fuck the browsers for making this even possible. do I have to go and disable all .js???

https://browsergate.eu/

LinkedIn Is Illegally Searching Your Computer

Microsoft is running one of the largest corporate espionage operations in modern history. Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm. The user is never asked. Never told. LinkedIn’s privacy policy does not mention it. Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

BrowserGate

@regehr

You do realize that all of these companies fingerprint your computer in every way imaginable and use it to track you everywhere and we have no laws to prevent this.

It is totally insidious and these ad companies likely could write a biography of each of us in such detail that you would be surprised by the conclusions they could make but likely be forced to admit they are correct.

@shafik I repeat: fuck the browsers for making this possible

@regehr

Yeah, I think back to the days when TCP/IP fingerprinting was state of the art and gosh past me thought it was so cool but we should have realized it was such a dangerous tool back then.

@shafik ah we were all little babies about this stuff and there's nothing wrong with that

@regehr

Like we so need a Ralph Nader for privacy, where are you? Like "Unsafe at any Speed" but for all the spy tech we are dealing with today.

@shafik @regehr I have been telling people just how bad this is for a long time, specifically my family members and close friends and, well, no one seems to care. Because they are addicted to convenience.

They will get ads directly targeted at them in ways that really creeps them out. I tell them how it works and... they don't change at all. They complain about how creepy it is but change nothing in their behaviour and say nothing to those taking and selling their info like this.

I'm at the point where I'm ready to become a real asshole about it because frankly, nothing else seems to work. (Being an asshole won't either, but maybe I'll get somebody riled up.) It's either they don't care or they just think that having a computer do cool stuff they saw in science fiction as a kid makes everything worthwhile.

It's very frustrating and may be why no one really contacts me anymore.

@gwozniak @regehr

Yeah, there are many levels to the apathy here.

I was once deeply involved in infosec and that kind of knowledge really makes you, I think, deeply wary of systems of control. Because you see how things break and can be abused. Most folks don't ever go that deep and so feel like the concerns border on conspiracy talk.

I think there is a degree of, I am so busy and so tired, I can't deal with this crap. Which I deeply respect, most folks just want to live their life.

I think there is a lack of imagination, reading sci-fi and imagining it happening in real life seems too much for most folks. I think if you have not thought about how the whole system works very deeply this makes sense. I am reading through the rest of Vernor Vinge's work and he had a lot of interesting ideas about how things could break that I think deserve more thoughtful examination, in a more abstract sense.

Infosec folks also tend to be more clued into the intelligence side of things and how dark that side really is. I think that brings a degree of practicality. How many decades did most folks just not want to believe Tempest was real?

In many ways the OpSec mindset is really hard, it requires continual vigilance which is not something folks want to do. Once you got kids, who got time for that stuff?

@gwozniak @regehr

I wish I was more connected to the infosec/maker community around me but I just have not had the time to figure out where it is.

@gwozniak @regehr

If you want to be more depressed:

https://infosec.exchange/@katrinakatrinka/116338791597938565

Easy workaround: only use LinkedIn from non-Chrome browsers, which I have been doing for a while.

Cover Your Tracks

See how trackers view your browser

@regehr there are privacy implications regardless, but I think “searching your computer” is kind of strong phrasing for “probing for evidence of Chrome extensions”

@fay59 @regehr yeah it seems like a classic bug too, revealing the existence of a file by returning an error code on attempting to access it. (Bonus points because the text is written with an llm, which feels somewhat ironical on the privacy front)

Edit: err I misread, chrome fetch actually lets you access extension resources? Seems... Interesting. Maybe they need it for adblocker detection :')

@regehr The linked page explicitly mentions only Chrome. Are other browsers also affected?

@pascal_costanza I don't know!

@regehr @pascal_costanza Has anyone heard of browsergate.eu? Are we sure that the allegation is correct?

I don't use Chrome or visit linkedin.com and I block javascript, so I'm not losing any sleep over the matter.

@alison @regehr @pascal_costanza

This is not new technology and folks have been talking about this for a while:

https://www.usenix.org/conference/usenixsecurity22/presentation/solomos

Browsers have basically become an extension of ad infrastructure and open up a huge surface area for fingerprinting that was not available w/o the browser aiding and abetting.

Extensions are particularly dangerous b/c they can reveal a lot of sensitive and identifying information about a user.

This is 💯 a symptom of too much concentration, monopsony power and a total abdication of lawmakers to set regulations.

The Dangers of Human Touch: Fingerprinting Browser Extensions through User Actions | USENIX

@shafik @regehr @pascal_costanza Browsers are all but dead on phones already, replaced by dozens of mostly crappy "apps." A similar fate may await the desktop.

@alison @regehr @pascal_costanza

the problem is that most apps use ad frameworks and these frameworks do all the same kind of stuff and so app users are no better off. Unless you 💯 eschew apps that have ads but that level of discipline is too high for most people.

Even if they don't have ads there are non ad frameworks that also do this and feed their data to malicious players. I think the app stores try to weed these out but it is cat and mouse.

W/o laws with real penalties this will not stop.

404 media does a good job of covering a lot of this stuff.

@shafik @regehr @pascal_costanza I agree that apps are no better, but simply wonder if browsers will dwindle into insignificance. Also, even programs with no ads may sell or process user data for their own ends: consider Github.

@alison @regehr @pascal_costanza The detailed description on that site says they probe for a list of browser properties and extensions that have known patterns visible to JavaScript. It's still a creepy thing to do, but the headline seems wildly exaggerated.

@regehr @ricci sounds empire strikes back-y

@regehr (if non-rhetorical) it only runs on Chrome browsers, so use Firefox. (In either case) Fuck those guys!

https://browsergate.eu/how-it-works/

The Attack: How it works

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy. This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.

BrowserGate
@regehr If you value security and/or privacy, yes.

@regehr pretty irresponsible headline IMO