Why is my Chrome telling random websites which extensions I have installed?
LinkedIn runs an extension scan against a hardcoded list of 6,278 Chrome extensions on every visit. Detected results are packaged into encrypted telemetry and injected as an HTTP header into every subsequent API request during your session. This data can be used to identify your religious affiliations, tax bracket, job search intent, and more.
I verified this myself and traced the implementation. Details and the technical breakdown in the article.
And certainly fingerprint you, right?
"What is not a question is that a criminal investigation is now open." Good. These companies deserve each and every stone thrown at them, and much more.
friends, WHEN you are asked to implement something like this at your job, which will you choose: object (& hold ground, lose job) OR comply (& keep job)
as practitioners, where do we hold the line between telemetry and surveillance?
I choose not to work at places like LinkedIn, Meta, or any place that accepts Saudi or Israeli funding. It makes it a little harder to find a job, but I sleep better at night.
Interesting, so would Safari prevent this? I tried moving to Safari and honestly loved everything except I use my Google accounts now for authenticating with too many services and that was a pain compared to Chrome.
Even better! Moving to Firefox fixes this.
Chrome for some reason (still!) gives extensions static ids. Firefox has the id change per Firefox instance.
Seems to only happen in Chrome, per the dev of Wipr (a great Safari privacy extension) https://mas.to/@mipstian/116341745221356805
I would imagine using any non-Chromium browser would cause it to fail to find any Chrome extensions, yes.
Sure, but Safari may or may not leak Safari extension signals in a similar fashion. I haven't actually investigated.
Well, if you’re logged in to Google don’t you just SSO everywhere?
I honestly kind of forget the exact annoyances because it has been some time. I want to say I had to reauth every time I wanted to SSO with my Google account because it doesn't allow/deletes third party cookies.
Well, I deleted my LinkedIn account and life is better now.
See also "LinkedIn is searching your browser extensions" (812 comments) https://news.ycombinator.com/item?id=47613981
[dupe]
Discussion: https://news.ycombinator.com/item?id=47613981
28 days ago, 1897 points, 812 comments
I did that and got logged out of LinkedIn.
Wasn't this specifically some lame-ass attempt to combat some click fraud or something these extensions were doing? And aren't these articles specifically coming from the person doing the fraud (which is why they know about the extension scanning)?
To be clear, LinkedIn shouldn't be scanning your browser extensions, but still. The ultimate problem is that browser extensions are a powerful malware vector and there's a huge market of people buying little utilities off of solo developers to enshittify them.
Can ask the same question about so many horrible security blunders web browsers have made over the decades.
They are only blunders if they aren't being used as features by someone