upvote

points

by z3ratul1630718 hours ago |
comments
upvoteby ceejayoz8 hours ago|
next
[-]
The "The Attack: How it works" section explains how it works. It's not an API.

I am a little surprised something like CORS doesn't apply to it, though.

reply
upvoteby acorn2218 hours ago|
parent|
[-]
So these extensions allow linkedin to do this though, it's literally them saying "yes, this site can ping this resource" - called "web_accessible_resources".

This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.

reply
upvoteby entropyneur5 hours ago|
parent|
[-]
It's not the extension developer who should decide this, but the browser user.
reply
upvoteby Panda48 hours ago|
prev|
next
[-]
> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.

It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.

edit: I answered before I go fully through the article but it does say it's only Chrome based.

> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

reply
upvoteby OoooooooO8 hours ago|
parent|
next
[-]
Firefox uses UUID for the local extension url per extension so you can't search for hardcoded local urls.
reply
upvoteby dylan6048 hours ago|
parent|
prev|
[-]
What is a Chrome-based browser? Isn't Chrome Google's Chromium based browser? How many are based on Chrome?
reply
upvoteby Panda48 hours ago|
parent|
next
[-]
> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.
reply
upvoteby dylan6046 hours ago|
parent|
[-]
Exactly, so again, what is a Chrome-based browser?
reply
upvoteby Sohcahtoa825 hours ago|
parent|
[-]
A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based.

I feel like this is obvious and you know that this is the exact mistake being made, but rather than drop an actual correction, you take the insufferable approach of pretending you don't know what's happening and forming the correction as a question.

reply
upvoteby JumpCrisscross4 hours ago|
parent|
[-]
> A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based

This seems to be a case where the poison seeps through the cracks. From Google and Chrome to other Chromium-based browsers. In very correct ways, in this case, they are Chrome based.

reply
upvoteby andersonpico8 hours ago|
parent|
prev|
[-]
From "The Attack: How it works", its just checking the user agent string:

function a() { return "undefined" != typeof window && window && "node" !== window.appEnvironment; }

function s() { return window?.navigator?.userAgent?.indexOf("Chrome") > -1; }

if (!a() || !s()) return;

reply
upvoteby thom8 hours ago|
prev|
next
[-]
I was under the impression Firefox randomises extension IDs on install, so hopefully not?
reply
upvoteby hedora7 hours ago|
prev|
next
[-]
The answer to "why would Chrome ever undermine privacy and security?" is always "Google's revenue stream".

I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.

reply
upvoteby Raed6678 hours ago|
prev|
[-]
they seem to be calling `chrome-extension://.....` so i don't think it applies to firefox
reply