LinkedIn checks for 2953 browser extensions

LinkedIn checks for 2953 browser extensions(github.com)

534 points by mdp 102 days ago | 239 comments

cbsks 102 days ago |

Looks like Firefox is immune.

This works by looking for web accessible resources that are provided by the extensions. For Chrome, these are are available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH] https://developer.chrome.com/docs/extensions/reference/manif...

On Firefox, web accessible resources are available at "moz-extension://<extension-UUID>/myfile.png" <extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

rchaud 102 days ago | |

And they said that using a browser with sub-5% market share would cause us to miss out on the latest and greatest in web technology!

userbinator 101 days ago | | |

The latest and greatest is not great for you, but for them.

cranberryturkey 101 days ago | | |

The real friction in browser hopping isn't features — it's keeping your workflow portable. Bookmarks especially. Each browser has its own sync silo (Chrome → Google, Firefox → Mozilla, Safari → iCloud).

For multi-browser setups (Firefox for fingerprint resistance, Chrome for the sites that only work there), cross-browser bookmark sync is weirdly undersolved. Xbrowsersync, marksyncr, and a few others exist but most people don't know about them.

dana321 102 days ago | | |

chrome was made by ex-firefox devs, chrome is still not as good!

LAC-Tech 101 days ago | |

Anecdotally, I sometimes notice my computer fan spinning ferociously... it's almost always because I have left a firefox tab with linkedin open somewhere.

Are they bit coin mining or are they just incompetent?

kijin 101 days ago | | |

Judging from GP's description of how extension IDs work in Firefox, I wouldn't be surprised if LinkedIn were trying to brute-force those UUIDs!

farhanhubble 101 days ago | | |

If the two are indeed "Linked", I see a case for users-first browsers to show system metrics right along the page.

veyh 101 days ago | | |

I've noticed similar issues with the web version of MS Teams.

You can actually see what tabs are hogging CPU by pressing SHIFT-ESC to open the task manager (about:processes) inside Firefox.

techpression 101 days ago | | |

Considering the app was a battery catastrophe I’m confident in the latter, even if your question could be read as rhetorical.

Bluecobra 101 days ago | | |

It’s probably some feature they sell to recruiters to grab your attention. :)

rob74 101 days ago | | |

Maybe it's trying (and failing) to access your browser extensions? In a loop?

xhcuvuvyc 101 days ago | |

It's ok, they can fingerprint you for using Firefox.

jonners00 101 days ago | | |

Yeah, but they don't know which specific one of Firefox's last dozen users I am.

nilslindemann 101 days ago | |

Yes, is it now?

    https://fingerprint.com/
    https://coveryourtracks.eff.org/
    https://abrahamjuliot.github.io/creepjs/

I don't have Firefox or another browser installed right now, but the last time I checked, every browser was detected, especially on the first link.

Further, When I used Tor, a few sites, like Google, showed me Captchas for a while afterward, when using my _normal_ browser.

Further I heard that sites like PayPal are giving me black karma when I try to avoid Fingerprinting by using e.g. Tor.

nilslindemann 101 days ago | | |

I actually don't even care too much if they try to detect, that I am the X from last time.

The issue is them selling the data, or using it in unrelated locations, or trying to detect me as a person. And their programmers are not enforced and rewarded when they report such behavior to law agencies / the public. And the law is not punishing it.

awesome_dude 102 days ago | |

This is probably a naive question, but...

Doesn't the idea of swapping extension specific IDs to your browser specific extension IDs mean that instead of your browser being identifiable, you become identifiable?

I mean, it goes from "Oh they have X, Y , and Z installed" to "Oh, it's jim bob, only he has that unique set of IDs for extensions"

triceratops 102 days ago | | |

It's not a naive question. This comment says it's not possible to do that: https://news.ycombinator.com/item?id=46905213

mrweasel 101 days ago | | |

Why does the browser even allow a website to query for installed extensions? I really don't see what the point of that would be.

The website should never be able to tell what's running in my browser, or on my computer in general. The browser renders the page, maybe runs a little Javascript, but there's no reason why it should be able to query anything about my environment.

I wonder how much stuff would break if the Chrome sandboxing was extended to preventing access to chrome-extension:// from Javascript loaded of random websites.

b112 102 days ago | | |

Maybe, but how long are the extension ids? And if they are random, how long to scan a trillion random alphanumeric ids, to find matches?

I presume the extension knows when it wants to access resources of its own. But random javascript, doesn't.

calvinmorrison 101 days ago | | |

yes thats how browser fingerprinting works and it is impossible to defeat because there are just too many variations in monitors (relevant for fonts), simple things like user agent, etc.

OJFord 101 days ago | |

Though LinkedIn in Firefox with uBlock Origin allowing just enough (not sure if that's relevant, just haven't run it without) does not last long without rocketing CPU & memory usage, fan spinning up, etc. (ime, anyway)

Tade0 101 days ago | | |

In my case LinkedIn consistently crashes Firefox the first time I navigate there on a given day. After I restart FF, all is fine.

rdoherty 102 days ago |

Skimming the list, looks like most extensions are for scraping or automating LinkedIn usage. Not surprising as there's money to be made with LinkedIn data. Scraping was a problem when I worked there, the abuse teams built some reasonably sophisticated detection & prevention, and it was a constant battle.

bastard_op 102 days ago |

Chrome is the new IE6. Google set themselves up to be the next Microsoft and is "ad friendly" in all the creepy ways because that's what Google IS an ad company. All they've contributed to security is diminishing the capability of adblockers and letting malware to do bad things to you as consumers.

hashstring 101 days ago | |

I fully agree that Chrome is spyware.

However, they do contribute to security: Chrome was first to implement Site Isolation, sandboxing too. These are essential security features for modern browsers. They are also not doing too bad with patching and security testing.

userbinator 101 days ago | |

Chrome has become much worse than IE6. Microsoft was not in the business of tracking users and selling ads back then.

therealdrag0 101 days ago | | |

It certainly doesn’t feel like I have a worse UX, as a daily chrome user.

fragmede 101 days ago | | |

Was.

0xbadcafebee 102 days ago | |

He who controls the Ads, controls the Internet.

themafia 102 days ago | |

> Google set themselves up to be the next Microsoft

Google became a monopoly. All monopolies do this.

cyanydeez 101 days ago | | |

there's a step before that. Google is a pure capitalist enterprize>pure capitalism goes to monopoly>all monopolies do this.

dominicrose 101 days ago | |

Brave feels like using Chrome. The transition was seemless even as a developer who uses the devtools. Obviously that's because it's almost the same code, but Brave is much more privacy friendly right?

bastard_op 101 days ago | | |

Brave was found to be mostly different adware years ago I thought. It's a degoogle'd chrome essentially, but replaced with their adware instead of google's.

If you want a clean chrome, use ungoogled-chromium. Like IE6, some stuff just doesn't work in librewolf (less scummy firefox), so I use ungoogled-chromium when so, and I just don't do anything googleish on it that it latches onto google again.

brianpbeau 101 days ago | |

Imagine being the nerd that is still using Chrome in the YOL 2026.

minkeymaniac 102 days ago |

I can confirm.. open up linkedIn.. hit F12 and watch the error count keep going up and up and up

Screenshots found here https://x.com/DenisGobo/status/2018334684879438150

9021007 102 days ago | |

xcancel link: https://xcancel.com/DenisGobo/status/2018334684879438150

nevf1 101 days ago | |

Yikes, same happening on my PC. This is crazy, nefarious websites constantly intruding in any way they can.

shouldnt_be 102 days ago |

I wrote an article about it a couple of months ago. I also explain why, how and a way to prevent it.

https://javascript.plainenglish.io/the-extensions-you-use-ar...

jmholla 102 days ago | |

To clarify, you talk about why it's possible, not why LinkedIn is doing it, right? Or did I miss something in your article.

shouldnt_be 101 days ago | | |

From the article:

> ... it is used to check for abuse (bot use)

> If you follow a LinkedIn influencer and they get banned, now you know why.

avastel 102 days ago |

I wrote a blog post recently about the technique used by LinkedIn to do extension probing, as well as other ways to do it with less side effects

https://blog.castle.io/detecting-browser-extensions-for-bot-...

direwolf20 101 days ago | |

Patch Firefox so navigator.webdriver is always false, then remote control it. Seems not easily detectable. You could still watch for fast input patterns...

pests 101 days ago | |

Nice write up, definitely exactly this.

Banditoz 101 days ago |

LinkedIn has been employing a lot of strange dark patterns recently:

* Overriding scroll speed on Firefox Web. Not sure why.

* Opening a profile on mobile web, then pressing back to go to last page, takes me to the LinkedIn homepage everytime.

* One of their analytic URLs is a randomly generated path on www.linkedin.com, supposedly to make it harder to block. Regex rules on ublock origin sufficiently stop this.

Anyone know why they could be doing this?

gabeh 101 days ago | |

Giving them the benefit of the doubt here obviously, I know they're in an all out war with the contact database industry. Going from websoup to agents dialing out to rent-a-human services requires different tactics.

duskdozer 101 days ago | |

- scroll speed - unsure of ulterior motives, but i've seen this even on some foss things. i think some people just think it looks cool/modern/"responsive"/whatever

- back - hijacking it seems fairly common on malicious/dark-pattern sites to try to trap you on them. not sure why because you can just leave and it seems it would obviously piss someone off

- analytics paths - not everyone may know about/how to use regex rules for it or may use something else that doesn't support it (the stripped down ublock for chrome? i don't know if it can or not). sites seem to do this with malicious js code as well, presumably to prevent blocking

rpigab 101 days ago | |

I've been wondering why my scroll speed was off in LinkedIn, inspecting scroll-related css without finding an answer, I thought this was a bug. Anyone know what property does this? I might try to fix it with uBO scripts.

I think they want you to feel disoriented.

Why do they do all this bs and not fix the bug that happens when you insert Unicode U+202E in your name?

I've been having loads of fun with that but it's never been fixed. Anyone tagging me in a comment makes their input right-to-left unless they backspace the tag or insert newline. It also jumbles notification text because your name is concatenated to the notification static text.

You can also create an inverted link but it isn't clickable, just like other unicode links which aren't punycode-encoded on LinkedIn but aren't clickable (on the clients I've tried).

ikr678 101 days ago | |

I always assumed mobile webpage misbehavior was to force you to use the app.

small_scombrus 101 days ago | | |

It could very much be confirmation bias, but I do feel like most "please use our app" popups appear after a mobile site breaks or refuses to load something

jmyeet 101 days ago |

I started using Chrome at version 2 I think. It still had the 3D logo. It was such a breath of fresh air and the big innovation was running one process per tab. Firefox existed but the entire browser could (and did) hang. And IE was... well, IE.

I did have a relatively early beef with Chrome though, whcih was I couldn't completely opt out of Flash. As in, I didn't even want it installed. This turned out to be an issue because Flash turned out to be one of the earliest vectors for so-called "zombie cookies".

Fingerprinting in general has been a longstanding problem and has become more and more advanced.

Add to this that Google is, first and foremost, an advertising business and they've become increasingly hostile to ad-bloccking tech for obvious reasons.

Basically what I'm getting at is something I couldn't have imagined a decade ago where I think I really have go switch away from Chrome to something that takes privacy and security seriously so that LinkedIn can't do things like this. And I increasingly don't trust Google to do that.

I actually have more trust in Apple because they have historically been user-focused eg blocking Meta's third party cookies. But obviously Safari isn't an option because it's not cross-platform.

I'm not sure I trust the current state of Mozilla. What's the alternative? Brave? Is Opera still a thing? I honestly don't know.

What I really want is a cross-platform browser written in Rust that black-holes ads out of the box. Why Rust? Memory safety. I simply don't trust a large C/C++ code to never have buffer overruns. Memory safety has become too important.

I don't want my browser to provide information on what extensions I'm using to a site and that shouldn't be a thing I have to ask for or turn on in any way.

direwolf20 101 days ago | |

There's a menagerie of de-mozillaed Firefox forks.

rudhdb773b 101 days ago | | |

My suggestions:

Desktop - Librewolf

Android - Ironfox

mrkramer 102 days ago |

LinkedIn is the worst walled garden of all of them.

wolvoleo 101 days ago | |

I also really don't understand why their subscription is so extremely expensive for someone who is not a recruiter.

It's already a sycophantic cesspool of corporate drones repeating mindless PR. I unfollow everyone who re"tweets" feel-good memes or corporate crap and I have very few people I follow left over :) Critical discussion doesn't exist, if I comment anything that's not 100% celebratory of so-called company successes I get blocked.

grvdrm 101 days ago | |

Close second: conference apps.

They infuriate me. Data harvesting machines in all ways. Incredibly user hostile.

Example: making me scroll endlessly through attendee lists. Lack of good filters. Etc. Can’t download attendee lists.

I finally lost my patience and wrote a Selenium script to page through an app and extract everything. Worked well after some initial trial and error.

mongrelion 102 days ago |

Curious question: why would they check for installed extensions on one's browser?

ddtaylor 101 days ago |

Does anyone know if Brave has any defense against this like Firefox does?

pnw 101 days ago | |

It doesn't seem like Brave's fingerprinting prevention includes extensions, so on my first pass I would say no.

ddtaylor 101 days ago | | |

Good call. I did a test and on Chrome I see the spam and I also see the spam on Brave as well, so they don't seem to be any different.

zahlman 102 days ago |

> This repository documents every extension LinkedIn checks for and provides tools to identify them.

I get that the CSV lists the extensions, and the tools are provided in order to show work (mapping IDs to actual software). But how was it determined that LinkedIn checks for extensions with these IDs?

And is this relevant for non-Chrome users?

usefulposter 102 days ago | |

Technical writeup from a few weeks ago by a vendor that explains how LinkedIn does it, then boasts that their approach is "quieter, harder to notice, and easier to run at scale":

https://blog.castle.io/detecting-browser-extensions-for-bot-...

bitbasher 101 days ago |

Looks like this has been known since 2019.

https://www.nymeria.io/blog/linkedins-war-on-email-finder-ex...

bitbasher 101 days ago |

The list of extensions being scanned for are pretty clear and obvious. What is really interesting to me are the extensions _not_ being scanned for that should be.

The big one that comes to mind is "Contact Out" which is scan-able, but LinkedIn seems to pretend like it doesn't exist? Smells like a deal happened behind the scenes...

https://chromewebstore.google.com/detail/email-finder-by-con...

cxr 101 days ago | |

That extension cannot be fingerprinted by its content-accessible resources. It doesn't declare any in its manifest.

imvyarqoyzcuem 101 days ago | |

interesting to see why they don't block Claude in chrome or even this: https://chromewebstore.google.com/detail/dassi-ai-coworking-...

deathanatos 101 days ago |

LinkedIn has also started sending a great deal of spam:

  A $7.5B chip merger
  Pinterest prepares layoffs
  Healthcare premiums surge
  Autodesk to cut 7% of jobs
  Ozempic keeps getting cheaper

Since the "unsubscribe" link does not lead to a working page, this seems like a trivial violation of even what laughable protections CAN-SPAM alleges to offer.

And what's with some of these? Bad mouthing employers is an odd choice for a platform that makes its money from them? Or perhaps now all the revenue is ad derived?

hasperdi 102 days ago |

Another thing... they alter the localStorage & sessionStorage prototype, by wrapping the native ones with a wrapper that prevent keys that not in their whitelist from being set.

You can try this by opening devtools and setting

  localStorage.setItem('hi', 123)

dwedge 102 days ago |

I wonder if this is why the linkedin feed blocker I installed in Firefox 2 weeks ago stopped working for me within 24 hours

input_sh 102 days ago |

    cut -d',' -f2 chrome_extensions_with_names_all.csv | grep -c "AI"
    474

Only 16%!?

esprehn 101 days ago |

Reading the fingerprint.js is interesting, it's not just the thousands of extensions. It looks like it's also probing for a long list of webgl extensions, fonts, and other capabilities. There's recaptcha v3 references in there too.

Perhaps an overly aggressive attempt to block bots.

ta988 102 days ago |

So it really is espionage at all levels.

tech234a 102 days ago |

See also: a demo page for the same technique that can enumerate many extensions installed in your browser: https://browserleaks.com/chrome

xnx 102 days ago | |

Yuck. Disgusting that extension detection is possible.

duxup 101 days ago |

I miss when websites were, by default, there to provide me content ...

unstatusthequo 102 days ago |

I’m probably on the list. I made a LinkedIn Redactor that allowed you to add keywords and remove posts from your thread that included such words. It’s the X feature but for LinkedIn. Anyway, got a cease and desist from those lame fucks at LI. So I removed from the chrome store but it’s still available on GitHub.

Aurornis 102 days ago |

I suggest everyone take a look at the list of extensions and their names for some very important context: https://github.com/mdp/linkedin-extension-fingerprinting/blo...

I didn't find popular extensions like uBlock or other ad blockers.

The list is full of scammy looking data collection and AI tools, though. Some random names from scrolling through the list:

- LinkedGPT: ChatGPT for LinkedIn

- Apollo Scraper - Extract & Export Apollo B2B Leads

- AI Social Media Assistant

- LinkedIn Engagement Assistant

- LinkedIn Lead Magnet

- LinkedIn Extraction Tool - OutreachSheet

- Highperformr AI - Phone Number and Email Finder

- AI Agent For Jobs

These look like the kind of tools scummy recruiters and sales people use to identify targets for mass spamming. I see several AI auto-application tools in there too.

cxr 101 days ago | |

> I suggest everyone take a look at the list of extensions and their names for some very important context[…] I didn't find popular extensions like uBlock

Unsurprising outcome since uBlock (specifically: uBlock Origin Lite, the only version available for Chrome on the Chrome Web Store) makes itself undetectable using this method. (All of its content-accessible resources have "use_dynamic_url" set to "true" in its extension manifest.) So its absence in this data is not dispositive of any actual intent by LinkedIn to exclude it—because they couldn't have included it even if they wanted to.

NicuCalcea 102 days ago | |

LinkedIn itself provides tools for scummy recruiters to mass spam, so this is just them protecting their business.

Also, not all of them are data collection tools. There are ad blockers listed (Hide LinkedIn Ads, SBlock - Super Ad Blocker) and just general extensions (Ground News - Bias Checker, Jigit Studio - Screen Recorder, RealEyes.ai — Detect Deepfakes Across Online Platforms, Airtable Clipper).

DOM100 101 days ago |

const nameA = getName(a).toLowerCase(); const nameB = getName(b).toLowerCase(); return nameA.localeCompare(nameB);

const msg = createDoneMessage(); msg.style.opacity = '1';

    console.log("Extensions sorted alphabetically!");
    console.table(sortedCards.map(c => ({
        name: getName(c),
        id: c.id || '—'

ece 101 days ago |

Cover your tracks from EFF doesn't seem to check extensions? Are there other fingerprint tests to use?

fHr 101 days ago |

Linkedin is such a shity wanabe HR adult day care recruiting bs platform, if it would go offline tomorrow and never came back not a single tear would be shed by any Engineer.

insin 101 days ago |

So every Chrome extension that wants to avoid being detected this way needs to proxy fetch() on the target site, imagining someone with a bunch of them installed having every legit HTTP request on the target site going through a big stack of proxies

alunchbox 101 days ago |

why would they want this type of check? Like what could it possibly be doing for the end customer or features available?

PaulHoule 101 days ago |

No wonder it is so slow to load.

ramuel 101 days ago |

We live in the best timeline.

lapcat 102 days ago |

[removed]

chocolatkey 102 days ago | |

That’s incorrect, it’s trying to load an asset (hardcoded unique per-extension path) for each extension, there is a huge list of these in the source code: https://raw.githubusercontent.com/mdp/linkedin-extension-fin...

ronsor 102 days ago | |

This is a security vulnerability and should be patched. Sorry, LinkedIn.

(Alternatively extension developers can modify their extensions to block these requests!)

toomuchtodo 102 days ago | | |

Is there no browser setting to defend against this attack? If not, there should be, versus relying on extension authors to configure or enable such a setting.

0cf8612b2e1e 102 days ago | | |

No kidding. I am shocked this works.

Does Firefox have a similar weakness?

MrGilbert 102 days ago | | |

I'm not sure how you'd patch that. Any request that’s made from the current open tab / window is made on behalf of the user. From my point of view, it's impossible for the browser to know, if the request is legit or not.

usefulposter 102 days ago | |

Isn't it enumerating web_accessible_resources? Below static collectFeatures(e, t) there is a mapping of extension IDs to files in the const r (Minified JS, obviously.)

Edit: Confirmed. It's not pinging the Chrome Web Store. https://blog.castle.io/detecting-browser-extensions-for-bot-...

jsheard 102 days ago | |

Looks to me like LinkedIn is fetching chrome-extension://{extension id}/{known filename} and seeing if it succeeds, not pinging the web store.

Should be patched nonetheless though, that's a pretty obscene fingerprinting vector.

what 102 days ago | | |

How do you patch it? The extensions themselves (presumably) need to access the same web accessible resources from their content scripts. How do you differentiate between some extension’s content script requesting the resource and LinkedIn requesting it?

cobertos 102 days ago | |

Wouldn't that mean 2900 requests from fingerprint.js??

halapro 102 days ago | |

If this is true, it's insane that this would work:

- why does CWS respond to cross-site requests?

- why is chrome sending the credentials (or equivalent) in these requests?

- why is the button enabled server-side and not via JS? Google must be confident in knowing the exact and latest state of your installed extensions enough to store it on their servers, I guess

cxr 102 days ago | | |

It's not true. The person you're responding to has a habit of posting implausible-but-plausibly-plausible nonsense, and it's not how this works at all.

DrStartup 102 days ago |

Setup a quick CDP connection. Have Claude Code attach and inject JS into Page.addScriptToEvaluateOnNewDocument. Loads before the page.

Typical early hooks: • fetch wrapper • XMLHttpRequest.prototype.open/send wrapper • WebSocket constructor wrapper • history.pushState/replaceState wrapper • EventTarget.addEventListener wrapper (optional, heavy) • MutationObserver for DOM diffs • Error + unhandledrejection capture

HumanOstrich 102 days ago | |

This is irrelevant to the article and discussions here. Weird copypasta bullet points too.

userbinator 101 days ago | |

Looks like whatever LLM you used is not doing a very good job.

shj2105 102 days ago | |

what would this do?

bluebxrry 101 days ago | | |

It increases the number of jobs at the job factory. You write it into a Chrome extension and name it 2954.