The Next Web (TNW)
LinkedIn Secretly Scans 6,000 Browser Extensions

LinkedIn fingerprints devs' browsers: protect privacy on key AI job/networking platform
30-Second TL;DR
What Changed
Hidden JS probes for 6,000+ extensions silently
Why It Matters
Raises privacy concerns for professionals using LinkedIn for networking and job searches. Could erode user trust in Microsoft-owned platform amid growing scrutiny on tracking.
What To Do Next
Audit browser extensions and use incognito mode or privacy-focused browsers before accessing LinkedIn.
Who should care: Developers & AI Engineers
Deep Insight
AI-generated analysis for this event.
Enhanced Key Takeaways
- Security researchers identified that the technique utilizes 'web accessible resources' within the manifest.json files of installed extensions to perform side-channel attacks, allowing LinkedIn to detect specific software without explicit browser permissions.
- The practice is primarily aimed at fraud detection and bot mitigation, specifically targeting automated scraping tools or malicious extensions that inject content into the LinkedIn DOM, rather than just user tracking.
- Browser vendors, particularly Google, have faced increased pressure to restrict the 'web_accessible_resources' API in response to this discovery, as it facilitates cross-site fingerprinting that bypasses standard privacy protections.
Technical Deep Dive
- The routine executes a series of 'fetch' requests to known extension-specific URLs (e.g., chrome-extension://[extension-id]/manifest.json).
- A successful response (200 OK) confirms the extension's presence, while a failure (404 or blocked) indicates absence.
- The 48 characteristics collected include canvas fingerprinting, WebGL renderer information, audio context analysis, and battery status API data.
- The resulting fingerprint is hashed using a proprietary algorithm and transmitted via a custom header in XHR/Fetch requests to LinkedIn's backend infrastructure.
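An added example, not code from the article or from LinkedIn: a web page can only fetch an extension file that the extension's manifest.json lists under web_accessible_resources, so auditing that key shows which installed extensions a probing site could detect at a static URL. The three manifests are constructed samples for hypothetical extensions, and the match-pattern check is simplified to scheme and host.

```python
import json
from urllib.parse import urlsplit

def exposed_resources(manifest):
    """Normalise MV2 and MV3 web_accessible_resources into one list of entries."""
    entries = []
    for item in manifest.get("web_accessible_resources", []):
        if isinstance(item, str):  # MV2: bare path, readable by any web page
            entries.append({"resources": [item], "matches": ["<all_urls>"], "dynamic": False})
        else:  # MV3: object scoped by "matches" and/or "extension_ids"
            entries.append({"resources": item.get("resources", []),
                            "matches": item.get("matches", []),
                            "dynamic": bool(item.get("use_dynamic_url", False))})
    return entries

def pattern_covers(pattern, origin):
    """Simplified match-pattern check: compares scheme and host only (assumption)."""
    if pattern == "<all_urls>":
        return True
    p_scheme, _, rest = pattern.partition("://")
    p_host = rest.split("/", 1)[0]
    o = urlsplit(origin)
    if p_scheme not in ("*", o.scheme):
        return False
    if p_host == "*":
        return True
    if p_host.startswith("*."):  # "*.example.org" covers the apex and subdomains
        return o.hostname == p_host[2:] or o.hostname.endswith(p_host[1:])
    return o.hostname == p_host

def probeable_paths(manifest, origin):
    """Resource patterns a page on `origin` could request at a static extension URL."""
    hits = []
    for e in exposed_resources(manifest):
        # use_dynamic_url serves the file under a per-session ID, so a known-ID probe misses
        if not e["dynamic"] and any(pattern_covers(m, origin) for m in e["matches"]):
            hits.extend(e["resources"])
    return hits

# Constructed sample manifests (hypothetical extensions, not taken from the article)
MV2 = json.loads('{"manifest_version": 2, "web_accessible_resources": ["img/icon.png"]}')
MV3_SCOPED = json.loads('{"manifest_version": 3, "web_accessible_resources": '
                        '[{"resources": ["inject.js"], "matches": ["https://*.example.org/*"]}]}')
MV3_DYNAMIC = json.loads('{"manifest_version": 3, "web_accessible_resources": [{"resources": '
                         '["ui.html"], "matches": ["<all_urls>"], "use_dynamic_url": true}]}')

if __name__ == "__main__":
    for name, m in [("mv2", MV2), ("mv3-scoped", MV3_SCOPED), ("mv3-dynamic", MV3_DYNAMIC)]:
        print(name, probeable_paths(m, "https://www.linkedin.com"))
```

An empty result for an origin means the extension exposes nothing that origin can request at a predictable URL; a non-empty result is the set of files worth scoping with "matches" or "use_dynamic_url".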
Future Implications
AI analysis grounded in cited sources
Browser vendors will deprecate or restrict 'web_accessible_resources' access.
The widespread abuse of this feature for fingerprinting forces browser developers to prioritize privacy over legacy extension compatibility.
LinkedIn will face regulatory scrutiny under GDPR and CCPA.
The lack of explicit user consent for collecting device-specific hardware identifiers constitutes a potential violation of data transparency requirements.
Timeline
2024-11
Initial discovery of suspicious fingerprinting scripts by independent security researchers.
2025-03
LinkedIn updates its privacy policy to include broader language regarding 'security and fraud prevention' measures.
2026-02
Public disclosure of 'BrowserGate' findings by security analysts, triggering widespread media coverage.
AI-curated news aggregator. All content rights belong to original publishers.
Original source: The Next Web (TNW)
