165 comments

[ 2.9 ms ] story [ 100 ms ] thread
They only mention this being a potential violation of the DMA. How about north american countries? US and Canada?
It seems it scans your extensions not your system - reading the details. The intro made it a bit unclear.
The title is a complete nonsense.
(comment deleted)
this is a massive violation of trust

> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).

why would the browser ever expose extensions api to a web page. does firefox does this as well?
The headline seems pretty misleading. Here’s what seems to actually be going on:

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

extensions create so many bug reports, I would do the same
I'm confused, you call this "misleading" then quote the claim, but say it's "what [you'd] expect to find in modern browser fingerprinting code".

So what is it? Misleading, or exactly what you expected to find? It cannot be both.

It sounds more like you object to the negative framing of Microsoft hoovering up as much data as possible for profit, even though this is objectively a crime in the jurisdictions they are being sued in.

"The headline seems pretty misleading."

How? What exactly would a reader be "mislead" to believe

The part about "inherently sinister" seems to be a thought from the mind of an HN commenter not the authors of the submitted web page. The later only describe LinkedIn's actions as illegal, not "sinister". The laws cited by the authors do not appear to consider any "state of mind", e.g., "sinister", or intent as relevant

"But I do take some issue with the alarmist framing of what's going on."

AFAICT, the submitted web page does not suggest that anything LinkedIn does is "dangerous", i.e., cause for "alarm". What it suggests is that LinkedIn's actions _violate European privacy laws_. The authors claim LinkedIn's actions present an opportunity to enforce these laws, i.e., "take action"

https://browsergate.eu/why-its-illegal/

https://browsergate.eu/take-action/

> This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

Working around deliberate API designs that are designed to make it harder to get a list of all installed extensions is inherently sinister. It's very clearly malicious. We absolutely should not accept that kind of behavior from anyone and definitely not from the corporations large enough that we can't realistically avoid depending upon them.

(comment deleted)
I hate the way they just started saying you have a new message when you really don't. Now I'm going to miss when I really have new messages for a while because I'm not going to go to that site anymore when they say that.

And not letting you read your messages when on your mobile phone unless you use their app is particularly mean. Considering again where they are sending all the information they scrape.

This gave someone the opportunity to add in "Jeffery_Epstein_did_not_kill_himself" to linkedin's client facing code base through this. If you open dev tools -> network tab -> network search icon (magnifying glass) -> search for "epstein" and load up linkedin, you should see it for yourself too!

I really don't think they're "illegally" searching your computer, they're checking for sloppy extensions that let linkedin know they're there because of bad design.

I wonder how much of this is also used for audience segmentation for their advertisements? Linkedin ads are some of the most expensive out of any social media platform, but they also tend to have the highest conversion since you can get pretty niche with your targeting.
LinkedIn has been overtly evil for decades, and their power users are the most insufferable sort of middle management yuppy scum. I know job searching can be hard, but I don't go near LinkedIn with a ten foot pole.
How a web site can search one's computer?
(comment deleted)
Reminder for windows control alt shift windows L
I don't like any of this, but I'm not totally clear how this is substantially different from other fingerprinting technologies which I assume are used by every large tech company. Could anyone elaborate? The post isn't very clear why this is different from other data surveillance.
The most obvious reason for this is browser fingerprinting, right? So your visits to other websites can be linked to your Linkedin identity? Or no?
Interesting. I didn't know a extension’s web-accessible resource (e.g. chrome-extension://<id>/...) could be abused to learn about the user's installed extensions by checking whether it resolves or not.
[flagged]
The “how it works” page suggests it only works on chrome based browsers. Anyone able to determine if firefox or safari are affected too?
Doesn't it depend how they're storing the data? If it's sufficiently transformed, it could be considered fair use.
Bait, just look at browser addons, millons of site do it as well
Sounds like containers and potentially adblocking and js blocking prevent this. For my part, I use linked in on my "god dammnit I hate corporate websites so much" browser which is used only for medical bill pay and amazon / wal mart purchases and then monthly bills. Could LinkedIn get something from me there? Potentially, but they're also not really following me around the web. I think given this I'll go install a 3rd browser for linkedin only, or maybe finally just delete my account. It never got me a job and it's a cesspool.