This works by looking for web accessible resources that are provided by the extensions. For Chrome, these are are available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH] https://developer.chrome.com/docs/extensions/reference/manif...
On Firefox, web accessible resources are available at "moz-extension://<extension-UUID>/myfile.png" <extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
For multi-browser setups (Firefox for fingerprint resistance, Chrome for the sites that only work there), cross-browser bookmark sync is weirdly undersolved. Xbrowsersync, marksyncr, and a few others exist but most people don't know about them.
Are they bit coin mining or are they just incompetent?
You can actually see what tabs are hogging CPU by pressing SHIFT-ESC to open the task manager (about:processes) inside Firefox.
https://fingerprint.com/
https://coveryourtracks.eff.org/
https://abrahamjuliot.github.io/creepjs/
Further, When I used Tor, a few sites, like Google, showed me Captchas for a while afterward, when using my _normal_ browser.
Further I heard that sites like PayPal are giving me black karma when I try to avoid Fingerprinting by using e.g. Tor.
The issue is them selling the data, or using it in unrelated locations, or trying to detect me as a person. And their programmers are not enforced and rewarded when they report such behavior to law agencies / the public. And the law is not punishing it.
Doesn't the idea of swapping extension specific IDs to your browser specific extension IDs mean that instead of your browser being identifiable, you become identifiable?
I mean, it goes from "Oh they have X, Y , and Z installed" to "Oh, it's jim bob, only he has that unique set of IDs for extensions"
The website should never be able to tell what's running in my browser, or on my computer in general. The browser renders the page, maybe runs a little Javascript, but there's no reason why it should be able to query anything about my environment.
I wonder how much stuff would break if the Chrome sandboxing was extended to preventing access to chrome-extension:// from Javascript loaded of random websites.
I presume the extension knows when it wants to access resources of its own. But random javascript, doesn't.
* if LinkedIn didn't get it from an existing data source
LinkedIn's fingerprinting code, as the README explains, is found in fingerprint.js[2], which embeds a big JSON literal with the IDs of the extensions it probes for. (Sickeningly enough, this data starts about two-thirds of the way through the file* and isn't the culprit behind the bulk of its 2.15 MB size…)
* On line 34394; the one starting:
const r = [{
id: "aacbpggdjcblgnmgjgpkpddliddineni",
file: "sidebar.html"
2. <https://github.com/mdp/linkedin-extension-fingerprinting/blo...>
However, they do contribute to security: Chrome was first to implement Site Isolation, sandboxing too. These are essential security features for modern browsers. They are also not doing too bad with patching and security testing.
Google became a monopoly. All monopolies do this.
If you want a clean chrome, use ungoogled-chromium. Like IE6, some stuff just doesn't work in librewolf (less scummy firefox), so I use ungoogled-chromium when so, and I just don't do anything googleish on it that it latches onto google again.
Screenshots found here https://x.com/DenisGobo/status/2018334684879438150
https://javascript.plainenglish.io/the-extensions-you-use-ar...
> ... it is used to check for abuse (bot use)
> If you follow a LinkedIn influencer and they get banned, now you know why.
https://blog.castle.io/detecting-browser-extensions-for-bot-...
* Overriding scroll speed on Firefox Web. Not sure why.
* Opening a profile on mobile web, then pressing back to go to last page, takes me to the LinkedIn homepage everytime.
* One of their analytic URLs is a randomly generated path on www.linkedin.com, supposedly to make it harder to block. Regex rules on ublock origin sufficiently stop this.
Anyone know why they could be doing this?
- back - hijacking it seems fairly common on malicious/dark-pattern sites to try to trap you on them. not sure why because you can just leave and it seems it would obviously piss someone off
- analytics paths - not everyone may know about/how to use regex rules for it or may use something else that doesn't support it (the stripped down ublock for chrome? i don't know if it can or not). sites seem to do this with malicious js code as well, presumably to prevent blocking
I think they want you to feel disoriented.
Why do they do all this bs and not fix the bug that happens when you insert Unicode U+202E in your name?
I've been having loads of fun with that but it's never been fixed. Anyone tagging me in a comment makes their input right-to-left unless they backspace the tag or insert newline. It also jumbles notification text because your name is concatenated to the notification static text.
You can also create an inverted link but it isn't clickable, just like other unicode links which aren't punycode-encoded on LinkedIn but aren't clickable (on the clients I've tried).
I did have a relatively early beef with Chrome though, whcih was I couldn't completely opt out of Flash. As in, I didn't even want it installed. This turned out to be an issue because Flash turned out to be one of the earliest vectors for so-called "zombie cookies".
Fingerprinting in general has been a longstanding problem and has become more and more advanced.
Add to this that Google is, first and foremost, an advertising business and they've become increasingly hostile to ad-bloccking tech for obvious reasons.
Basically what I'm getting at is something I couldn't have imagined a decade ago where I think I really have go switch away from Chrome to something that takes privacy and security seriously so that LinkedIn can't do things like this. And I increasingly don't trust Google to do that.
I actually have more trust in Apple because they have historically been user-focused eg blocking Meta's third party cookies. But obviously Safari isn't an option because it's not cross-platform.
I'm not sure I trust the current state of Mozilla. What's the alternative? Brave? Is Opera still a thing? I honestly don't know.
What I really want is a cross-platform browser written in Rust that black-holes ads out of the box. Why Rust? Memory safety. I simply don't trust a large C/C++ code to never have buffer overruns. Memory safety has become too important.
I don't want my browser to provide information on what extensions I'm using to a site and that shouldn't be a thing I have to ask for or turn on in any way.
Desktop - Librewolf
Android - Ironfox
It's already a sycophantic cesspool of corporate drones repeating mindless PR. I unfollow everyone who re"tweets" feel-good memes or corporate crap and I have very few people I follow left over :) Critical discussion doesn't exist, if I comment anything that's not 100% celebratory of so-called company successes I get blocked.
They infuriate me. Data harvesting machines in all ways. Incredibly user hostile.
Example: making me scroll endlessly through attendee lists. Lack of good filters. Etc. Can’t download attendee lists.
I finally lost my patience and wrote a Selenium script to page through an app and extract everything. Worked well after some initial trial and error.
1. Bot prevention. If the bots don't know that you're doing this, you might have a reliable bot detector for a while. The bots will quite possibly have no extensions at all, or even better specific exact combination they always use. Noticing bots means you can block them from scraping your site or spamming your users. If you wanna be very fancy, you could provide fake data or quietly ignore the stuff they create on the site.
2. Spamming/misuse evasion. Imagine an extension called "Send Messages to everybody with a given job role at this company." LinkedIn would prefer not to allow that, probably because they'd want to sell that feature.
3. User tracking.
I imagine most users will also not have extensions at all, so this would not be a reliable metric to track bots. Maybe it might be hard to imagine for someone whose first thing to do after installing a web browser is to install some extensions that they absolutely can't live without (ublock origin, privacy badger, dark mode reader, noscript, vimium c, whatever). But I imagine the majority of casual users do not install any extensions or even know of its existence (Maybe besides some people using something like Grammarly, or Honey, since they aggressively advertise on Youtube).
I do agree with the rest of your reasons though, like if bots used a specific exact combinations of extensions, or if there was an extension specifically for linkedin scraping/automation they want to detect, and of course, user tracking.
Wonder if with things like Moltbot taking the scene, a form of “undetectable LinkedIn automation” will start to manifest. At some point they won’t be able to distinguish between a chronically online seller adding 100 people per day with personalized messages, or an AI doing it with the same mannerisms.
[1] https://business.linkedin.com/sales-solutions/social-selling...
I would guess this is for rate limiting and abuse detection.
I get that the CSV lists the extensions, and the tools are provided in order to show work (mapping IDs to actual software). But how was it determined that LinkedIn checks for extensions with these IDs?
And is this relevant for non-Chrome users?
https://blog.castle.io/detecting-browser-extensions-for-bot-...
https://www.nymeria.io/blog/linkedins-war-on-email-finder-ex...
The big one that comes to mind is "Contact Out" which is scan-able, but LinkedIn seems to pretend like it doesn't exist? Smells like a deal happened behind the scenes...
https://chromewebstore.google.com/detail/email-finder-by-con...
A $7.5B chip merger
Pinterest prepares layoffs
Healthcare premiums surge
Autodesk to cut 7% of jobs
Ozempic keeps getting cheaper
And what's with some of these? Bad mouthing employers is an odd choice for a platform that makes its money from them? Or perhaps now all the revenue is ad derived?
You can try this by opening devtools and setting
localStorage.setItem('hi', 123) cut -d',' -f2 chrome_extensions_with_names_all.csv | grep -c "AI"
474
Perhaps an overly aggressive attempt to block bots.
I didn't find popular extensions like uBlock or other ad blockers.
The list is full of scammy looking data collection and AI tools, though. Some random names from scrolling through the list:
- LinkedGPT: ChatGPT for LinkedIn
- Apollo Scraper - Extract & Export Apollo B2B Leads
- AI Social Media Assistant
- LinkedIn Engagement Assistant
- LinkedIn Lead Magnet
- LinkedIn Extraction Tool - OutreachSheet
- Highperformr AI - Phone Number and Email Finder
- AI Agent For Jobs
These look like the kind of tools scummy recruiters and sales people use to identify targets for mass spamming. I see several AI auto-application tools in there too.
Unsurprising outcome since uBlock (specifically: uBlock Origin Lite, the only version available for Chrome on the Chrome Web Store) makes itself undetectable using this method. (All of its content-accessible resources have "use_dynamic_url" set to "true" in its extension manifest.) So its absence in this data is not dispositive of any actual intent by LinkedIn to exclude it—because they couldn't have included it even if they wanted to.
Also, not all of them are data collection tools. There are ad blockers listed (Hide LinkedIn Ads, SBlock - Super Ad Blocker) and just general extensions (Ground News - Bias Checker, Jigit Studio - Screen Recorder, RealEyes.ai — Detect Deepfakes Across Online Platforms, Airtable Clipper).
const msg = createDoneMessage(); msg.style.opacity = '1';
console.log("Extensions sorted alphabetically!");
console.table(sortedCards.map(c => ({
name: getName(c),
id: c.id || '—'(Alternatively extension developers can modify their extensions to block these requests!)
Does Firefox have a similar weakness?
Edit: Confirmed. It's not pinging the Chrome Web Store. https://blog.castle.io/detecting-browser-extensions-for-bot-...
Should be patched nonetheless though, that's a pretty obscene fingerprinting vector.
- why does CWS respond to cross-site requests?
- why is chrome sending the credentials (or equivalent) in these requests?
- why is the button enabled server-side and not via JS? Google must be confident in knowing the exact and latest state of your installed extensions enough to store it on their servers, I guess
Typical early hooks: • fetch wrapper • XMLHttpRequest.prototype.open/send wrapper • WebSocket constructor wrapper • history.pushState/replaceState wrapper • EventTarget.addEventListener wrapper (optional, heavy) • MutationObserver for DOM diffs • Error + unhandledrejection capture