Michał "rysiek" Woźniak · 🇺🇦1d ago

There is a fresh thing going around about LinkedIn scanning extensions installed in Chrome/Chromium:
https://browsergate.eu/

The website claims "LinkedIn is Illegally Searching Your Computer", and implies the purpose is to find "religious beliefs, political opinions, disabilities".

tl;dr:
- yes, LinkedIn is scanning through a list of 6k+ extensions on Chrome;
- yes, this is bad;
- but the website is disingenuous in making unnecessarily overblown claims.

🧵

#LinkedIn #BrowserGate #Privacy

LinkedIn Is Illegally Searching Your Computer

Microsoft is running one of the largest corporate espionage operations in modern history. Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm. The user is never asked. Never told. LinkedIn’s privacy policy does not mention it. Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

BrowserGate
Show threadMichał "rysiek" Woźniak · 🇺🇦1d ago

LinkedIn loads a lot of JS. In that JS there is a list of over 6.000 extensions, identified by their ids and with a single file path provided.

The JS then checks if it is running in Chrome or a Chromium-based browser, and cycles through that list, checking if these extensions are installed by doing a fetch() to "chrome-extension://<extension_id>/<file_path>".

If the fetch() succeeds, the extension is installed. If not, it isn't.

🧵

Show threadOrca 🌻 | 🎀 | 🪁 | 🏴🏳️‍⚧️1d ago
@rysiek wtf why does Chrome allows an untrusted website to do that???
Show threadrozie19h ago
@Orca @rysiek This is trusted website. But yes, it's feature by Google, present in Chromium for years - extensions have fixed IDs.
Show threadOrca 🌻 | 🎀 | 🪁 | 🏴🏳️‍⚧️19h ago
@rozie @rysiek
I don't think extensions having static IDs are the problem. My problem is: why is an external website allowed to access extension assets (without extension allowing it explicitly)? That sounds like a security nightmare.
Show threadrozie14h ago

@Orca @rysiek I'll need to take a closer look how exactly it's made.

I was aware of the technique where extension interacting with the site (so, in a way, trusting it, but only in a way) was also allowing this site to interact with own files. With fixed ID it allowed to check if extension is present. And this is one of described techniques. Those extensions probably declare interaction with LI (or any site) via web_accessible_resources.

Without fixed ID it (fetch of the file) wouldn't work.

Show threadMichał "rysiek" Woźniak · 🇺🇦13h ago

@rozie @Orca this is correct. But extensions would have had fixed IDs anyway, these are needed for other things. The problem is making it possible for fetch(chrome-extension://<extension_id>/some/file.ext) to work.

Yes, that requires the extension to declare the file via web_accessible_resources, so yes, this is also partially on the extension vendors. But this is such a glaring privacy problem that one can and should blame Google for not closing this hole.

Show threadrozie12h ago
@rysiek @Orca For what things fixed IDs are necessary? And why Firefox doesn't have fixed IDs, then?
Show threadMichał "rysiek" Woźniak · 🇺🇦

@rozie @Orca Firefox absolutely has fixed IDs for extensions; for example "[email protected]" is the fixed ID for uBlock Origin and you can use it in policies.json to automagically install it and configure it (say, when you are deploying to a fleet of laptops).

For example:
https://support.mozilla.org/gl/questions/1271181

This also answers the question of "why are fixed IDs for extensions necessary".

How to properly implement group policy ExtensionSettings control | Firefox for Enterprise Support Forum | Mozilla Support

9:10pmWeb
Show threadrozie12h ago
@rysiek @Orca Ah, you mean external ID (name? 🤔). I mean internal one. It's random in case of Firefox. But it's fixed and the same as the external external one in Chromium. That's why extension's files can be accessed.
Show threadMichał "rysiek" Woźniak · 🇺🇦12h ago
@rozie @Orca either way, both browsers have fixed IDs for extensions, but only one of the browsers decides to make them available from within the web context.
Show threadrozie12h ago

@rysiek @Orca No, Firefox has random IDs locally: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/web_accessible_resources

It's still accessible, just isn't known. And enumeration would be hard.

web_accessible_resources - Mozilla | MDN

Sometimes you want to package resources—for example, images, HTML, CSS, or JavaScript—with your extension and make them available to web pages and other extensions.

MDN Web Docs