LinkedIn Faces Spying Allegations Over Browser Extension Scanning (pcmag.com) 68
LinkedIn is facing allegations that it quietly scans users' browsers for installed Chrome extensions. The German group Fairlinked e.V. goes so far as to claim that the site is "running one of the largest corporate espionage operations in modern history."
"The program runs silently, without any visible indicator to the user," the group says. "It does not ask for consent. It does not disclose what it is doing. It reports the results to LinkedIn's servers. This is not a one-time check. The scan runs on every page load, for every visitor." PCMag reports: This browser extension "fingerprinting" technique has been spotted before, but it was previously found to probe only 2,000 to 3,000 extensions. Fairlinked alleges that LinkedIn is now scanning for 6,222 extensions that could indicate a user's political opinions or religious views. For example, the extensions LinkedIn will look for include one that flags companies as too "woke," one that can add an "anti-Zionist" tag to LinkedIn profiles, and two others that can block content forbidden under Islamic teachings.
It would also be a cakewalk to tie the collected extension data to specific users, since LinkedIn operates as a vast professional social network that covers people's work history. Fairlinked's concern is that Microsoft and LinkedIn can allegedly use the data to identify which companies use competing products. "LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets," the group claims. However, LinkedIn claims that Fairlinked mischaracterizes a LinkedIn safeguard designed to prevent web scraping by browser extensions. "We do not use this data to infer sensitive information about members," the company says. "To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service," LinkedIn adds.
[...] The statement goes on to allege that Fairlinked is from a developer whose account was previously suspended for web scraping. One of the group's board members is listed as "S.Morell," which appears to be Steven Morell, the founder of Teamfluence, a tool that helps businesses monitor LinkedIn activity. [...] Still, the Microsoft-owned site is facing some blowback for not clearly disclosing the browser extension scanning in LinkedIn's privacy policy. Fairlinked is soliciting donations for a legal fund to take on Microsoft and is urging the public to encourage local regulators to intervene.
Say after me (Score:5, Insightful)
DON'T USE CHROME.
In other news the Lutheran church in Rome denied that it had received a membership application from Pope Leo, whilst ursine faecal material continues to be found in forested areas.
Re: (Score:2)
Firefox also uses the Chrome extension API. Not that it matters, as Linkedin just checks the content injected into the site:
The only way to defend against this is to disable scripts entirely.
Re:Say after me (Score:5, Insightful)
Or avoiding LinkedIn altogether or using a separate profile devoted to LinkedIn if you're required to use it
Re: (Score:3)
Firefox also uses the Chrome extension API. Not that it matters, as Linkedin just checks the content injected into the site:
The only way to defend against this is to disable scripts entirely.
Yup, I have to approve all scripts, every time. Yup, it can be a pain in the backside.
If you want a little "fun", look up who is running the scripts. Google doesn't hide themselves very much, but some others? Regardless, I have a fundamental issue with having mostly unknown people/groups installing stuff on my computer.
Re: (Score:2)
Re:Say after me (Score:5, Interesting)
Exactly Chrome and realistically Chromium is essentially malware. Geeks especially should consider it a civic duty to use basically anything else. Which pretty much leaves Firefox and Safari.
Browser diversity is critical to keeping the web actually open. Even if Chromium is open source, the reality is Google drives the project entirely. It puts them in a powerful position to gatekeep, and that is bad for all the same reasons it was bad when IE-5/6 ruled the web, nearly uncontested.
We don't want a web where the only standard is whatever chromium does.
Re: (Score:3)
What's your position on Brave? Chromium-based but - allegedly - with the spy stuff removed.
Re:Say after me (Score:5, Informative)
For the individual that is certainly better than Chrome, but from a perspective of does it give Alphabet, any less influence not really much better.
I come back to if we allow Chromium to become essentially the only online HTML Document rendering engine in use, Google makes all the rules. It is really too large a project for any entity not a large corporate to fork.
Just look at the whole plugin architecture(Manifest V2) stuff, Google got their way because the plugin architecture touches so much and nobody maintaining Chromium based alternative browser could realistically keep up with the mainline if they forked or tried to keep a patch set running.
Google basically unilaterally decided what web-plugins are allowed to do; and nobody was able to stop them.
Re: (Score:2, Insightful)
Brave is successfully maintaining manifest V2 support, so not really.
Re: (Score:2)
Re: (Score:3)
Way to put a bandage on a wound rather than treating the cause of the bleeding. Not using Chrome doesn't help you here. You are being fingerprinted regardless.
Re: (Score:2)
You are being fingerprinted regardless.
Maybe. Why do you think other browsers report installed extensions. Either to the extent Chrome does? Or at all?
Re: (Score:2)
why do you think they don't?
Perhaps someone wrote a browser extension that can log activity between itself and remote systems.
Re:Say after me (Score:5, Informative)
Who said report? No one. Chrome has no interface to report a list of extensions to a website. Extensions expose management interfaces, this is part of their function, and it's necessary to how they are written, installed, managed, updated, etc. These interfaces can be probed manually if you know the extension ID. So all a website needs to do is load a script and do a call to e.g. chrome-extension://ddkjiahejlhfcafbddmgiahcphecmpfh/. If it gets a 404 error then it knows you have Ublock Lite installed, if it returns ERR_BLOCKED_BY_CLIENT then you know it doesn't exist.
Firefox and other browsers have similar systems in place. It's required for how extensions work. It has always existed. No browser out there has successfully prevented fingerprinting, and Firefox's anti-fingerprinting system actually works by blacklisting browser requests to companies who provide fingerprinting services, not by technical means. In this case according to the report LinkedIn is only doing this on Chrome, but it's a fantasy to think you're magically protected by using an alternate browser for any other reason than not being popular makes you less of a target. -- In which case you should be promoting the use of Chrome as it would actively raise your security.
Chrome isn't just providing a nice easy list of shit to identify you with. It's a game of whack-a-mole, using clever tricks. Always has been.
Case in point, part of the website scans the DOM tree looking for elements that are different to what was served up which would indicate the presence of an extension that is modifying the page. This is trivial to do on *ANY* browser and is completely platform independent. Though it only works for extensions which do something.
Follow the money (Score:2, Interesting)
However, LinkedIn claims that Fairlinked mischaracterizes a LinkedIn safeguard designed to prevent web scraping by browser extensions. "We do not use this data to infer sensitive information about members," the company says.
S'truth. We pinky promise!!!
The statement goes on to allege that Fairlinked is from a developer whose account was previously suspended for web scraping. One of the group's board members is listed as "S.Morell," which appears to be Steven Morell, the founder of Teamfluence, a tool that helps businesses monitor LinkedIn activity. [...] Still, the Microsoft-owned site is facing some blowback for not clearly disclosing the browser extension scanning in LinkedIn's privacy policy.
As we said in politics, the only time you can believe one politician is when he calls another politician a liar. Just because Fairlinked seems to be dirty, doesn't mean Linkedin is squeaky clean.
Fairlinked is soliciting donations for a legal fund to take on Microsoft [...]
OK, and then there is this. It always gets back to this.
Outlived its usefulness (Score:5, Insightful)
I've pretty much stopped visiting linkedin. First it was the pet videos, then the political nonsense, then an onslaught of spam trying to sell shit to me 24/7. Now it's just a place to park my resume.
Good riddance.
Re: (Score:2)
Now it's just a place to park my resume
Have you ever received a legitimate job offer, or even a nibble, from an employer that you might actually consider working for, that came through LinkedIn?
Me neither.
You'd be much better served by posting your resume or having it on file with a few employers you would consider and who are legitimate.
Re:Outlived its usefulness (Score:4, Informative)
Re: (Score:2)
Now it's just a place to park my resume
Have you ever received a legitimate job offer, or even a nibble, from an employer that you might actually consider working for, that came through LinkedIn?
Me neither.
You'd be much better served by posting your resume or having it on file with a few employers you would consider and who are legitimate.
I get no cold offers, or recruiters. But I do get those automated linkedin job offer mails. Applied a couple of times. Entered the process? Yes. Canonical. Twice. For a couple of Cloud Positions.
Sadly, did not get hired, god knows why
So, yes, LinkedIn still has a little value.
Re: (Score:2)
Re: Outlived its usefulness (Score:4, Interesting)
Re: (Score:3)
I received an email from linkedIn that said someone I knew (my sister, but it didn't know she was my sister) wanted to connect. I asked her if she requested a link and she said no. When linkedIn lied to me that was enough for me to dump them. It's been many years since I've been there. I ignore it completely.
Re: (Score:2)
Man some LinkedIn users are fragile (Score:5, Funny)
"the extensions LinkedIn will look for include one that flags companies as too "woke," one that can add an "anti-Zionist" tag to LinkedIn profiles..."
Imagine being so petty and fragile that you need to install a whole plugin to tell you what is woke or anti-zionist.
Re: (Score:2)
Re: (Score:2)
Those people are living in a fantasy world. Especially if they need a web browser to make that decision for them.
Re: (Score:3)
No mention of islam though, which was the next thing filtered.
"and two others that can block content forbidden under Islamic teachings. "
You can tell which one people have learned to fear. Islam is the future, because even anonymously, people have learned to fear them.
Re: (Score:2)
I don't fear islam. I understand how that plugin would help someone who believes in the bullshit of religion meet the needs of the bullshit. So it wasn't worth mentioning.
Re: (Score:2)
I don't fear islam.
I do. I fear Christianity as well, or any other religious group with a historical penchant to force their religious beliefs on everybody, the easy way or the hard way.
Re: (Score:2)
Stated performance vs revealed performance.
Latter trumps former every time.
How is this possible? (Score:1)
How is this even possible, why would a browser allow a website to ask for details about installed software???
Re:How is this possible? (Score:5, Informative)
The other is based on the fact that the whole point of many extensions is to modify the site in some way; but the site normally has largely unfettered access to inspect itself, so they have theirs set up to walk the entire DOM looking for any references to "chrome-extension://" and snagging the IDs if found.
Not exactly a 'declare installed extensions'; but it looks like, out of some combination of supporting the use cases where an extension and page actively interact by design and either not wanting the possibility or not wanting the complexity of trying to enable 'invisible' edits(presumably some sort of 'shadow' DOM mechanism where as far as the site and everything delivered with it knows only its unedited DOM and resources exist; but the one the user sees is an extension-modified copy of that one, which sounds like it could get messy), inferential attacks are fairly easy and powerful.
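An added example, not part of the thread or of any site's code: a small audit that looks for the two signals described in the comments above (requests to `chrome-extension://<id>/` URLs, and `chrome-extension://` references left in page markup). The `{ page, url }` record shape, the `*.example` hosts and the repeated-letter IDs are constructed assumptions; only the first ID is quoted from the thread.

```javascript
// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXT_REF = /chrome-extension:\/\/([a-p]{32})/g;

// Distinct extension IDs referenced anywhere in a string
// (a request URL, a script body, or serialized page markup).
function extensionIdsIn(text) {
  const ids = new Set();
  for (const m of text.matchAll(EXT_REF)) ids.add(m[1]);
  return [...ids].sort();
}

// Group captured requests by the page that initiated them and collect the
// distinct extension IDs each page tried to reach.
// `requests` is a list of { page, url } records (assumed capture format).
function probesByPage(requests) {
  const pages = new Map();
  for (const { page, url } of requests) {
    const ids = extensionIdsIn(url);
    if (ids.length === 0) continue;
    if (!pages.has(page)) pages.set(page, new Set());
    ids.forEach((id) => pages.get(page).add(id));
  }
  return pages;
}

// Flag pages that reference at least `threshold` distinct extensions.
// One or two references can be a deliberate page/extension integration;
// a long list of unrelated IDs indicates enumeration.
function flagProbingPages(requests, threshold = 3) {
  return [...probesByPage(requests)]
    .filter(([, ids]) => ids.size >= threshold)
    .map(([page, ids]) => ({ page, distinctExtensions: ids.size }));
}

// Constructed sample data. ID_FROM_THREAD is the ID quoted in the comments;
// FAKE_IDS are made-up placeholders, not real extensions.
const ID_FROM_THREAD = "ddkjiahejlhfcafbddmgiahcphecmpfh";
const FAKE_IDS = ["a", "b", "c"].map((c) => c.repeat(32));
const SAMPLE_REQUESTS = [
  { page: "https://site-a.example/feed", url: "https://site-a.example/app.js" },
  ...[ID_FROM_THREAD, ...FAKE_IDS].map((id) => ({
    page: "https://site-a.example/feed",
    url: `chrome-extension://${id}/x.png`,
  })),
  { page: "https://site-b.example/", url: `chrome-extension://${FAKE_IDS[0]}/icon.png` },
];
// Constructed markup: an extension-injected element exposes its ID to the page.
const SAMPLE_MARKUP =
  `<div><img src="chrome-extension://${FAKE_IDS[1]}/badge.png"><p>hello</p></div>`;

console.log(flagProbingPages(SAMPLE_REQUESTS));
console.log(extensionIdsIn(SAMPLE_MARKUP));
```
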
Re: (Score:2)
so they have theirs set up to walk the entire DOM looking for any references to "chrome-extension://" and snagging the IDs if found.
Maybe walk the DOM for their own document. But what moron would build their core browser to allow sites to walk/query content from other, unrelated sites? That just sounds like content theft to me. Just the kind of scraping that LinkedIn claims to be detecting.
Re: (Score:2)
Please do yourself the favour and RTFA before you look any stupider than you already do. This mechanism is not querying an unrelated site. If you want to pretend to be a clever programmer then note the OP even helpfully put the thing you think is an "unrelated site" (it's not, it's a management interface which by necessity needs to be open for some extensions) in quotation marks indicating it is a string being searched for in the DOM tree.
Re: How is this possible? (Score:1)
All we ever really wanted is to see some funny cat pictures online... nobody needs their browser to essentially be an entire kernel and OS for some horrible JS.
How does this get green-lighted? (Score:1)
"I'm going to develop a browser fingerprinting system that's even more spywarey than linkedin is by default."
"Sure, go ahead. Remember, the more people you can identify, the more Microsoft dollars you get to spend!"
Re: (Score:1)
This isn't even the worst thing LinkedIn has gotten caught doing. It's always been an entirely criminal enterprise masquerading as a normal jobs board.
Any free service (Score:1)
You are the thing being sold!
LinkedIn is a lost cause (Score:2)
After the company was caught spamming contacts a decade ago did anyone think they would improve?
Re: (Score:3)
After the company was caught spamming contacts a decade ago did anyone think they would improve?
Define "improvement". A decade ago LinkedIn was sold to Microsoft for $26.2billion. It seems Microsoft values LinkedIn plenty, just the way things are.
They have an interesting defense (Score:3)
Spying? For what you already give them? (Score:2)
Re: (Score:3)
Re: (Score:2)
Besides, this is largely in the context of fingerprinting, and you don't need those to track users who log in.
Re: (Score:2)
Re: (Score:2)
Lack of information.... (Score:2)
When they learn that you support Planned Parenthood, or are a member of the Sunni branch of Islam, or (in the present environment) the Democratic party, or are a member of AARP, they learn a lot about you that IMHO shouldn't be associated with your work search. Is that so hard to understand?
Re: (Score:2)
I suppose it's possible that there is an AARP extension, probably coupon or security related, but the important information there would be the user's age, which LinkedIn already knows or can accurately infer.
There ARE corporate entities that force chrome (Score:2)
PG&E for one
Try logging in with Firefox and see
Re: (Score:2)
Re: (Score:3)
Overall, it's laziness of design of those intraweb sites...
Maybe not laziness. Chrome -> Google -> Major PG&E customer.
Back when I worked for Boeing, we were a Macintosh shop. Then, Bill Gates started his annual dinners for the movers and shakers in the IT industry. The more Microsoft stuff your company had, the closer they seated you to Bill. Our CIO had to sit in the back of the room. He came back and announced that we'd be scrapping all the Macs and switching to Windows.
When it comes to corporations, you can never tell from which end the technology i [biljohnson.com]
Re: (Score:2)
Maybe not laziness. Chrome -> Google -> Major PG&E customer.
Back when I worked for Boeing, we were a Macintosh shop. Then, Bill Gates started his annual dinners for the movers and shakers in the IT industry. The more Microsoft stuff your company had, the closer they seated you to Bill. Our CIO had to sit in the back of the room. He came back and announced that we'd be scrapping all the Macs and switching to Windows.
When it comes to corporations, you can never tell from which end the technology is driven [biljohnson.com].
I still see it as laziness of design. It goes back to the days when sites required you to use Internet Exploder, er, Explorer... because it followed a different implementation track than Netscape/Mozilla, and IE accepted broken HTML because Internet Insecurity Server (IIS) would serve it that way. When you have defined standards and follow them with your site design, the browser a user chooses when visiting your site should be 100% irrelevant, and if it is that is the fault of the browser maker because th
Re: (Score:1)
Zactky!
Epstein Class (Score:2)
Count the number of emails between a company founder and Epstein before you install their code in your Browser or put your data on their platform.
I mean, spies were spying on you?
Not to mock the victims, but c'mon, Nancy, don't be naïve.
https://jmail.world/ [jmail.world]
Browse Forest Browse Stupid is as stupid does (Score:2)
I left LinkedIn last week (Score:2)
Why use LinkedIn anymore? (Score:2)
LinkedIn used to be a good product, it created a niche for a time. There was nothing like it at the time, and it helped bring people into opportunity.
Since MS bought it, it's continued to decline, being filled with annoying, sycophantic content and a lot of other garbage and a poor UX. The messaging is a complete f'ing JOKE.
We have Indeed and others who, as competitors, follow suit. Waiting for "those scandals" to appear.
Something new, novel, simple should replace it. But what would that even look like