There is a fresh thing going around about LinkedIn scanning extensions installed in Chrome/Chromium:
https://browsergate.eu/

The website claims "LinkedIn is Illegally Searching Your Computer", and implies the purpose is to find "religious beliefs, political opinions, disabilities".

tl;dr:
- yes, LinkedIn is scanning through a list of 6k+ extensions on Chrome;
- yes, this is bad;
- but the website is disingenuous in making unnecessarily overblown claims.

🧵

#LinkedIn #BrowserGate #Privacy

LinkedIn Is Illegally Searching Your Computer

Microsoft is running one of the largest corporate espionage operations in modern history. Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm. The user is never asked. Never told. LinkedIn’s privacy policy does not mention it. Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

BrowserGate

LinkedIn loads a lot of JS. In that JS there is a list of over 6.000 extensions, identified by their ids and with a single file path provided.

The JS then checks if it is running in Chrome or a Chromium-based browser, and cycles through that list, checking if these extensions are installed by doing a fetch() to "chrome-extension://<extension_id>/<file_path>".

If the fetch() succeeds, the extension is installed. If not, it isn't.

🧵

Is this bad? Yes. It could allow fingerprinting users, and a specific set of installed extensions (say, a lot related to particular religion) could be revealing, and arguably is illegal based on GDPR.

Is this "Searching Your Computer"? No, this is not what we generally think of when "searching your computer" is mentioned. This framing is way overblown and unnecessary.

BrowserGate site also implies LI's purpose might be to gather this kind of protected data. I don't think this is warranted.

🧵

BrowserGate site quotes a "sworn affidavit from LinkedIn’s Senior Engineering Manager":

> “LinkedIn has invested in extension detection mechanisms without which LinkedIn would not have been able to trace the cause of service impacts and outages.”

I don't trust Big Tech, but this is not an unreasonable explanation – although importantly, it is not a *justification* for this scanning.

In other words: LI should not be doing that. But they might not be after your religion or orientation here.

🧵

The explanation might be reasonable, because extensions do affect how websites work, sometimes negatively, and the list of extensions here seems to contain mostly extensions specifically interfacing with LinkedIn.

But here's my point: this kind of scanning is an overkill. And that alone is already bad enough and infuriating.

There is no need to make overblown, click-baity claims like BrowserGate site does. That just muddies the waters ("wait, how are they scanning my computer?!").

🧵

I was not aware of the technique the scanning employs, but apparently it's a known issue on Chrome and Chromium-based browsers, and has been for years:
https://browserleaks.com/chrome

LinkedIn itself has been using it since 2017:
https://github.com/dandrews/nefarious-linkedin

And I am sure it is used by a lot of shady sites to fingerprint users and actually figure out protected information about them. It can absolutely be used that way, and Google needs to plug this huge privacy hole.

🧵/end

#Chrome #BrowserGate #Privacy

Chrome Extension Detection

Websites can detect the presence of Chrome extensions in a user's browser by sending specific URL requests that use the extension's fixed ID and attempt to access internal extension resources exposed to the web, known as web-accessible resources.

BrowserLeaks

Also go see what @vantiss has to say about it:
https://social.treehouse.systems/@vantiss/116336811478744261

Credit where credit's due, I relied on her research on the earliest known instance of LinkedIn using this technique.

If you want to boost something, go boost her toot!

#BrowserGate #Chrome #Privacy

And thank you to @martijn_grooten for some additional input as well!

@rysiek

It is good and heartening to see nuanced reflections like these. Thank you, Rysiek!

@rysiek @vantiss
For the record, I'm the guy who pointed her to @kopper's report.
(no hard feelings about stolen credit)

@moses_izumi @rysiek
huh? he was referring to my link to the 2017 repo, not the stuff from kopper

@vantiss @rysiek
ehh.
microsoft's malfeasance is bigger than any of us.

@rysiek
> The explanation might be reasonable, because extensions do affect how websites work, sometimes negatively, and the list of extensions here seems to contain mostly extensions specifically interfacing with LinkedIn.

I'm on the fence between calling BS because HTTP 4xx codes exist, and just shrugging saying “JavaScript”.

@dzwiedziu the explanation is reasonable in the sense of "I can see how somebody thought this is a solution to this problem".

I said before this does not justify this level of scanning though.

@Michał "rysiek" Woźniak · 🇺🇦 Can you explain "BrowserGate" to me? Sorry, not a professional here. Thank you!

@rysiek Thank you, I was wondering about a potentially-unlawful-under-GDPR aspect to this. Much obliged.

@clickhere Article 9, the first point:
https://gdpr-info.eu/art-9-gdpr/

> Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

IANAL, I am not saying 100% illegal, but an argument can be made…

@rysiek Why does LinkedIn do that?

@Luka Rubinjoni Well, of course in order to combine that info with your existing info (when logged in) and have more relevant data to sell to data brokers, of course.

@rysiek wtf why does Chrome allow an untrusted website to do that???

@Orca @rysiek This is a trusted website. But yes, it's a feature by Google, present in Chromium for years - extensions have fixed IDs.

@rozie @rysiek
I don't think extensions having static IDs are the problem. My problem is: why is an external website allowed to access extension assets (without extension allowing it explicitly)? That sounds like a security nightmare.

@Orca @rysiek I'll need to take a closer look how exactly it's made.

I was aware of the technique where extension interacting with the site (so, in a way, trusting it, but only in a way) was also allowing this site to interact with own files. With fixed ID it allowed to check if extension is present. And this is one of described techniques. Those extensions probably declare interaction with LI (or any site) via web_accessible_resources.

Without fixed ID it (fetch of the file) wouldn't work.

@rozie @Orca this is correct. But extensions would have had fixed IDs anyway, these are needed for other things. The problem is making it possible for fetch(chrome-extension://<extension_id>/some/file.ext) to work.

Yes, that requires the extension to declare the file via web_accessible_resources, so yes, this is also partially on the extension vendors. But this is such a glaring privacy problem that one can and should blame Google for not closing this hole.
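
For extension authors, the exposure discussed above can be checked straight from `manifest.json`. The following is an added example, not part of the thread and not code from any extension or from LinkedIn: `auditManifest()`, `detectableByAnySite()` and the sample manifests are constructed for illustration, and the audit relies on the Manifest V3 keys `matches` and `use_dynamic_url` as documented by Chrome.

```javascript
// Audit a Chrome extension manifest for files a web page could probe with
// fetch("chrome-extension://<extension_id>/<file_path>").
// Function names and sample manifests are constructed for this example.

function isBroadPattern(p) {
  // Match patterns that cover every website.
  return p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);
}

function auditManifest(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2: a flat list of paths, readable from every origin.
      findings.push({ resource: entry, exposedTo: "any site", stableUrl: true });
      continue;
    }
    // Manifest V3: { resources, matches, extension_ids, use_dynamic_url }.
    const matches = entry.matches || [];
    if (matches.length === 0) continue; // reachable by listed extensions only
    const broad = matches.some(isBroadPattern);
    // use_dynamic_url: true serves the file under a per-session ID instead of
    // the fixed extension ID, so a hard-coded probe URL no longer matches.
    const stableUrl = entry.use_dynamic_url !== true;
    for (const resource of entry.resources || []) {
      findings.push({ resource, exposedTo: broad ? "any site" : matches.join(", "), stableUrl });
    }
  }
  return findings;
}

// True when an arbitrary website can detect the extension via a fixed URL.
function detectableByAnySite(manifest) {
  return auditManifest(manifest).some(f => f.exposedTo === "any site" && f.stableUrl);
}

// Constructed sample manifests.
const wideOpen = { manifest_version: 3, web_accessible_resources: [
  { resources: ["img/icon.png"], matches: ["<all_urls>"] }] };
const scoped = { manifest_version: 3, web_accessible_resources: [
  { resources: ["inject.js"], matches: ["https://www.linkedin.com/*"] }] };
const dynamic = { manifest_version: 3, web_accessible_resources: [
  { resources: ["img/icon.png"], matches: ["<all_urls>"], use_dynamic_url: true }] };
const legacy = { manifest_version: 2, web_accessible_resources: ["img/icon.png"] };

for (const m of [wideOpen, scoped, dynamic, legacy]) {
  console.log(detectableByAnySite(m), JSON.stringify(auditManifest(m)));
}
```

A manifest scoped to one site is not detectable by arbitrary pages, but the `exposedTo` field shows that the listed site itself can still probe it.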

@rysiek @Orca For what things are fixed IDs necessary? And why doesn't Firefox have fixed IDs, then?

@rozie @Orca Firefox absolutely has fixed IDs for extensions; for example "uBlock0@raymondhill.net" is the fixed ID for uBlock Origin and you can use it in policies.json to automagically install it and configure it (say, when you are deploying to a fleet of laptops).

For example:
https://support.mozilla.org/gl/questions/1271181

This also answers the question of "why are fixed IDs for extensions necessary".

How to properly implement group policy ExtensionSettings control | Firefox for Enterprise Support Forum | Mozilla Support

@rysiek @Orca Ah, you mean external ID (name? 🤔). I mean internal one. It's random in case of Firefox. But it's fixed and the same as the external one in Chromium. That's why extension's files can be accessed.

@rozie @Orca either way, both browsers have fixed IDs for extensions, but only one of the browsers decides to make them available from within the web context.

@rysiek @Orca No, Firefox has random IDs locally: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/web_accessible_resources

It's still accessible, just isn't known. And enumeration would be hard.

web_accessible_resources - Mozilla | MDN

Sometimes you want to package resources—for example, images, HTML, CSS, or JavaScript—with your extension and make them available to web pages and other extensions.

MDN Web Docs
@Michał "rysiek" Woźniak · 🇺🇦 Interesting, that LinkedIn is even a thing still. I thought everyone with a mind got out of this by now.

@rysiek they think “browsergate” is going to stick for one site scanning extensions?

@rysiek Thanks for this analysis. I saw the BrowserGate thing earlier and it seemed bad but also way overblown, but I was not sure if I was missing something.

@rysiek
The browsergate site is odd.

Fairlinked - Allianz für digitale Fairness e.V., which seems to be behind it, seems to be some sort of training org made up of folks all with datacentre industry backgrounds, AWS etc.
A few red flags for me in this story

@rysiek Thanks for the write-up of the details

Website is a classic use case of seeking attention with clickbait titles - we all can do better than that

It took time to figure out that mentioned fingerprinting is limited to Chromium based browsers and use of extensions