Hacker News

LinkedIn scans for 6,278 extensions and encrypts the results into every request

371 points by un-nf, yesterday at 7:40 PM, 161 comments

Comments

un-nf, yesterday at 7:40 PM

LinkedIn runs an extension scan against a hardcoded list of 6,278 Chrome extensions on every visit. Detected results are packaged into encrypted telemetry and injected as an HTTP header into every subsequent API request during your session. This data can be used to identify your religious affiliations, tax-bracket, job search intent, and more.

I verified this myself and traced the implementation. Details and the technical breakdown in the article.

thwarted, today at 12:17 AM

> Hundreds of job search extensions are in the scan list. LinkedIn knows which of its users are quietly looking for work before they've told their employer. … Extensions tied to political content, religious practice

Why are these even extensions to begin with? A legit job finding service can be a website, no extension required. If they are nefarious extensions that fake ad clicks or mine cryptocurrency, that they are job search, or political, or religious in name/nature only serves to get rubes to install them. This entire ecosystem is goofed up.

jameson, today at 12:16 AM

Why does the browser even allow it?

The runtime of extensions should be a black box to a website IMO.

pyrophane, yesterday at 11:03 PM

Here's the most relevant section I could find from the original source:

"Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.

LinkedIn tests every extension in the list this way."

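The probing technique quoted above, turned into a defender-side check (an added example, not code from the article, the thread or LinkedIn): a page enumerating extensions issues many `fetch()` calls to distinct `chrome-extension://<id>/...` URLs in a short burst, so counting distinct ids per sliding window separates that behaviour from a page talking to one companion extension. The `threshold`/`windowMs` values and the `sampleId` helper are assumptions for illustration.

```javascript
// Matches chrome-extension://<id>/<path>; Chrome extension ids are 32 chars in [a-p].
const EXT_PROBE = /^chrome-extension:\/\/([a-p]{32})\/(.+)$/;
// Returns { id, path } for a chrome-extension:// URL, otherwise null.
function parseExtensionProbe(url) {
  const m = EXT_PROBE.exec(String(url));
  return m ? { id: m[1], path: m[2] } : null;
}
// Sliding-window count of distinct extension ids a page has probed.
// threshold and windowMs are assumed illustration values, not figures from the article.
class ProbeMonitor {
  constructor({ threshold = 20, windowMs = 5000 } = {}) {
    this.threshold = threshold;
    this.windowMs = windowMs;
    this.events = []; // { id, path, t }
  }
  prune(now) {
    this.events = this.events.filter((e) => now - e.t <= this.windowMs);
  }
  // Records a request; returns true only when it was an extension probe.
  record(url, now = Date.now()) {
    const probe = parseExtensionProbe(url);
    if (!probe) return false;
    this.events.push({ ...probe, t: now });
    this.prune(now);
    return true;
  }
  distinctIds(now = Date.now()) {
    this.prune(now);
    return new Set(this.events.map((e) => e.id)).size;
  }
  // Many distinct ids inside one window is the enumeration signature; a page
  // that legitimately talks to its own companion extension touches one or two.
  isFingerprinting(now = Date.now()) {
    return this.distinctIds(now) >= this.threshold;
  }
}
// Wraps a fetch-like function so every call is recorded before being forwarded,
// e.g. window.fetch = wrapFetch(window.fetch, monitor) from a page-world script.
function wrapFetch(fetchImpl, monitor, clock = Date.now) {
  return (input, init) => {
    const url = typeof input === "string" ? input : input && input.url;
    monitor.record(url, clock());
    return fetchImpl(input, init);
  };
}
// Constructed, valid-looking sample id (not a real extension): 32 chars from a-p.
function sampleId(n) {
  const hex = n.toString(16).padStart(32, "0");
  return hex.replace(/[0-9a-f]/g, (c) => "abcdefghijklmnop"[parseInt(c, 16)]);
}
```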
nokya, yesterday at 8:49 PM

"What is not a question is that a criminal investigation is now open." Good. These companies deserve each and every stone thrown at them, and much more.

lemax, yesterday at 11:34 PM

This is fairly standard practice for device fingerprinting. LI is probably using this to protect its platform from scraping etc., and extension lists have enough entropy to help identify users and form a useful component of a fingerprint.

ro_bit, yesterday at 9:14 PM

Why is my Chrome telling random websites which extensions I have installed?

3dsnano, yesterday at 8:59 PM

friends, WHEN you are asked to implement something like this at your job, which will you choose: object (& hold ground, lose job) OR comply (& keep job)

as practitioners, where do we hold the line between telemetry and surveillance?

StilesCrisis, yesterday at 9:33 PM

Is this a hallucination? I can't find this quote anywhere else.

> According to browsergate, Milinda Lakkam confirmed this under oath, saying, "LinkedIn took action against users who had specific extensions installed."

varenc, yesterday at 11:37 PM

One trick to evade some of LinkedIn's detection:

A big part of its detection relies on finding known extension resources at URLs of the form `chrome-extension://{extension_id}/{file}`

An extension installed from the Chrome store has the same `extension_id` for every user. But, if you just extract the source for that extension, and then load it yourself, you'll get a NEW extension_id. Same extension with the same functionality, but its extension_id will be completely new so impossible for LinkedIn to query.

Granted this won't evade the second type of detection LinkedIn employs, it'll help you evade quite a bit. I often clone extension source code anyway since it mostly protects me from malicious extension updates (by effectively disabling updates).

maelito, yesterday at 9:03 PM

Well, I deleted my Linkedin account and life is better now.

Aurornis, yesterday at 10:29 PM

This is a re-posted article from the author's Substack that does a pretty bad job of explaining the situation. The second link in the article is supposed to take you to a "GitHub repository tracking the extension list" but it goes to a GitHub page for a plugin that hasn't been updated in 9 years.

It has a lot of hallmarks of LLM writing ("It's not this, it's that" and feeling like a lot of empty words rehydrated from an outline) while missing the real updates in the story like the German affidavit filed by a LinkedIn engineer who worked on these tools.

A key piece of information that this article omits is that the list of extensions being scanned for doesn't include anything you'd recognize or anything you'd even think to install. It's full of data extraction tools, scrapers, AI spam and recruiting tools (remember all those automated spammy LinkedIn messages you got?), and plugins masquerading as simple things that have been pulled from the extension store for violations.

A lot of articles have been trying hard to distract from this fact by highlighting that the list of extensions includes things like a plugin designed to simplify web pages for neurodivergent users or an "anti-Zionist political tagger" to imply that they're trying to do fingerprinting based on those attributes, but they neglect to mention that those plugins were pulled from the extension store most likely because they were data exfiltrators dressed up as simple plugins to get people to install them.

An updated list is available here: https://browsergate.eu/extensions/

But read that site carefully and actually try to click the links. In this section they're trying to direct your attention away from all of the AI spam and data extraction tools with this section:

> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).

But click the links. They've all been pulled from the store. Extensions like that are often bait to get people to install scrapers that will use your computer and LinkedIn login to extract data and send it back to their servers.

So regardless of where you stand on probing for the presence of these scammy extensions, you should at least understand the facts rather than the story that companies like this are trying to sell you to drive traffic to their product.

I suggest cutting through the ragebait journalism and reading more directly from a recent source, like this affidavit filed in Germany by a LinkedIn engineer familiar with the project: https://browsergate.eu/downloads/Lakam-affidavit-redacted.pd...

stevenicr, yesterday at 9:39 PM

and,

recently, while trying to decipher why my computer was at 98% memory and 65% CPU,

one of the culprits is https://li.protechts.net taking 2GB RAM and 8% CPU.

DDG searches say this is something for linkedin. - I had two tabs for linkedin open but left behind as I opened other tabs to research.

So I had not reopened these tabs in over 9 hours and they are still just humming along sucking down almost 10% of CPU and a couple gigs of RAM for what?

This is Firefox with uBlock Origin - quick searches saw Malwarebytes Browser Guard considered it (protechts.net) malware for a bit and then took it off the list of things it blocked / warned about.

Not sure this is related to the scan mentioned, but it may be related to the overall concerns about data and unknown usage of resources.

I'm considering blocking this at the DNS hosts level at this point.

Repost of my comment 28 days ago.

mkw5053, yesterday at 8:40 PM

Interesting, so would Safari prevent this? I tried moving to Safari and honestly loved everything, except I now use my Google accounts for authenticating with too many services and that was a pain compared to Chrome.

SpyCoder77, yesterday at 11:24 PM

> Users who had no idea their software was being inventoried, no idea the inventory was being used against them, and no way to know it was happening because none of it appears in LinkedIn's privacy policy.

As if users are actually reading the privacy policy...

dctoedt, yesterday at 9:59 PM

Seems to do this in Microsoft Edge, too.*

* I use Edge because of the vertical tabs — Safari's equivalent is a poor substitute. Firefox didn't seem to have vertical tabs last time I checked.

ChrisArchitect, yesterday at 8:56 PM

[dupe]

Discussion: https://news.ycombinator.com/item?id=47613981

rapnie, yesterday at 8:56 PM

See also "LinkedIn is searching your browser extensions" (812 comments) https://news.ycombinator.com/item?id=47613981

flenserboy, yesterday at 9:57 PM

Fun to have to spin up a whole VM just to use a particular website!

cynicalsecurity, yesterday at 11:01 PM

But how is this supposed to help against scraping? This is ridiculously ineffective against scraping. Just pretend to have a standard set of extensions and you are good to go.

0xAstro, yesterday at 10:06 PM

Now the 1000s of spammy Chrome web extension requests when I opened LinkedIn make sense.

guluarte, yesterday at 8:48 PM

I did that and got logged out of LinkedIn.

GodelNumbering, yesterday at 9:26 PM

I saw the following from LinkedIn this morning:

> Update to our terms and data use. As of November 3, 2025, we are using some of your LinkedIn data to improve the content-generating AI that enhances your experience, unless you opt out in your settings. We also updated our terms. See what's new and how to manage your data.

Frankly, it is unacceptable to tell a user "oh we have been using your personal data for 5 months already and will continue to do so unless you explicitly opt out". Are there any transparent alternatives to LinkedIn (not the trust me bro variant)?

0xAstro, yesterday at 10:05 PM

Now it makes sense with the 1000s of spammy not-found requests to Chrome extensions I was seeing on LinkedIn and had Claude Code debug.

theturtle, yesterday at 11:08 PM

[dead]

pino83, yesterday at 10:56 PM

[flagged]

kmeisthax, yesterday at 9:08 PM

Wasn't this specifically some lame-ass attempt to combat some click fraud or something these extensions were doing? And aren't these articles specifically coming from the person doing the fraud (which is why they know about the extension scanning)?

To be clear, LinkedIn shouldn't be scanning your browser extensions, but still. The ultimate problem is that browser extensions are a powerful malware vector and there's a huge market of people buying little utilities off of solo developers to enshittify them.

charcircuit, yesterday at 9:44 PM

This is pure speculation. It is a million times more likely that this data is strictly used to combat scraping and fraud.