LinkedIn Is Scanning for Browser Extensions
61 points by jkirchartz
Why does Chrome even let websites see what extensions users have installed? That feels like an egregious privacy violation.
Anyway, this whole website looks generated by an AI which made lots of mistakes. For example, it says
The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.
But the privacy policy does include this in section 1.5:
We also get information about your network and device (e.g., IP address, proxy server, operating system, web browser and add-ons, device identifier and features, cookie IDs and/or ISP, or your mobile carrier).
Another mistake is Exhibit 4, saying a senior manager contradicted herself when she said both that the anti-abuse systems "do not take the use of any particular browser extension(s) into account" and that "LinkedIn’s systems “may have taken action against LinkedIn users that happen to have [XXXXXX] installed.”" But if you read the affidavit, the manager follows that by saying no action was taken on the basis of an extension. There's no contradiction at all.
Also, this one is just a dumb gripe, but they say in Exhibit 1 that 5fdhwcppjcvqvxsawd8pg1n51.js "is the file LinkedIn serves to every Chrome user who visits linkedin.com". C'mon, that's clearly a random filestring, it's not gonna be 5fdhw for everyone.
In conclusion, use Firefox.
In conclusion, use Firefox.
and do not use LinkedIn if you can help it.
Wish it were as easy as that. At least I only use it for finding job postings and applying to them. I've told my partner that if they ever see me posting or commenting there, I need an intervention.
I'd love if there existed an actual alternative, that was as commonly used but... there isn't one.
So I keep seeing this take but it just doesn't seem to align with my experience.
Is it actually as unavoidable as you claim it is?
I know a lot of people who use LinkedIn because they think it will help them find a job.
I know one person who used LinkedIn and found a job.
I've found several, as have many of my colleagues, and we've gotten some good hires through it.
My current role was found that way.
Anecdata doesn't really help anybody.
Good thing I measured! In 2017 (golden era, mind you), I decided to earn more, which required changing location and employer. I tried to approach it strategically, to have control over it + prediction and also to get some numbers out of it (I love stats).
I have a web page as my CV, so first I reached out to 50 recruiters directly on LinkedIn (25 existing connections, 25 new) and asked them if they had any opportunity, and linked my CV. According to analytics, that reachout resulted in 60-70 visitors on my page.
12 days later (to properly see the difference between channels) I advertised myself on Twitter, which resulted in 180 visits.
4 days after that, I advertised myself on Facebook, to my network and 2 thematic groups (job seekers kinda): 200 visits.
Conversion:
(I got 7 offers at the end, 3 considerable - wrote about it: https://cv.co.hu/csabi/sztori.html, unfortunately in Hungarian)
Great. But I can't advertise on Twitter that I'm looking for another role while still employed at my current one.
I agree with the sibling comment. I hate it as much as the next guy but I just can't deny how helpful it's been on many occasions, and there's no alternative to it for many things. I'd be missing out on a lot of things if I weren't there. Just keeping an account open and connecting with friends, colleagues, and some acquaintances, gives you a lot of benefit with practically no issues if you don't visit the site unless you have to. (and then do it on Firefox, with the usual blockers)
Why does Chrome even let websites see what extensions users have installed? That feels like an egregious privacy violation.
It looks like there are two approaches:
chrome-extension://, the site can look for that mutation and infer the extension is installed. There's no "list the extensions" API.
If you’re wondering how this works:
https://browsergate.eu/how-it-works/ -> “The Extension List”
Each entry has two fields:
id: A 32-character Chrome Web Store extension ID
file: A known file path inside that extension’s package, such as popup.html, icon.png, or manifest.json
AED is a brute-force scan. It attempts to load a known file from each extension using the fetch() API.
Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.
LinkedIn tests every extension in the list this way.
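The flip side of the quoted mechanism is what an extension developer can do about it: a fetch of the static chrome-extension://{id}/{file} URL only succeeds for resources whose web_accessible_resources entry covers the calling page's origin and does not use Chrome's use_dynamic_url option. The audit below is an added example, not code from the thread, browsergate.eu or LinkedIn; its match-pattern handling is a simplified reading of Chrome's rules and both manifests are constructed, hypothetical extensions.

```javascript
// Added example (not from the thread, browsergate.eu or LinkedIn): given an
// extension manifest, list the web_accessible_resources a page on `origin`
// could probe via fetch("chrome-extension://<id>/<file>").
// Match-pattern handling is a simplified reading of Chrome's rules (assumption).

// Does a Chrome match pattern cover this origin? Handles <all_urls>, "*" scheme,
// "*" host, "*.host" suffix wildcards and exact hosts; paths are ignored.
function patternMatchesOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)(\/.*)?$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host] = m;
  const url = new URL(origin);
  const originScheme = url.protocol.slice(0, -1);
  if (scheme === "*" ? !["http", "https"].includes(originScheme) : scheme !== originScheme) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const suffix = host.slice(2);
    return url.hostname === suffix || url.hostname.endsWith("." + suffix);
  }
  return url.hostname === host;
}

// Resource paths a page on `origin` could fetch from the static extension URL.
// MV2 lists are exposed to every site; MV3 entries are skipped when they are
// restricted to other hosts or set use_dynamic_url (the static URL then fails).
function probeableResources(manifest, origin) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) return war.slice();
  const exposed = [];
  for (const entry of war) {
    if (entry.use_dynamic_url) continue;
    const matches = entry.matches || [];
    if (matches.some((p) => patternMatchesOrigin(p, origin))) exposed.push(...entry.resources);
  }
  return exposed;
}

// Constructed sample manifests (hypothetical extensions, not real ones).
const weakManifest = {
  manifest_version: 3,
  web_accessible_resources: [{ resources: ["popup.html", "icon.png"], matches: ["<all_urls>"] }],
};
const hardenedManifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["popup.html"], matches: ["https://*.example.com/*"] },          // only example.com pages
    { resources: ["icon.png"], matches: ["<all_urls>"], use_dynamic_url: true },  // not at the static URL
  ],
};
```

Run probeableResources(manifest, "https://www.linkedin.com") on your own manifest: an empty result means the static-URL probe described above cannot confirm the extension from that site.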
You can only assume this is to weed out scrapers and AI agents. This is their moat, and I assume they’ll defend it pretty aggressively.
If LinkedIn actually succeeds at this at scale, does that mean it becomes one of the more common places for human-only discourse?
The irony of that hits pretty hard.
It is impossible for LinkedIn to become "human-only" since they include a "Write with AI" button on every post, and LinkedIn Premium gives you the ability to generate posts and comments using LinkedIn's AI.