Paco Hope1d ago

Holy shit this is detailed. Can you believe the hubris to silently collect all this information on users?

#privacy

https://browsergate.eu/how-it-works/

The Attack: How it works

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy. This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.

BrowserGate
Show threadARGVMI~1.PIF1d ago

@paco

I'm more concerned with the fact that extensions *can* be detected this way. Web pages should not be able to detect the presence of extensions. If they can, that's a security vulnerability.

Show threadNazo1d ago

@argv_minus_one @paco Agreed 1000%. I've heard that this could be done and I've always wondered why browsers didn't prioritize making it an effort to block all of this.

Really there are a scary level of things that just don't get the attention they should. Like why can browsers access your clipboard by default? I don't just mean write stuff. They can use an event to read it... Browsers seriously need to make a better effort to keep sites from getting access to any of this potentially identifying/privacy violating stuff...

Of course Chrome probably does this on purpose.

Show threadARGVMI~1.PIF1d ago

@nazokiyoubinbou

Sites can *read* the clipboard??? Yikes! That could expose passwords!

@paco

Show threadNazo1d ago

@argv_minus_one @paco Yeah. They also can use it to subtly modify clipboard contents. I first became aware of this from a website where it would detect me copying text from it and then modify the clipboard contents to include what I had copied but also inject an advertisement for its own site. (It was especially annoying because it had a character limit, so cropped what I had actually copied.)

In Firefox look for dom.event.clipboardevents.enabled to turn that off. However, bear in mind this denies all direct clipboard access. For example, clicking on "copy link to clipboard" no longer works. It's a two-way street. They can't read or write to the clipboard without that. Some things (like Matrix clients for me) won't let me paste without it.

I don't know the Chromium equivalent

Show threadNazo1d ago

@argv_minus_one @paco BTW, much more than passwords.

For example, if you copy a credit card info to the clipboard such as some managers might do or gift cards or etc. That's a payment info in the clipboard right there... SSNs, IDs, etc could also rarely end up in the clipboard for various reasons.

It's a nightmare waiting to happen.

Show threadbobert1d ago

@nazokiyoubinbou @argv_minus_one @paco Granted, browsers can only read the clipboard after user interaction and asking for permission (https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API#security_considerations ).

But I’ve also not encountered a useful-enough benign example of reading a users clipboard without them actively pasting. Most things like formatting content can be done by just intercepting the paste event.

Clipboard API - Web APIs | MDN

The Clipboard API provides the ability to respond to clipboard commands (cut, copy, and paste), as well as to asynchronously read from and write to the system clipboard.

MDN Web Docs
Show threadNazo

@combatwombat @argv_minus_one @paco "After user interaction" maybe. But they don't ask permission... There is no popup...

"User interaction" may be more open than you think too though.

1:02amWeb
Show threadARGVMI~1.PIF9h ago

@nazokiyoubinbou

Yeah, clicking on a web page does not equal consenting to that web page reading my clipboard.

I imagine the reason this API exists is so that you can have Microsoft Word in your browser, paste button and all. But is that really worth giving malicious websites the ability to read the password/credit card/etc right out of your clipboard just by fooling you into clicking a cleverly-disguised button?

I suppose Microsoft thinks it is, but I have to disagree.

@combatwombat @paco

Show threadNazo9h ago

@argv_minus_one @combatwombat @paco Yeah, I don't agree that any should ever have access to the clipboard. We can manually copy stuff with select and copy (though sites like Mastodon are a pain in the rear because they just assume they have clipboard access so don't give you a really obvious "link here" to copy — there is one, it just isn't obvious, and while Glitch makes it easy enough, on mainline Mastodon I usually have to copy from the time field because... ... Anyway that's what I have to copy from. I think most people won't get this.)

I really don't see why any of that needs direct clipboard access even to do that sort of thing.

Really, since I started blocking it it really has only given me actual trouble on maybe two or three sites total. And I can toggle it on the fly.