Holy shit this is detailed. Can you believe the hubris to silently collect all this information on users?

#privacy

https://browsergate.eu/how-it-works/

The Attack: How it works

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy. This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.

BrowserGate
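The excerpt above says the scan "probes for thousands of specific extensions by ID". The best-known way for a web page to do that is to request a file the extension declares in its manifest's web_accessible_resources (typically an icon) at chrome-extension://ID/path; the request succeeds only if that extension is installed. The example below is added here to show the shape of such a probe. It is not LinkedIn's code and not part of the BrowserGate write-up; the extension IDs and resource paths are constructed placeholders, and the Image-based loader is one common probing method, not a claim about the one LinkedIn uses.

```javascript
// Added illustration of extension probing via web-accessible resources.
// Chrome extension IDs are exactly 32 lowercase letters in the range a-p.
const EXTENSION_ID_RE = /^[a-p]{32}$/;

// Build the URL a page would request to test whether an extension is installed.
// The load only succeeds if the extension ships `resource` as web-accessible
// (and, for Manifest V3 extensions, its `matches` cover the probing origin).
function buildProbeUrl(extensionId, resource) {
  if (!EXTENSION_ID_RE.test(extensionId)) {
    throw new Error(`invalid Chrome extension id: ${extensionId}`);
  }
  return `chrome-extension://${extensionId}/${resource.replace(/^\/+/, '')}`;
}

// Browser-side loader: resolve true if the URL loads as an image, false otherwise.
// Image onload/onerror is the classic signal because most extensions expose icons.
function browserImageLoader(url, timeoutMs = 1500) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url;
  });
}

// Run every probe and return the names of extensions whose resource loaded.
// `loader` is injectable so the logic can be exercised outside a browser.
async function detectInstalledExtensions(probes, loader = browserImageLoader) {
  const results = await Promise.all(
    probes.map(async (p) => {
      let url;
      try { url = buildProbeUrl(p.id, p.resource); } catch { return null; } // skip malformed entries
      return (await loader(url)) ? p.name : null;
    })
  );
  return results.filter((name) => name !== null);
}

// Constructed probe table: hypothetical IDs, not real extensions.
const SAMPLE_PROBES = [
  { name: 'Hypothetical Extension A', id: 'a'.repeat(32), resource: 'icon.png' },
  { name: 'Hypothetical Extension B', id: 'b'.repeat(32), resource: 'images/logo.png' },
  { name: 'Malformed entry', id: 'not-an-id', resource: 'icon.png' },
];

// Stub loader standing in for the browser: pretends only extension A is installed.
const fakeLoader = async (url) => url.startsWith(`chrome-extension://${'a'.repeat(32)}/`);

if (typeof window === 'undefined') {
  // Node.js run: use the stub so the example is self-contained and offline.
  detectInstalledExtensions(SAMPLE_PROBES, fakeLoader).then((found) => {
    console.log('installed:', found); // installed: [ 'Hypothetical Extension A' ]
  });
}
```

Two caveats worth knowing when reading the excerpt's "Chrome-based browser" wording: Firefox assigns each installed extension a random per-profile UUID for its moz-extension:// URLs, so a fixed ID table does not transfer there, and Manifest V3 extensions can restrict web_accessible_resources to specific origins via `matches`, which makes them invisible to this probe from any other site.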
@paco I worked at a major anti-virus company. Not only can I believe it, I think it's the default mode of all companies that came into contact with any sellable user data.
@cerny_kocky @paco I’ve looked at a couple sites using the builtwith browser extension and wow, I had no idea the quantity of tracking tools used on sites.

@paco

Kinda makes you wonder what all the other slimy digi-corpos are doing.... this is just one that's been caught after all.

@kitkat_blue Years ago I was working for a retailer in the UK who had only recently built their first mobile app on iOS. Like most apps of that era, it was little more than a webview and it didn't need many permissions.

Like most developers, they had incorporated some analytics package that was reporting on users' interaction with the app. I'm fairly sure it was a binary library that they linked into their app. I don't think they got source code. I might be wrong.

I could see the telemetry going up in the analytics API calls. Which buttons, which pages, etc.

Then one day they launched an app feature "find a store near me." Now the app needed location permissions. If the user granted location permissions, the analytics library got access to location. Anything the app can do, the analytics library can do. And, sure enough, those analytics telemetry messages started to carry GPS coordinates from the user to this third party. My customer didn't make any change to their code. They didn't turn that on. They just asked for, and got, location permission from the end user for a legit purpose in the app.

I pointed it out, because this was a change in behavior that was not contemplated by their privacy policy. Heck, it's a change in behavior they didn't even know had happened! It wasn't in their code! So they quietly pushed out a small update to the policy that made it OK.

That was probably like 15-16 years ago.

@paco

I'm more concerned with the fact that extensions *can* be detected this way. Web pages should not be able to detect the presence of extensions. If they can, that's a security vulnerability.

@argv_minus_one @paco Agreed 1000%. I've heard that this could be done and I've always wondered why browsers didn't prioritize making it an effort to block all of this.

Really, there is a scary level of things that just don't get the attention they should. Like why can browsers access your clipboard by default? I don't just mean write stuff. They can use an event to read it... Browsers seriously need to make a better effort to keep sites from getting access to any of this potentially identifying/privacy violating stuff...

Of course Chrome probably does this on purpose.

@nazokiyoubinbou

Sites can *read* the clipboard??? Yikes! That could expose passwords!

@paco

@argv_minus_one @paco Yeah. They also can use it to subtly modify clipboard contents. I first became aware of this from a website where it would detect me copying text from it and then modify the clipboard contents to include what I had copied but also inject an advertisement for its own site. (It was especially annoying because it had a character limit, so cropped what I had actually copied.)

In Firefox look for dom.event.clipboardevents.enabled to turn that off. However, bear in mind this denies all direct clipboard access. For example, clicking on "copy link to clipboard" no longer works. It's a two-way street. They can't read or write to the clipboard without that. Some things (like Matrix clients for me) won't let me paste without it.

I don't know the Chromium equivalent
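The copy hijack described above (selection cropped, advertisement appended) is done with a `copy` event listener that overwrites the clipboard payload and cancels the browser's default copy. The example below is added here to make that mechanism concrete; it is not code from any site mentioned in the thread. The character limit and the appended text are constructed for illustration, and `simulateCopy` is a small model of the two browser settings discussed: with clipboard events enabled the page's listener runs, with dom.event.clipboardevents.enabled set to false it never fires and the raw selection is copied.

```javascript
// Added illustration of rewriting clipboard contents from a page's `copy` listener.
const MAX_LEN = 60; // constructed limit, mirroring the cropping described in the thread
const APPEND_NOTE = '\n\nRead more at: https://example.com/'; // constructed "advertisement"

// What a hijacking page puts on the clipboard instead of the user's selection.
function hijackedClipboardText(selectedText) {
  const cropped = selectedText.length > MAX_LEN
    ? selectedText.slice(0, MAX_LEN - 1) + '…'
    : selectedText;
  return cropped + APPEND_NOTE;
}

// Listener shape a page would register with:
//   document.addEventListener('copy', (e) => onCopy(e, () => String(window.getSelection())));
// Accepts a real ClipboardEvent or the stub built in simulateCopy below.
function onCopy(event, getSelectionText) {
  const selected = getSelectionText();
  if (!selected) return false; // nothing selected: leave the default copy alone
  event.clipboardData.setData('text/plain', hijackedClipboardText(selected));
  event.preventDefault(); // suppress the default copy so the injected data wins
  return true;
}

// Model of the browser. With clipboard events enabled (the default), the page's
// listener runs and may replace the payload. With dom.event.clipboardevents.enabled
// = false, the listener is never invoked and the raw selection is copied.
function simulateCopy(selectedText, { clipboardEventsEnabled = true } = {}) {
  const defaultPayload = selectedText; // what the browser's own copy would write
  if (!clipboardEventsEnabled) return defaultPayload;

  let defaultPrevented = false;
  const staged = {};
  const fakeEvent = {
    clipboardData: { setData: (type, data) => { staged[type] = data; } },
    preventDefault: () => { defaultPrevented = true; },
  };
  onCopy(fakeEvent, () => selectedText);
  return defaultPrevented ? staged['text/plain'] : defaultPayload;
}

// Constructed sample selection, run both ways.
const SAMPLE_SELECTION = 'The quick brown fox jumps over the lazy dog, again and again and again.';
console.log(JSON.stringify(simulateCopy(SAMPLE_SELECTION)));
console.log(JSON.stringify(simulateCopy(SAMPLE_SELECTION, { clipboardEventsEnabled: false })));
```

The same listener is the reason the Firefox pref is all-or-nothing: the `copy`, `cut` and `paste` events are one mechanism, so disabling them blocks both the rewrite shown here and the legitimate "copy link" buttons that rely on the same events.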

@argv_minus_one @paco BTW, much more than passwords.

For example, if you copy credit card info to the clipboard, as some password managers might do, or gift cards, etc. That's payment info in the clipboard right there... SSNs, IDs, etc. could also occasionally end up in the clipboard for various reasons.

It's a nightmare waiting to happen.

@nazokiyoubinbou @argv_minus_one @paco
Or they detect coin wallet addresses and replace them with their own.
@FritzAdalis @argv_minus_one @paco That might be ... interesting... if one is putting it into some sort of payment instead of receiving thing. 😆
@FritzAdalis @argv_minus_one @paco I'll admit I didn't know about that, but it absolutely doesn't surprise me. If anyone would jump on exploiting such a thing it's absolutely crypto...

@nazokiyoubinbou @argv_minus_one @paco Granted, browsers can only read the clipboard after user interaction and asking for permission (https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API#security_considerations ).

But I've also not encountered a useful-enough benign example of reading a user's clipboard without them actively pasting. Most things like formatting content can be done by just intercepting the paste event.

Clipboard API - Web APIs | MDN

The Clipboard API provides the ability to respond to clipboard commands (cut, copy, and paste), as well as to asynchronously read from and write to the system clipboard.

MDN Web Docs

@combatwombat @argv_minus_one @paco "After user interaction" maybe. But they don't ask permission... There is no popup...

"User interaction" may be more open than you think too though.

@nazokiyoubinbou

Yeah, clicking on a web page does not equal consenting to that web page reading my clipboard.

I imagine the reason this API exists is so that you can have Microsoft Word in your browser, paste button and all. But is that really worth giving malicious websites the ability to read the password/credit card/etc right out of your clipboard just by fooling you into clicking a cleverly-disguised button?

I suppose Microsoft thinks it is, but I have to disagree.

@combatwombat @paco

@argv_minus_one @combatwombat @paco Yeah, I don't agree that any should ever have access to the clipboard. We can manually copy stuff with select and copy (though sites like Mastodon are a pain in the rear because they just assume they have clipboard access so don't give you a really obvious "link here" to copy — there is one, it just isn't obvious, and while Glitch makes it easy enough, on mainline Mastodon I usually have to copy from the time field because... ... Anyway that's what I have to copy from. I think most people won't get this.)

I really don't see why any of that needs direct clipboard access even to do that sort of thing.

Really, since I started blocking it, it has only given me actual trouble on maybe two or three sites total. And I can toggle it on the fly.

@paco

for anyone who'd like a sense of their more common fingerprint, see here:

https://amiunique.org/

I wish this site had 4B entries and not 4M ...

Am I Unique ?

Check if your browser has a unique fingerprint, how identifiable you are on the Internet

@paco I bet they’re not the only ones that scan your extensions.
@YurkshireLad no. Nearly any mobile app can do this and more.
@paco But this cannot be legal in Europe/EU!
@energisch_ I’m not a lawyer or European. But that blog makes a very strong argument that you’re right: it sure seems illegal by EU law.
@paco
@energisch_ but nobody will be held accountable for it, nobody will lose any of their own personal money, nobody will go to jail. They know this is illegal but they don't care. The company will pay the lawsuit and fine with their spare pocket money. They've earned more with it than the fine is going to be. Breaking the law is just a price tag to them.
@jomo @paco we need to make it expensive and unprofitable to break data protection laws

@energisch_ @paco it clearly is not only not legal, but explicitly illegal under European Law.

I am sure there will be a lawsuit if not already brought to court.

@paco
I am sure the rationale is to identify what is available in the user environment (browser) to provide an optimal user experience.
@paco
Someone needs to have someone else take a huge shit in their (i'm sure very expensive) car. My guess is it's going to need to be at least a half dozen people
@paco This is one of the reasons why I opted out to epiphany.

@paco

but I guess it's all legal in the USA?

@paco So, in what way is this differentiated from a hostile virus that would warrant a mass effort to take it down?
@nazokiyoubinbou Shareholder value.

@paco Based on the list of fines that law enforcement in several countries are obligated to raise against them, I'm thinking this actually doesn't meet shareholder value either.

Honestly, if they were hit with the full force of that (god I wish they would be) it would very possibly bankrupt Microsoft. I suppose they'll be hit with a slap on the wrist instead, but still... It's probably going to hurt.

@paco That's why I left years ago. I am always surprised when I see people use it

@juliehuz I have been trying to explain to our recruiters that there are other ways to find candidates. They are in denial. If you aren’t on LinkedIn, you don’t exist to them.

This was especially infuriating when recruiting in Europe. Because they don’t use it nearly as much as the Americans.

@paco Forbid them to use Chrome
@paco time to delete your LinkedIn profile. Overwrite all posts with gibberish first.
@paco They use compression. I wonder how much payload one could compress into that telemetry?

@paco

MSFT probably uses this info to target sales pitches to companies that use competing products.

@paco

I don't understand why LinkedIn wants to know someone's browser extensions. What could be the purpose?

@jet fingerprinting. It helps recognise the same browser on other sessions. Someone somewhere in the replies here mentions a site that will show you how unique your browser fingerprint is.

@jet @Littlebobbytables LinkedIn sells premium plans.

Ostensibly, they want to be able to detect and disable the accounts of people using what are essentially poweruser tools for enabling seedy behavior (e.g. by recruiters). In reality, it's because they want to sell recruiters those tools, which is obv. difficult if their premium features (e.g. advanced filtering) can be provided instead by a browser extension.

@b_cavello 👆 (the "benign motivation" is, predictably, maximizing revenue).