LinkedIn is far from the only actor doing this. Browser extension fingerprinting is not new. LinkedIn's size, scope, and network effects make this especially concerning.
reply
Still pretty annoying that browsers haven't patched that yet.
reply
They have! It's these developers either not knowing or not caring about it which is the issue! I did a blog post about this a while back showing how they do it, and how you can get around it; it's not very complex for the devs.

https://www.linkedin.com/pulse/how-linkedin-knows-which-chro...

reply
> Chrome have fortunately recently released an "extension side panel" mode, and since only DOM changes can be easily identified, using the Chrome extension side panel would be virtually undetectable. However, this is far less intuitive to use and requires the user to perform some action to open the side panel every time they want to use the extension.

As an end user I could not find an option to open the side panel.

reply
Yeah, I mean it's not very commonly used by extensions. I quite like it as it's completely isolated and not detectable. I built my first extension which uses it as the primary interface yesterday: https://github.com/Am-I-Being-Pwned/PGP-Tools
reply
`use_dynamic_url` seems like it should be enabled by default, maybe with a phase-out period for backwards compatibility with older extensions.
reply
Yeah I agree. All new extensions should have this for their web_accessible_resources.

With that said, the Chrome Web Store ecosystem has bigger problems in front of it. For example, loads of extensions outright just send every URL you visit (including query params) over to their servers. Things like this just shouldn't happen. Imagine you installed an extension a few years back and you forgot about it; that's what happened to me with WhatRuns, which also scraped my AI chats.

I'm working on a tool to let people scan their extensions (https://amibeingpwned.com/) and I've found some utterly outrageous vulnerabilities, widespread affiliate fraud and widespread tracking.

reply
There's nothing to patch; scanning is not possible.

It's either the extension's choice to become detectable ("externally_connectable" is off by default) or it makes unique changes to websites that allow for its detection.

reply
If it were just a matter of detecting changes to the DOM then this could only detect extensions that alter the LinkedIn website itself. I agree that would be much harder to make undetectable, but this seems like it goes beyond that.
reply
As mentioned, there's a way to expose your extension to the web even without making changes. The other way is a key called "web_accessible_resources".

All of these are opt-in by the extensions, and MV3 actually forces you to specify which domains can access your extension. So, again, each extension must explicitly allow the web to find it.

reply
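The two opt-in manifest keys the thread keeps coming back to (`web_accessible_resources` with or without `use_dynamic_url`, and `externally_connectable`) are easy to check mechanically. The following is an added example written for this discussion; it is not code from the thread, from LinkedIn, or from the amibeingpwned.com scanner. It audits a Chrome MV3 manifest object for the weak shapes described above and flags them, using two constructed sample manifests (one weak, one hardened). The `isBroadPattern` helper is a simplified match-pattern check, not a full Chrome parser, and the `*://*/*` value in the weak `externally_connectable` sample is there to show the check, not because Chrome accepts it.

```javascript
// Added example, not code from the thread or from any extension mentioned in it.
// Audits a Chrome MV3 manifest for the two opt-in keys that let ordinary web pages
// detect an installed extension:
//   - web_accessible_resources: probeable at the stable chrome-extension://<id>/ URL
//     unless use_dynamic_url is set, and exposed to every site if matches is broad
//   - externally_connectable: lets the matched sites message the extension directly
// The sample manifests below are constructed for this example.

// Simplified check for match patterns that effectively mean "every site".
// Not a full Chrome match-pattern parser.
function isBroadPattern(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[2] === '*';
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function auditManifest(manifest) {
  const findings = [];

  const war = manifest.web_accessible_resources || [];
  war.forEach((entry, i) => {
    const matches = entry.matches || [];
    if (matches.some(isBroadPattern)) {
      findings.push(
        `web_accessible_resources[${i}]: exposed to every site (${matches.join(', ')})`
      );
    }
    if (entry.use_dynamic_url !== true) {
      findings.push(
        `web_accessible_resources[${i}]: use_dynamic_url not set, resources reachable at the stable extension ID`
      );
    }
  });

  const ec = manifest.externally_connectable;
  if (ec && Array.isArray(ec.matches) && ec.matches.some(isBroadPattern)) {
    findings.push(
      `externally_connectable: any site may message the extension (${ec.matches.join(', ')})`
    );
  }

  return findings;
}

// Constructed sample: the weak shape (stable URL, every site, open messaging).
const weakManifest = {
  manifest_version: 3,
  name: 'Example Weak Extension',
  web_accessible_resources: [
    { resources: ['icon.png', 'inject.js'], matches: ['<all_urls>'] }
  ],
  externally_connectable: { matches: ['*://*/*'] }
};

// Constructed sample: the hardened shape (dynamic URL, one origin, no messaging).
const hardenedManifest = {
  manifest_version: 3,
  name: 'Example Hardened Extension',
  web_accessible_resources: [
    {
      resources: ['icon.png'],
      matches: ['https://example.com/*'],
      use_dynamic_url: true
    }
  ]
};

for (const m of [weakManifest, hardenedManifest]) {
  console.log(m.name, auditManifest(m));
}
```

Running it prints three findings for the weak manifest and none for the hardened one. The check only covers what the manifest declares; as the thread notes, an extension that rewrites a page's DOM can still be recognised by those changes, which no manifest setting prevents.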
This has been going on for at least 5 years. It pops up on HN every so often.
reply
Seems like it. Which is serious but far from what I thought when I read the title. I suspect 90% of LinkedIn users don't even have a single browser extension installed.
reply
I would debate that. Most work computers have some extensions installed by default. That's millions of laptops. E.g. Snow Inventory Agent, ad blockers, etc.
reply
Pretty sure that if they could, they would, but browser sandboxing security prevents this from going unnoticed.
reply