Jason Coon3d ago
I just read up on "BrowserGate", where LinkedIn is secretly (and illegally) searching users' computers for installed Chrome extensions. So of course I had to create a simple example web page to demonstrate what they're doing.
It uses only client-side javascript and doesn't send your data anywhere: https://jasoncoon.github.io/chrome-ext-list
More info: https://browsergate.eu
Show threadJason Coon3d ago
I've tested this in Brave, and I think this works in all Chromium browsers (Chrome, Edge, Opera, Brave, Vivaldi, etc) as if you needed another reason to switch to one of the few non Chromium browsers: Waterfox, Firefox, Safari, etc.
Firefox explicitly "prevents websites from fingerprinting a browser by examining the extensions it has installed": https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/web_accessible_resources#using_web_accessible_resources
web_accessible_resources - Mozilla | MDN

Sometimes you want to package resources—for example, images, HTML, CSS, or JavaScript—with your extension and make them available to web pages and other extensions.

MDN Web Docs
Show threadAyke van Laethem @ EH23 đź“ž 29532d ago
@jasoncoon didn't read up on it, but: lots of extensions insert bits of HTML or change the current page in some way. For example, ad blockers. This is something that is probably detectable in Firefox?
It would reveal a lot less extensions though, but might still be a problem. It would also be a lot more work to create.
Show threadJason Coon
@ayke yeah, the article shows that LinkedIn is also doing exactly that:
"LinkedIn runs a second detection system that walks the entire DOM tree looking for evidence of extension activity."
https://browsergate.eu/how-it-works/#stage-2-passive-dom-scanning-spectroscopy
The Attack: How it works

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy. This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.

BrowserGate
Apr 4 at 9:10pmWeb