessions. Someone somewhere in the replies here mentions a site that will show you how unique your browser fingerprint is.

@jet @Littlebobbytables LinkedIn sells premium plans.

Ostensibly, they want to be able to detect and disable the accounts of people using what are essentially poweruser tools for enabling seedy behavior (e.g. by recruiters). In reality, it's because they want to sell recruiters those tools, which is obv. difficult if their premium features (e.g. advanced filtering) can be provided instead by a browser extension.

@b_cavello 👆 (the "benign motivation" is, predictably, maximizing revenue).

@colby @jet @Littlebobbytables I think a potential even more benign motive would be related to known spam networks, but agree that it’s super shady that this is being done covertly without any stated purpose.

I Verified My LinkedIn Identity. Here's What I Actually Handed Over.

I wanted a blue badge on LinkedIn. To get it, I gave a US company my passport, my face, and my biometric data. Then I read the fine print.

THE LOCAL STACK