RE: https://infosec.exchange/@beyondmachines1/116340430386264988

The story here focuses on LinkedIn, who should definitely be held accountable for what they’re doing with our data, but the real question is “Why does Chromium allow this?”

If Chromium allows this, then anyone—not just LinkedIn—can do this.

Most certainly, Google already knows all of this if you use Chromium. Meta probably does this. I’m sure others do, too.

elle (@[email protected])

since that browsergate site about LinkedIn seems to be gaining traction I figure I should mention:

- yes, LinkedIn does do what's being claimed (though, it's that it probes for *specific* extensions you're running, using features in chrome's API - it doesn't "search your computer")
- it does seem to have been doing this since at least as far back as [2017](https://github.com/dandrews/nefarious-linkedin), and there has been intermittent reporting on it over the years
- I'm fairly confident the copy on the site was generated by (or at least went through) an LLM, so idk that this site is the best way to spread the issue around

edit: and as [someone else noted in the replies](https://not-brain.d.on-t.work/notes/akl6hp4gjqcp8d7h), looking through the list of extensions it scans for... they're [pretty much all "AI"/scraper/automation plugins](https://browsergate.eu/extensions/). so, should LinkedIn be doing this, or even *able* to do this in Chrome? no! but also, it does seem like the stuff they're scanning for is all extensions that shouldn't exist to begin with tbh

edit 2: please see [this follow-up post](https://social.treehouse.systems/@vantiss/116342005257886265) which proves this is just a shitty campaign by people who made an addon called "Teamfluence" that got blocked by LinkedIn

@webaware That's sort of my point—and also that Chrome shouldn't allow websites you visit the ability to see what extensions you have installed.

@ramsey While it's not as intrusive/invasive in and of itself, browser fingerprinting can also be employed against Firefox (and other browser) users, especially if you don't use JavaScript blockers.

This isn't me letting Chromium off the hook, though. We should be targeting any sort of fingerprinting or persistent IDs that track us across the web.

@muddle looks like in this case, LinkedIn isn’t doing it as much to fingerprint their users (though that was possibly a nice side effect for them), but rather to actually protect their brand and their users against known scrapers

… and about that, the “whistle blowers” here were apparently the developers of such a scraper that got banned, so they’re just looking to even out the competition

https://fosstodon.org/@webaware/116343475348499438

So yeah I’m all for re-evaluating such permissions that were granted early on and have since stopped making sense

This also goes for the ability to change your number when making a phone call, and so many others

@ramsey

@GuillaumeRossolini @ramsey it was a fast-moving story so I'm not sure I kept up with all of it, but wasn't there a bit about an initial fingerprint being sent on all subsequent requests?

@muddle dunno, I guess that's possible but like I said: 1) it makes sense for them to try and fingerprint their users regardless of current session and this story, and 2) it also makes sense infrastructure-wise

@ramsey

@GuillaumeRossolini @ramsey I think I'll have to have another glance over all of this at a later date and maybe reevaluate/recontextualise. If I do come back and reply negatively to your suggestion that it "makes sense for them to try and fingerprint their users," please don't be too pissed off by that.

@muddle hahaha that’s funny: I don’t agree that they should do this!

I’m just pointing out that as a company that’s a thing they do, generally speaking and LinkedIn in particular, because there are ways to extract monetary value out of it

And we may have gone full circle to Ben’s first post, if I’m not mistaken

@ramsey

@GuillaumeRossolini @ramsey yeah, like I said, I'll have to reread things (in context) to figure out what's being said, by whom, and what truths may fall out as a result. Maybe we'll get to talk about the ethics of extracting monetary value from PII.