How is probing your browser for installed extensions not "scanning your computer"?

Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.

> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.

> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.

An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.

> this is why I run ad blockers.

It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".

I disagree, I think we should push back hard on behavior like this. What business is it of LinkedIn's what browser extensions I have installed? I think the framing for this is appropriate.

This has been covered several times including reverse engineering of the code. The list of extensions they check for doesn’t include common extensions like ad blockers. It’s exclusively full of LinkedIn spamming and scraping type of extensions.

They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.

By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.

If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.

The bigger problem I see here is browser security and Javascript as a whole. Browsers should not be allowed to extract and send such vast amounts of information in the first place, especially without the user's consent. At most, they should return a few broad things such as browser type (major version), language perhaps, and device type (mobile/desktop). That's it. Other things, such as exact resolutions, time zones, and other hardware identifiers make it trivially easy to track users across the Internet. Now that it's too late to revise Web standards, browsers should default to return spoofed values for all the rest.

> expect to find in modern browser fingerprinting

No. Don't need extensions for that. See how Cloudflare Turnstile does it, recently popped up at https://news.ycombinator.com/item?id=47566865 cause ChatGPT uses it now:

Layer 1: Browser Fingerprint WebGL (8 properties): UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL, WEBGL_debug_renderer_info, getExtension, getParameter, getContext, canvas, webgl

Screen (8): colorDepth, pixelDepth, width, height, availWidth, availHeight, availLeft, availTop

Hardware (5): hardwareConcurrency, deviceMemory, maxTouchPoints, platform, vendor

Font measurement (4): fontFamily, fontSize, getBoundingClientRect, innerText. Creates a hidden div, sets a font, measures rendered text dimensions, removes the element.

DOM probing (8): createElement, appendChild, removeChild, div, style, position, visibility, ariaHidden

Storage (5): storage, quota, estimate, setItem, usage. Also writes the fingerprint to localStorage under key 6f376b6560133c2c for persistence across page loads.

Scanning for 6000 extensions is anti-competitive, surveillant and immoral.

It is likely in response to scraping. Linked in is heavily scraped by scammers who do the BEC scams. So linked in is trying to find ways to link together banned accounts, to handle their ban evasion.

I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious, it's entire purpose is literally to make the website more enjoyable for the good users.

> But I do take some issue with the alarmist framing of what's going on.

On the contrary, your framing is quite defeatist IMO. The fact that stores get robbed frequently does not mean we should just normalize that and accept it as a fact of life.

How does this scan happen. AFAIK there is no API for a webpage to scan for extensions. The most a page could do is try to figure out indirectly if an extension exists if that extension leaks info into the page.

> I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister

This seems like a really weird argument to make. The fact that the platform doesn't provide a privacy-violating API is not an extenuating circumstance. LinkedIn needed to work around this limitation, so they knew they're doing something sketchy.

For the record, I don't think they're being evil here, but the explanation is different: they're don't seem to be trying to fingerprint users as much as they're trying to detect specific "evil" extensions that do things LinkedIn doesn't want them to do on linkedin.com. I guess that's their prerogative (and it's the prerogative of browsers to take that away).

> The scan probes for thousands of specific extensions by ID, collects the results

Why exactly does Chrome even allow this in the first place!? This is the most surprising takeaway for me here, given browser vendors' focus on hardening against fingerprinting.

Why is JavaScript running in a page even allowed to know what extensions I have? Is this also what sites use to see I've got an ad blocker?

Just run everything in a safe environment that it can't look out of.

> sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

Then why search for PordaAI or Deen Shield? Or more specifically, since getAllExtensions() would return them, why would they be on the "scan list", instead of just ignored?

I worked for a company that sold b2b contact data and they had (maybe still have) a linkedIn extension. It basically enriched the linkedIn profile. I wonder if linkedIn is trying to block these, or heavily target, in some way, these types of users to push folks towards their sales navigator.

Just because someone lets the electrician (LinkedIn) into their home (browser) doesn't mean they can do whatever the hell they want that isn't expressly prohibited. If the electrician wants to rifle through my desk drawers, they should ask for permission, and I will politely tell them to leave.

> I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

Speaking has someone who shares the same lack of surprise, perhaps some alarm is warranted. Just because it’s ubiquitous doesn’t mean it’s ok. This feels very much frog in boiling water for me.

Why do you think the alarmist framing is unwarranted?

Javascript can query chrome extensions [1] and much more [2].

[1] - https://browserleaks.com/chrome

[2] - https://browserleaks.com/javascript

I get the point you're making, but to be clear, "they’re checking to see if you’re a Muslim" vs "they’re checking to see if your fingerprint matches that of known Muslims in our ever-expanding database" are not too far off.

I've been avoiding Chrome-based browsers for many years now but have only recently become aware of how catastrophically low the Firefox market share is. I'm kind of shocked that more people aren't choosing to avoid Chrome.

> It also seems like what I’d expect to find in modern browser fingerprinting code.

Time to figure out if I can make FireFox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...

> the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.

It absolutely is sinister.

I agree. The first paragraph on the page implies the javascript can natively search your machine (vs. via Browser Extensions)

> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

We should not normalise nor accept this behaviour in the first place.

> no available getAllExtensions()

Well great there is no avalable 'getAllFiles()' or such either because they'd be scanning your files for "fingerprinting" as well.

> alarmist framing

Well they literally searching your computer for applications/extensions that you have installed? (and to an extent you can infer what are some of the desktop applications you have based on that too)

Your expectations do not matter here frankly. This reads like CFAA to me, unauthorized access.

>this is why I run ad blockers.

It's important to note that this isn't fixed by ad blockers. To avoid this kind of fingerprinting, you need to disable JavaScript or use a browser like Firefox which randomizes extension UUIDs.

I wonder if their motivation for doing this is to detect the LinkedIn automation tools that power all the spam messaging and connection requests?

The tracking described is extremely invasive. You say you are not endorsing it but you are certainly normalizing it. This is unacceptable.

The people behind this URL are trying to hold Microsoft accountable. The power to them.

> i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”

But I bet they could reliably guess your religious affiliation based on the presence of some specific browser extensions.

The next step for a forensic investigator, is to found out how many of those extensions, are actually from a partner or fully owned subsidiary from LinkedIn... When you see a cockroach...

> this is why I run ad blockers.

What's been really obnoxious lately is the number of sites I try to do things on that are straight up broken without turning off my ad-blocker.

> The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

Why is this even possible in the first place? It's nobodies business what extensions I have installed.

>vs. something inherently sinister

This is inherently sinister.

My biggest gripe is why these JS APIs even exist in the first place

Which browsers in which mode (normal/private) are affected?

this is obviously not fingerprinting code to anyone with a brain, it's about scraping

But what would be the benefit of them doing that?

> The headline seems pretty misleading.

Yes. I was expecting LinkedIn was connecting to extensions that are using their exhanced privileges to scan your computer, per the "LinkedIn Is Illegally Searching Your Computer" headline.

Instead, LinkedIn is scanning for extensions.

But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code

We should be alarmed that websites we go to are fingerprinting us and tracking our behavior. This is problematic, full stop. The fact that most websites are doing this doesn't change that.

Your post sounds like "it sounds bad, but it's no different from what others do, so it's not that bad."

I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.

The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.

It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.

There is clear rules around what you can and can't do to fingerprint users. if it's being done overtly, covertly, obscurely, indirectly, all for the same result through direct or indirect or correlated metadata it ends up with the same outcome.

My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.

I wonder if this is part of the reason why LinkedIn tabs seem to use so much ram, and sometimes run away CPU processes.

> "they're checking to see if you're a Muslim"

This could be easily inferred from the depth, breadth, and interconnectedness of data in the website.

By downplaying it, it's allowing it to exist and do the very thing.

The issue here is this stuff is working likely despite ad blockers.

Fingerprinting technology can do a lot more than just what can be learned from ads.

From the site:

"The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none." https://browsergate.eu/extensions/

[dead]

[dead]

> The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them

And probably also vibe-coded therefore 2 tabs of LinkedIn take up 1GB of RAM (was on the front page a few days back).