LinkedIn is illegally searching your computer

1383 points | 611 comments | 7 hours ago
haswell

The headline seems pretty misleading. Here’s what seems to actually be going on:

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

ef2k

A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.

Anyway, what they're calling "spectroscopy", is a combination of extension probing and doing residue detection (looking for what extensions might leave behind in the DOM).

An ad blocker is not necessarily equipped to help since the script is embedded with the application code. Since they're targeting Chrome, switching browsers will help with the probing but not the detection part and you'll still be fingerprinted.

The only way forward is for browser vendors to offer a real privacy or incognito mode where sites are sandboxed by default. When the default profile is identical across millions of users there won't be anything unique to fingerprint.

Beestie

I don't have a linkedin acct. So imagine my shock when I "googled" myself and found a linkedin profile connecting my name to a company I presently have a consulting arrangement with (1099 not W2). I went ballistic and fired off an email to the consulting firm to take down the profile immediately or face legal action (a bluff). Couple days later, the company forwarded an email they received from linkedin confirming the profile had been taken down.

So this is just a heads up that even if you don't have a linkedin account, they will create one on your behalf so might better check (assuming you neither have nor want one).

andersonpico

this is a massive violation of trust

> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).

cenal

There is no reason to trust any big tech company. Folks should be using containers in their browser if they care about privacy. I previously published a LinkedIn container extension for FireFox: https://addons.mozilla.org/en-US/firefox/addon/linkedin-cont... although as many know you can achieve the same results with Firefox containers without a specific extension like mine if you configure it manually.

I will work on an improvement to that extension so that it can block these scans if they attempt them in firefox.

Johnny555

> the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch)

Why should a website be able to scan for extensions at all?

Or if there's a legitimate need (like linkedin.com wants to see if you installed the linkedin extension), leave it up to the extension to decide if it wants to reveal itself. The extension can register a list of URL patterns it will reveal itself to. So the linkedin extension might reveal itself only to *.linkedin.com, a language translation extension might reveal itself to everyone, and an adblocker extension might not choose to reveal itself to anyone.

lxgr

All I'm seeing is that Chrome apparently is failing to properly sandbox websites against extension fingerprinting.

Sure, this can be solved at the legal layer, but in this case, there seems to be a much simpler and more effective technical solution, so why not pursue that instead?

OhMeadhbh

Fwiw... I now run personal and professional browser profiles from two different jails / cgroups. It's a pain in the arse to set up, and I have to verify my config still works after every update, but I get a good feeling knowing my personal chocolate is not mixing in with my professional peanut butter.

I set up the cgroups hack so I could route traffic from a dev profile into a VPS vpn, and may not be that useful for everyone.

But I think this is a reminder that you may want to have at least two profiles: one public and the other private. Do you really want Microsoft to know you installed the "Otaku Neko StarBlazers Tru-Fen Extendomatic" package to change every picture of a current political figure to an image from the cast of Space Battleship Yamato?

arafeq

the part about scanning for 509 job search extensions is especially nasty. imagine getting flagged to your employer because linkedin detected you had a job board extension installed.

stevenicr

this morn while trying to decipher why computer was at 98% memory and 65% cpu

one of the culprits is https://li.protechts.net taking 2GB ram and 8% cpu.

DDG searches say this is something for linkedin. - I had two tabs for linkedin open but left behind as I opened other tabs to research.

So I had not reopened these tabs in over 9 hours and they are still just humming along sucking down almost 10% of cpu and a couple gigs of ram for what?

This is firefox with ublock origin - quick searches saw malwarebytes browser guard considered it (protechts.net) malware for a bit and then took it off the list of things it blocked / warned about.

Not sure this is related to the scan mentioned, but it may be related to the overall concerns about data and unknown usage of resources.

I'm considering blocking this at the dns hosts level at this point.

jamesgill

https://browsergate.eu/extensions/

It seems to not scan for Privacy Badger and uBlock Origin, two extensions I rely on. That's...surprising.

hmokiguess

Separate question, why isn't this kind of stuff something the browser restricts access to or puts behind an approval gate to the end user?

z3ratul163071

why would the browser ever expose extensions api to a web page. does firefox do this as well?

gburgett

The “how it works” page suggests it only works on chrome based browsers. Anyone able to determine if firefox or safari are affected too?

charles_f

It will sound like finessing on details, but details are important in these kinds of claims, and this seems incorrect

> Microsoft has 33,000 employees and a $15 billion legal budget

Microsoft has more than 220k employees (it's hard to follow with all the layoffs), and the G&A which bankrolls legal expenses (but not only - it also contains basically every employee who's not engineering or sales) was only 7B in 2025 - so legal budget is much lower than that.

devy

LinkedIn has been the weirdest social network for a long time.

https://hn.algolia.com/?q=linkedin+weird

searls

Read this:

> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers

And thought, "no way in hell this gets by Safari."

And then, under "The Attack: How it Works":

> Every time you open LinkedIn in a Chrome-based browser

Shocker. If you use a Chromium-based browser, you should expect to be trading away your privacy, IME.

tiku

I remember the LinkedIn app that got all your contacts from your phone and tried to add them to your network. I had random people from internet-deals (local craigslist) that were popping up. So strange that this was allowed.

jobberknoll

Can't be said enough: Stop using Chrome.

hnuser435

Wish they'd add a little more to what end-users can do about it like switch to a non chrome-based browser.

seamossfet

I wonder how much of this is also used for audience segmentation for their advertisements? Linkedin ads are some of the most expensive out of any social media platform, but they also tend to have the highest conversion since you can get pretty niche with your targeting.

dmos62

What's an optimistic future for Web fingerprinting? Currently, a website's ability to fingerprint the browser, the device, and the user is absolutely ridiculous.

Here's a quick look at only the static things a website can fingerprint https://www.browserscan.net/.

hjk2

How can a web site search one's computer?

hmokiguess

This website was difficult to follow but I found that this page https://browsergate.eu/extensions/ was the most helpful to understand what they were talking about

Essentially, they are labelling you, like most do, but against some interesting profiles given the kinds of extensions they are scanning for

Joeboy

The most obvious reason for this is browser fingerprinting, right? So your visits to other websites can be linked to your Linkedin identity? Or no?

kartoffelsaft

I want to know what power I have as just some guy to do anything about this? (even if just for myself)

I ask because it seems like every job I apply to asks for a linkedin profile, and I've heard floating around that if it's not filled in enough most employers assume you're a bot. Heck, one of the forms from the "who's hiring" thread yesterday straight up said if you have < 100 connections they'd throw out your application. So, in order to get my foot in the door, I need to hand over vast and intricate data about my personal life to a third party?

nticompass

> Every time you open LinkedIn in a Chrome[actually Chromium]-based browser

There's a reason I continue to use Firefox (with uBlock Origin) and will never switch.

Also, when I got laid off from a previous job, I made a LinkedIn profile to help find a new job. Once I found a new job, I haven't logged into LinkedIn since - that was almost 2 years ago.

stevetron

I'm certain that if LinkedIn were confronted, they could produce a response that says they are covered by the TOS you had to agree to in order to use the site. I don't have time to spend scanning legalese. Or make use of LinkedIn. If my system is being scanned, they'll see that I'm using a legitimate licensed copy of Windows 7 on a MODERN computer. If anything is at fault, it includes web browsers that identify themselves to web sites.

ericyd

I don't like any of this, but I'm not totally clear how this is substantially different from other fingerprinting technologies which I assume are used by every large tech company. Could anyone elaborate? The post isn't very clear why this is different from other data surveillance.

stronglikedan

Oh boy, they stand to lose dozens of users over this! DOZENS!

mentalgear

Interesting. I didn't know an extension’s web-accessible resource (e.g. chrome-extension://<id>/...) could be abused to learn about the user's installed extensions by checking whether it resolves or not.

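An added example, not part of the thread or of any project mentioned in it: the resource check mentalgear describes depends on an extension's manifest listing `web_accessible_resources`, and Manifest V3 lets an extension restrict that list to chosen sites with `matches`, which is close to the opt-in Johnny555 asks for above. The script audits manifests for that exposure; `auditManifest`, the exposure labels and the sample manifests are constructed for illustration.

```javascript
'use strict';

// Match patterns that let any website request the listed resources.
const ANY_SITE = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// Hypothetical labels, ordered from least to most exposed.
const RANK = { 'none': 0, 'dynamic-url': 1, 'listed-sites': 2, 'any-site': 3 };

// Classify how visible an extension's packaged resources are to web pages.
function auditManifest(manifest) {
  const report = { name: manifest.name, exposure: 'none', visibleTo: [], resources: [] };
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return report;

  // Manifest V2: a flat list of paths with no per-site restriction.
  if (manifest.manifest_version !== 3) {
    report.exposure = 'any-site';
    report.visibleTo = ['<all_urls>'];
    report.resources = war.filter((r) => typeof r === 'string');
    return report;
  }

  // Manifest V3: each entry carries its own "matches" allow-list.
  const visibleTo = new Set();
  const resources = new Set();
  for (const entry of war) {
    if (!entry || !Array.isArray(entry.resources)) continue;
    const matches = Array.isArray(entry.matches) ? entry.matches : [];
    if (matches.length === 0) continue; // shared with other extensions only
    let level;
    if (entry.use_dynamic_url === true) level = 'dynamic-url'; // URL not tied to the fixed ID
    else if (matches.some((m) => ANY_SITE.has(m))) level = 'any-site';
    else level = 'listed-sites';
    if (RANK[level] > RANK[report.exposure]) report.exposure = level;
    matches.forEach((m) => visibleTo.add(m));
    entry.resources.forEach((r) => resources.add(r));
  }
  report.visibleTo = [...visibleTo].sort();
  report.resources = [...resources].sort();
  return report;
}

// Audit several manifests, most exposed first.
function auditAll(manifests) {
  return manifests.map(auditManifest)
    .sort((a, b) => RANK[b.exposure] - RANK[a.exposure]);
}

// Constructed sample manifests (not real extensions), mirroring the three
// cases in Johnny555's comment plus a legacy and a dynamic-URL case.
const SAMPLE_MANIFESTS = [
  { manifest_version: 3, name: 'Site Helper (constructed)',
    web_accessible_resources: [
      { resources: ['inject.js'], matches: ['https://*.linkedin.com/*'] }] },
  { manifest_version: 3, name: 'Translator (constructed)',
    web_accessible_resources: [
      { resources: ['ui/panel.html'], matches: ['<all_urls>'] }] },
  { manifest_version: 3, name: 'Ad Blocker (constructed)' },
  { manifest_version: 2, name: 'Legacy Tool (constructed)',
    web_accessible_resources: ['img/icon.png'] },
  { manifest_version: 3, name: 'Dynamic Theme (constructed)',
    web_accessible_resources: [
      { resources: ['theme.css'], matches: ['<all_urls>'], use_dynamic_url: true }] },
];

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.exposure.padEnd(12)} ${r.name}  ${r.visibleTo.join(', ')}`);
}
```

To audit a real profile, feed it the parsed `manifest.json` of each installed extension in place of the sample array.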
arndt

Is there a way to disable the ability for websites to scan for extensions in Chrome?

red_admiral

"searching your computer" -> using standard web fingerprinting techniques. They don't actually get to read your home directory, and the authors should be honest about this!

two_handfuls

That's on brand. I remember their phone app asking for contacts permission and just taking them all and uploading them to their server.

fooofw

How is it even possible that we've reached a point where "yes, this is obvious and pretty unsurprising" is the default response to spying on an industrial scale.

elwebmaster

LinkedIn also violates SPAM regulations on a regular basis. Despite me having disabled all emails from this service I consistently receive promotional emails. LinkedIn defines a new "type of promotional email" for which it assumes it has implicit consent to send unsolicited emails and proceeds to do so. It then has a fake compliance apparatus by allowing the victim to once again "unsubscribe" from the newly created email subscription which they never consented to in the first place. I really hope there is a class action and these scumbags get fined.

GuestFAUniverse

AFAIK it can be fined with up to 4% of revenue in the EU.

How much is that currently? $600M?

llacb47

This title should be changed as no court found this is illegal, and this is pretty standard, if extensive, browser fingerprinting, however disagreeable it is

hnburnsy

Go check out QueryAllPackages permission on Android and see which of your apps can scan and know about all the other apps on your Phone. Thanks Google!

pier25

I always use LinkedIn and Meta websites in a different browser altogether.

I hope browsers in the future will need to ask for permission before doing any of that.

free_bip

They only mention this being a potential violation of the DMA. How about north american countries? US and Canada?

jacquesm

Not mine. And why do we say LinkedIn, it is just Microsoft, just like Github is Microsoft and a whole raft of other companies are just Microsoft in a trenchcoat.

mrkeen

Yep, LinkedIn is cancer.

2020 - LinkedIn Sued For Spying on Clipboard Data After iOS 14 Exposes Its App:

https://wccftech.com/linkedin-sued-for-spying-on-clipboard-d...

2013 - LinkedIn MITM attacks your iPhone to read your mail:

https://www.troyhunt.com/disassembling-privacy-implications-...

2012/2016 - Data breach of 164.6 million accounts:

https://haveibeenpwned.com/breach/LinkedIn

According to haveibeenpwned.com, my email & password were leaked in both the 'May 2012' and 'April 2021' LinkedIn incidents.

AmazingTurtle

6 months ago I already posted about this

https://news.ycombinator.com/item?id=45349476

ChicagoDave

I run MalwareBytes on all my browsers and as my computer protection system.

LinkedIn is getting nothing.

kittikitti

I removed my LinkedIn premium subscription because of this. It was always very suspicious and expensive so they were already on thin ice. This is unacceptable and LinkedIn crossed the line with yet another fascist social media platform.

sumanep

Bait, just look at browser addons, millions of sites do it as well

lagrange77

> The headline seems pretty misleading.

No it isn't. Performing fingerprinting on users' devices, to ultimately profit off financially or worse is misleading. Especially doing this while knowing the user isn't aware what this really means and just deciding it for them.

The headline is just an exaggerated way of saying what is really happening.

robert23mg

seems like clickbaiting, browser can't 'scan' your computer...

oelmgren

Is there evidence that they use that information for anything other than browser fingerprinting or fraud detection?

That seems like the most obvious use case? Or maybe I missed something in the write up.

pizzuh

i dont like that i pay them $79 a month for them to scrape my extensions

daft_pink

I don’t understand how browser security would allow linkedin to search my computer?

mikkupikku

LinkedIn has been overtly evil for decades, and their power users are the most insufferable sort of middle management yuppy scum. I know job searching can be hard, but I don't go near LinkedIn with a ten foot pole.

everdrive

Sounds like containers and potentially adblocking and js blocking prevent this. For my part, I use linked in on my "god dammnit I hate corporate websites so much" browser which is used only for medical bill pay and amazon / wal mart purchases and then monthly bills. Could LinkedIn get something from me there? Potentially, but they're also not really following me around the web. I think given this I'll go install a 3rd browser for linkedin only, or maybe finally just delete my account. It never got me a job and it's a cesspool.

liyu-aka-lukyu

Deleted my account. Fixed!

laughing_snyder

Directly on the landing page:

> Microsoft has 33,000 employees

this should probably be LinkedIn, not Microsoft.

syn0x

LinkedIn is full of lunatics, does not surprise me at all.

acorn221

This gave someone the opportunity to add in "Jeffery_Epstein_did_not_kill_himself" to linkedin's client facing code base through this. If you open dev tools -> network tab -> network search icon (magnifying glass) -> search for "epstein" and load up linkedin, you should see it for yourself too!

I really don't think they're "illegally" searching your computer, they're checking for sloppy extensions that let linkedin know they're there because of bad design.

chromacity

The real story is what's going on behind the scenes. The charges are relatively flimsy (for the reason I mentioned in my other comment). But here's the cool thing: the site is basically taken from Microsoft's playbook. For years, they pretty transparently bankrolled shadowy, single-issue "grassroots advocacy" groups that went after their competitors under flimsy pretenses. These organizations attacked others but somehow never had an opinion about stuff like Windows Copilot.

This feels very similar, except now it's taking a swing at Microsoft. It's apparently paid for by some mysterious "trade association and advocacy group for commercial LinkedIn users" that runs out of a private PO box in a small German town - uh huh. I'm not going to feel bad for Microsoft, but I would love to read some investigative reporting down the line.

chad_strategic

I run ad blockers and pihole, does that help?

foxes

It seems it scans your extensions not your system - reading the details. The intro made it a bit unclear.

hcfman

I hate the way they just started saying you have a new message when you really don't. Now I'm going to miss when I really have new messages for a while because I'm not going to go to that site anymore when they say that.

And not letting you read your messages when on your mobile phone unless you use their app is particularly mean. Considering again where they are sending all the information they scrape.

dzonga

some of these things are just an effect of using chromium browsers.

use safari or Firefox. and chrome only for incognito web app testing.

tamimio

Amazing work, but it’s not surprising, I think anyone in cybersec space knows that LinkedIn is the number one source of information when it comes to track or ID someone, and I don’t mean just OSINT given the real data you have, but also three letters agencies love it, it’s a gold mine, wasn’t the silkroad owner busted because of the same personal email used on LinkedIn? So yeah, delete it, never use it, it’s full of corporate cringy nonsense anyway

kvisner

I can't say I needed yet another reason to hate the current state of LinkedIn, but I am not surprised in the slightest.

nathias

linkedin is full of dark patterns, it's really unfortunate it became the business default, all other social platforms get more criticism while being only a fraction as bad

bitfilped

Despite the misleading headline, I really don't understand why anyone uses linkedin, there will inevitably be a trailing rely of comments claiming it has some irreplaceable value in professional networking, but I don't buy it. Nobody I've ever talked to has been able to articulate any actual value provided by "connecting" to another person on a social networking site. If you want to build professional connections go to lunch, join community calls, attend professional events, and go to conferences.

trey-jones

The fact that every job application wants a link to my profile on a platform that tries to push "brain training puzzle and games" on me just makes me angry every single time. I really hate LinkedIn and my active rebellion against it is hurting my ability to find a new job.

I know there has been other LinkedIn hate on HN this week. I know they have some good tools for job searching and hiring. I still wish we as a society could move on and leave this one with MySpace.

da_grift_shift
bethekidyouwant

Chrome: lets website scan what extensions you have installed for some reason.

Fokamul

This is a result of browser fingerprinting.

My guess, Linkedin has been used for years as a source of valuable information for phishing/spear-phishing.

Maybe their motive is really spying. But more important for them is to fight against people botting Linkedin.

Imho, browser fingerprinting should be banned and EU should require browser companies to actively fight against it, not to help them (Fu Google)

jen729w

I can’t take an article seriously that starts:

> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software

and then proceeds not to explain how it’s doing that to me, a Safari user.

Because, spoiler: it isn’t. Or, it might try to search, and fail, and nothing will be collected.

liyu-aka-lukyu

Deleted my LinkedIn account. Fixed.

EdoardoIaga

The headline seems pretty misleading

dboreham

Exactly how is it "illegal" to run code that exercises some aspect of the legitimate browser API surface? Are there functions marked as legal, and others marked as illegal?

JoelMcCracken

This is true/valid in many ways, but the signs of significant AI gen are pretty obvious. And now I wonder how much of the overblown narrative is here.

This reminds me of the slop bug reports plaguing the curl project.

secretsatan

Just use Safari, it won't even load the page half the time.

j45

Browsers almost need a firewall against websites for the functions and scans being run on it by websites.

Different browsers have various settings available, but do we have a little snitch for a web browser?

knollimar

Reminder for windows control alt shift windows L

pjmlp

Another good reason not to use extensions, and leave whatever they do for utility apps.

donatj

If they are genuinely only using the information to detect bad actors and maintain site stability as the affidavit states, and if they can prove it, this seems like potentially a non-issue?

I am not a lawyer, but site stability seems like a GDPR "Legitimate Interest" in my book anyway.

callamdelaney

Typical microsoft

buellerbueller

When Aaron Swartz does it, it is the threat of life in prison leading to suicide. When a multibillion dollar company does it, it is just capitalism.

HOLD EXECS LEGALLY ACCOUNTABLE, CRIMINALLY AND CIVILLY, FOR THE CRIMES OF THEIR CORPORATIONS.

VladVladikoff

> The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.

OMG is literally every article written with LLMs these days I just can't anymore. It's all so tiring.

josefritzishere

Why can't we have nice things?

sourcegrift

The only explanation of linkedin being worth 44B is the prominent appearance of both bill gates (who started spending a day a week at MS after nadella became ceo) and reid hoffman in epstein files. The deal itself was finalized during Trump's first term. So everything checks out

_pdp_

The title is complete nonsense.

nxm

Nothing but click-bait.

maplethorpe

Doesn't it depend how they're storing the data? If it's sufficiently transformed, it could be considered fair use.

zephyrwhimsy

The proliferation of AI coding assistants is shifting the bottleneck from writing code to reviewing code. The developers who will thrive are those who develop strong code review instincts.