There is a fresh thing going around about LinkedIn scanning extensions installed in Chrome/Chromium:https://browsergate.eu/
-
BrowserGate site quotes a "sworn affidavit from LinkedIn’s Senior Engineering Manager":
> “LinkedIn has invested in extension detection mechanisms without which LinkedIn would not have been able to trace the cause of service impacts and outages.”
I don't trust Big Tech, but this is not an unreasonable explanation – although importantly, it is not a *justification* for this scanning.
In other words: LI should not be doing that. But they might not be after your religion or orientation here.
🧵
The explanation might be reasonable, because extensions do affect how websites work, sometimes negatively, and the list of extensions here seems to contain mostly extensions specifically interfacing with LinkedIn.
But here's my point: this kind of scanning is an overkill. And that alone is already bad enough and infuriating.
There is no need to make overblown, click-baity claims like BrowserGate site does. That just muddies the waters ("wait, how are they scanning my computer?!").
🧵
-
@Michał "rysiek" Woźniak ·
Can you explain "BrowserGate" to me. Sorry, not a professional here. Thank you!@jrp literally the only link in this thread, literally in the first toot of the thread.
-
@jrp literally the only link in this thread, literally in the first toot of the thread.
-
The explanation might be reasonable, because extensions do affect how websites work, sometimes negatively, and the list of extensions here seems to contain mostly extensions specifically interfacing with LinkedIn.
But here's my point: this kind of scanning is an overkill. And that alone is already bad enough and infuriating.
There is no need to make overblown, click-baity claims like BrowserGate site does. That just muddies the waters ("wait, how are they scanning my computer?!").
🧵
@rysiek
> The explanation might be reasonable, because extensions do affect how websites work, sometimes negatively, and the list of extensions here seems to contain mostly extensions specifically interfacing with LinkedIn.I'm on the fence between calling BS because HTTP 4xx codes exist, and just shrugging saying “JavaScript”.
-
The explanation might be reasonable, because extensions do affect how websites work, sometimes negatively, and the list of extensions here seems to contain mostly extensions specifically interfacing with LinkedIn.
But here's my point: this kind of scanning is an overkill. And that alone is already bad enough and infuriating.
There is no need to make overblown, click-baity claims like BrowserGate site does. That just muddies the waters ("wait, how are they scanning my computer?!").
🧵
I was not aware of the technique the scanning employs, but apparently it's a known issue on Chrome and Chromium-based browsers, and has been for years:
https://browserleaks.com/chromeLinkedIn itself has been using it since 2017:
https://github.com/dandrews/nefarious-linkedinAnd I am sure it is used by a lot of shady sites to fingerprint users and actually figure out protected information about them. It can absolutely be used that way, and Google needs to plug this huge privacy hole.
🧵/end
-
There is a fresh thing going around about LinkedIn scanning extensions installed in Chrome/Chromium:
https://browsergate.eu/The website claims "LinkedIn is Illegally Searching Your Computer", and implies the purpose is to find "religious beliefs, political opinions, disabilities".
tl;dr:
- yes, LinkedIn is scanning through a list of 6k+ extensions on Chrome;
- yes, this is bad;
- but the website is disingenuous in making unnecessarily overblown claims.🧵
@rysiek they think “browsergate” is going to stick for one site scanning extensions?
-
@rysiek
> The explanation might be reasonable, because extensions do affect how websites work, sometimes negatively, and the list of extensions here seems to contain mostly extensions specifically interfacing with LinkedIn.I'm on the fence between calling BS because HTTP 4xx codes exist, and just shrugging saying “JavaScript”.
@dzwiedziu the explanation is reasonable in the sense of "I cans ee how somebody thought this is a solution to this problem".
I said before this does not justify this level of scanning though.
-
@rysiek they think “browsergate” is going to stick for one site scanning extensions?
@Laukidh yeah, also had that thought
-
There is a fresh thing going around about LinkedIn scanning extensions installed in Chrome/Chromium:
https://browsergate.eu/The website claims "LinkedIn is Illegally Searching Your Computer", and implies the purpose is to find "religious beliefs, political opinions, disabilities".
tl;dr:
- yes, LinkedIn is scanning through a list of 6k+ extensions on Chrome;
- yes, this is bad;
- but the website is disingenuous in making unnecessarily overblown claims.🧵
@rysiek Thanks for this analysis. I saw the BrowserGate thing earlier and it seemed bad but also way overblown, but I was not sure if I was missing something.
-
I was not aware of the technique the scanning employs, but apparently it's a known issue on Chrome and Chromium-based browsers, and has been for years:
https://browserleaks.com/chromeLinkedIn itself has been using it since 2017:
https://github.com/dandrews/nefarious-linkedinAnd I am sure it is used by a lot of shady sites to fingerprint users and actually figure out protected information about them. It can absolutely be used that way, and Google needs to plug this huge privacy hole.
🧵/end
Also go see what @vantiss has to say about it:
https://social.treehouse.systems/@vantiss/116336811478744261Credit where credit's due, I relied on her research on the earliest known instance of LinkedIn using this technique.
If you want to boost something, go boost her toot!
-
LinkedIn loads a lot of JS. In that JS there is a list of over 6.000 extensions, identified by their ids and with a single file path provided.
The JS then checks if it is running in Chrome or a Chromium-based browser, and cycles through that list, checking if these extensions are installed by doing a fetch() to "chrome-extension://<extension_id>/<file_path>".
If the fetch() succeeds, the extension is installed. If not, it isn't.
🧵
@rysiek@mstdn.social wtf why does Chrome allows an untrusted website to do that??? -
LinkedIn loads a lot of JS. In that JS there is a list of over 6.000 extensions, identified by their ids and with a single file path provided.
The JS then checks if it is running in Chrome or a Chromium-based browser, and cycles through that list, checking if these extensions are installed by doing a fetch() to "chrome-extension://<extension_id>/<file_path>".
If the fetch() succeeds, the extension is installed. If not, it isn't.
🧵
@rysiek why ffs is this even possible?
-
Also go see what @vantiss has to say about it:
https://social.treehouse.systems/@vantiss/116336811478744261Credit where credit's due, I relied on her research on the earliest known instance of LinkedIn using this technique.
If you want to boost something, go boost her toot!
-
@moses_izumi @rysiek
huh? he was referring to my link to the 2017 repo, not the stuff from kopper -
@moses_izumi @rysiek
huh? he was referring to my link to the 2017 repo, not the stuff from kopper -
Also go see what @vantiss has to say about it:
https://social.treehouse.systems/@vantiss/116336811478744261Credit where credit's due, I relied on her research on the earliest known instance of LinkedIn using this technique.
If you want to boost something, go boost her toot!
And thank you to @martijn_grooten for some additional input as well!
-
@rysiek why ffs is this even possible?
@schnittchen right?!
-
There is a fresh thing going around about LinkedIn scanning extensions installed in Chrome/Chromium:
https://browsergate.eu/The website claims "LinkedIn is Illegally Searching Your Computer", and implies the purpose is to find "religious beliefs, political opinions, disabilities".
tl;dr:
- yes, LinkedIn is scanning through a list of 6k+ extensions on Chrome;
- yes, this is bad;
- but the website is disingenuous in making unnecessarily overblown claims.🧵
@rysiek
The browsergate site is odd.Fairlinked - Allianz für digitale Fairness e.V that seem to be behind it seem to be some sort of training org made up of folks all with datacentre industry backgrounds, AWS etc.
A few red flags for me in this story -
And thank you to @martijn_grooten for some additional input as well!
It is good and heartening to see nuanced reflections like these. Thank you, Rysiek!
