frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

LinkedIn checks for 2953 browser extensions

https://github.com/mdp/linkedin-extension-fingerprinting
155•mdp•1h ago

Comments

lapcat•1h ago
[removed]
ronsor•1h ago
This is a security vulnerability and should be patched. Sorry, LinkedIn.

(Alternatively extension developers can modify their extensions to block these requests!)

0cf8612b2e1e•1h ago
No kidding. I am shocked this works.

Does Firefox have a similar weakness?

burkaman•1h ago
I don't see any evidence of this happening in Firefox. Either it's more difficult or they just didn't bother, either way I'm happy.

Edit: Can't find much documentation on exactly how the anti-fingerprinting works, but this page implies that the browser blocks extension detection: https://support.mozilla.org/en-US/kb/trackers-and-scripts-fi...

cxr•1h ago
It doesn't work. The person who posted the comment you're responding to has absolutely no idea what he's talking about. He confabulated the entire explanation based on a single misunderstood block of code containing the comment «Remove " - Chrome Web Store" suffix if present» in the (local, NodeJS-powered) scraper that the person who's publishing this data themselves used to fetch extension names.
tech234a•1h ago
No. Firefox always randomizes the extension ID used for URLs to web accessible resources on each restart [1]. Apparently, manifest v3 extensions on Chromium can now opt into similar behavior [2].

[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

[2]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

toomuchtodo•1h ago
Is there no browser setting to defend against this attack? If not, there should be, versus relying on extension authors to configure or enable such a setting.
zahlman•1h ago
I imagine that it would require browsers to treat web requests from JS differently from those initiated by the user, specifically pretending the JS-originating requests are by logged-out or "incognito" users (by, I suppose, simply not forwarding any local credentials along, but maybe there's more to it than that).

Which would probably wreak havoc with a lot of web apps, at least requiring some kind of same-origin policy. And maybe it messes with OAuth or something. But it does seem at least feasible.

circuit10•49m ago
As people have said it’s not making requests to web store, that’s just part of this repository looking for what extensions it’s blocking via nodejs

Browsers already have strong protections against that sort of thing, look up the same-origin policy and CORS

zahlman•37m ago
I see, I was too credulous.
MrGilbert•1h ago
I'm not sure how you'd patch that. Any request that’s made from the current open tab / window is made on behalf of the user. From my point of view, it's impossible for the browser to know, if the request is legit or not.
ronsor•1h ago
An ideal implementation of the same origin policy would make it impossible for a site (through a fetch call or otherwise) to determine whether an extension resource exists/is installed or the site simply lacks permission to access it.
cobertos•1h ago
Wouldn't that mean 2900 requests from fingerprint.js??
halapro•1h ago
If this is true, it's insane that this would work:

- why does CWS respond to cross-site requests?

- why is chrome sending the credentials (or equivalent) in these requests?

- why is the button enabled server-side and not via JS? Google must be confident in knowing the exact and latest state of your installed extensions enough to store it on their servers, I guess

cxr•59m ago
It's not true. The person you're responding to has a habit of posting implausible-but-plausibly-plausible nonsense, and that's not how this works at all.
lapcat•12m ago
I made the mistake of trying to skim the code hastily before I had to leave to run an errand, and yes it turns out I was wrong, but please refrain from the personal comments, and no, I don't have any such "habit."
usefulposter•1h ago
Isn't it enumerating web_accessible_resources? Below static collectFeatures(e, t) there is a mapping of extension IDs to files in the const r (Minified JS, obviously.)

Edit: Confirmed. It's not pinging the Chrome Web Store. https://blog.castle.io/detecting-browser-extensions-for-bot-...

jsheard•1h ago
Looks to me like LinkedIn is fetching chrome-extension://{extension id}/{known filename} and seeing if it succeeds, not pinging the web store.

Should be patched nonetheless though, that's a pretty obscene fingerprinting vector.

what•47m ago
How do you patch it? The extensions themselves (presumably) need to access the same web accessible resources from their content scripts. How do you differentiate between some extension’s content script requesting the resource and LinkedIn requesting it?
jsheard•44m ago
Firefox already mitigates this by randomizing the extension path: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

    The file is then available using a URL like: moz-extension://<extension-UUID>/images/my-image.png"
    <extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance.
    This prevents websites from fingerprinting a browser by examining the extensions it has installed.
zahlman•38m ago
Doesn't the browser know which script it's running?

Why can't it just deny access to the specified path, except to the extension itself?

cxr•15m ago
It does by default, except for the files from the extension that the extension author has explicitly designated as content-accessible. It's explained ("Using web_accessible_resources") at the other end of the link.
chocolatkey•1h ago
That’s incorrect, it’s trying to load an asset (hardcoded unique per-extension path) for each extension, there is a huge list of these in the source code: https://raw.githubusercontent.com/mdp/linkedin-extension-fin...
minkeymaniac•1h ago
I can confirm.. open up linkedIn.. hit F12 and watch the error count keep going up and up and up

Screenshots found here https://x.com/DenisGobo/status/2018334684879438150

9021007•1h ago
xcancel link: https://xcancel.com/DenisGobo/status/2018334684879438150
mongrelion•1h ago
Curious question: why would they check for installed extensions on one's browser?
jppope•1h ago
most automations for sales and marketing use browser extensions... linkedIn wants you using their tools not 3rd party
Nextgrid•1h ago
Their own tools suck, that’s the issue.
HPsquared•1h ago
An attempt at fingerprinting, I suppose?
staticshock•1h ago
For a social network, more information about their users = better ad targeting. It likely gets plumbed into models to inform user profiles.
Aurornis•1h ago
Look at the actual list. It's primarily questionable AI tools, scrapers, lead generation tools, and other plugins in that vein.

I would guess this is for rate limiting and abuse detection.

CobrastanJorji•51m ago
Fingerprinting. There are a few reasons you'd do it:

1. Bot prevention. If the bots don't know that you're doing this, you might have a reliable bot detector for a while. The bots will quite possibly have no extensions at all, or even better specific exact combination they always use. Noticing bots means you can block them from scraping your site or spamming your users. If you wanna be very fancy, you could provide fake data or quietly ignore the stuff they create on the site.

2. Spamming/misuse evasion. Imagine an extension called "Send Messages to everybody with a given job role at this company." LinkedIn would prefer not to allow that, probably because they'd want to sell that feature.

3. User tracking.

rdoherty•1h ago
Skimming the list, looks like most extensions are for scraping or automating LinkedIn usage. Not surprising as there's money to be made with LinkedIn data. Scraping was a problem when I worked there, the abuse teams built some reasonably sophisticated detection & prevention, and it was a constant battle.
hsbauauvhabzb•1h ago
Wont someone think of poor little LinkedIn, a subsidiary of one of the largest data brokers in the world?
charcircuit•1h ago
Why frame what you are trying to say like that? Businesses of all sizes deserve the ability to protect their businesses from abuse.
ronsor•1h ago
I think they framed it this way because they don't consider scraping abuse (to be fair, neither do I, as long as it doesn't overload the site). Botting accounts for spam is clear abuse, however, so that's fair game.
hsbauauvhabzb•47m ago
No, I consider all data collection and scraping egregious. From that perspective, LinkedIn is hypocritical when Microsoft discloses every filesystem search I do locally to bing.
schmidtleonard•1h ago
The big social media businesses deserve a Teddy Roosevelt character swooping in and busting their trusts, forcing them to play ball with others even if it destroys their moats. Boo hoo! Good riddance. World's tiniest violin.

This is a popular position across the aisle. Here's hoping the next guy can't be bought, or at least asks for more than a $400M tacky gold ballroom!

sellmesoap•1h ago
We enjoy the fruits of an LLM or two from time to time, derived from hoards of ill gotten data. Linkedin has the resourses to attempt to block scraping, but even at the resource scale of LI I doubt the effort is effective.
charcircuit•1h ago
I am not denying that scraping is useful. If it wasn't people wouldn't do it. But if the site rules say you aren't allowed to scrape, then I don't think people should be hostile towards the people enforcing the rules.
ronsor•1h ago
Well, they can try to enforce the rules; that's perfectly fair. At the same time, there are many methods of "trying" which I would not consider valid or acceptable ones. "Enforcing the rules" does not give a carte blanche right to snoop and do "whatever's necessary." Sony tried that with their CD rootkits and got multiple lawsuits.
jmward01•59m ago
Do they respect my data? Why do they get to track me across sites when I clearly don't want them to but someone can't scrape their data when they don't want them to. Why should big companies get the pass but individuals not? They clearly consider internet traffic fair game and are invasive and abusive about it so it is not only fair to be invasive and abusive back, it is self defense at this point.
hsbauauvhabzb•45m ago
They don’t need to track your web browser when they’re owned by Microsoft, because they track every action at a lower level.
missingdays•39m ago
What lower level? Microsoft owns internet?
zelphirkalt•28m ago
The operating system. For example see the Windows 11 screenshot debacle/scandal.
nitwit005•49m ago
I'm sure there are issues with fake accounts for scraping, but the core issue is that LinkedIn considers the data valuable. LinkedIn wants to be able to sell the data, or access to it at least, and the scrapers undermine that.

They could stop all the scraping by providing a downloadable data bundle like Wikipedia.

compiler-guy•38m ago
LLMs scrape Wikipedia all the time, or at least attempt to.

The data bundle doesn't help that at all.

b112•26m ago
Yes, until it becomes abusive and malignly affects innocents.
xp84•1h ago
I mean, regardless of who they are or even if you don’t like what LinkedIn does themselves with the data people have given them, the random third parties with the extensions don’t additionally deserve to just grab all that data too, do they?
mathfailure•1h ago
Surely they do! The data is in the public internets, aren't they?
ronsor•1h ago
They'd put Widevine or PlayReady DRM on the website if they could, I'm sure.
bigfishrunning•40m ago
why can't they?
josephg•47m ago
Eh. I worked at a company which made an extension which scraped LinkedIn. We provided a service to recruiters, who would start a hiring process by putting candidates into our system.

The recruiters all had LinkedIn paid accounts, and could access all of this data on the web. We made a browser extension so they wouldn’t need to do any manual data entry. Recruiters loved the extension because it saved them time.

I think it was a legitimate use. We were making LinkedIn more useful to some of their actual customers (recruiters) by adding a somewhat cursed api integration via a chrome extension. Forcing recruiters to copy and paste did’t help anyone. Our extension only grabbed content on the page the recruiter had open. It was purely read only and scoped by the user.

hsbauauvhabzb•6m ago
I say the same thing about my start menu sending every action I perform to bing.
bryanrasmussen•1h ago
from the code doesn't look like they do anything if they have a match, they just save all the results to a csv for fingerprinting?
cxr•34m ago
"The code" here you're referring to (fetch_extension_names.js[1]) isn't and doesn't claim to be LinkedIn's fingerprinting code. It's a scraper that the researcher behind this repo wrote in order to themselves create the CSV that they're publishing.

LinkedIn's fingerprinting code, as the README explains, is found in fingerprint.js[2], which embeds a big JSON literal with the IDs of the extensions it probes for. (Sickeningly enough, this data starts about two-thirds of the way through the file* and isn't the culprit behind the bulk of its 2.15 MB size…)

* the one (on line 34394) starting:

    const r = [{
                id: "aacbpggdjcblgnmgjgpkpddliddineni",
                file: "sidebar.html"
1. <https://github.com/mdp/linkedin-extension-fingerprinting/blo...>

2. <https://github.com/mdp/linkedin-extension-fingerprinting/blo...>

cxr•46m ago
In order to create the data source that LinkedIn's extension-fingerprinting relies on to work, someone (at LinkedIn*?) almost certainly violated the Chrome Web Store TOS—by (perversely*) scraping it.

* if LinkedIn didn't take the data from an existing data source

winddude•37m ago
a problem for linkedin != "a problem". The real problem for people is the back room data brokering linkedin and others do.
zahlman•1h ago
> This repository documents every extension LinkedIn checks for and provides tools to identify them.

I get that the CSV lists the extensions, and the tools are provided in order to show work (mapping IDs to actual software). But how was it determined that LinkedIn checks for extensions with these IDs?

And is this relevant for non-Chrome users?

usefulposter•1h ago
Technical writeup from a few weeks ago by a vendor that explains how LinkedIn does it, then boasts that their approach is "quieter, harder to notice, and easier to run at scale":

https://blog.castle.io/detecting-browser-extensions-for-bot-...

Aurornis•1h ago
I suggest everyone take a look at the list of extensions and their names for some very important context: https://github.com/mdp/linkedin-extension-fingerprinting/blo...

I didn't find popular extensions like uBlock or other ad blockers.

The list is full of scammy looking data collection and AI tools, though. Some random names from scrolling through the list:

- LinkedGPT: ChatGPT for LinkedIn

- Apollo Scraper - Extract & Export Apollo B2B Leads

- AI Social Media Assistant

- LinkedIn Engagement Assistant

- LinkedIn Lead Magnet

- LinkedIn Extraction Tool - OutreachSheet

- Highperformr AI - Phone Number and Email Finder

- AI Agent For Jobs

These look like the kind of tools scummy recruiters and sales people use to identify targets for mass spamming. I see several AI auto-application tools in there too.

cbsks•1h ago
Looks like Firefox is immune.

This works by looking for web accessible resources that are provided by the extensions. For Chrome, these are are available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH] https://developer.chrome.com/docs/extensions/reference/manif...

On Firefox, web accessible resources are available at "moz-extension://<extension-UUID>/myfile.png" <extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

awesome_dude•36m ago
This is probably a naive question, but...

Doesn't the idea of swapping extension specific IDs to your browser specific extension IDs mean that instead of your browser being identifiable, you become identifiable?

I mean, it goes from "Oh they have X, Y , and Z installed" to "Oh, it's jim bob, only he has that unique set of IDs for extensions"

triceratops•33m ago
It's not a naive question. This comment says it's not possible to do that: https://news.ycombinator.com/item?id=46905213
awesome_dude•31m ago
Oh, it's (re)randomised upon each restart, whew, thanks for the heads up

edit: er, I think that that also suggests that I need to restart firefox more often...

b112•31m ago
Maybe, but how long are the extension ids? And if they are random, how long to scan a trillion random alphanumeric ids, to find matches?

I presume the extension knows when it wants to access resources of its own. But random javascript, doesn't.

maples37•24m ago
The extension IDs are UUIDs/GUIDs, so 128 bits of entropy. No site is going to be able to successfully scan that full range.
rchaud•35m ago
And they said that using a browser with sub-5% market share would cause us to miss out on the latest and greatest in web technology!
dana321•32m ago
chrome was made by ex-firefox devs, chrome is still not as good!
hasperdi•58m ago
Another thing... they alter the localStorage & sessionStorage prototype, by wrapping the native ones with a wrapper that prevent keys that not in their whitelist from being set.

You can try this by opening devtools and setting

  localStorage.setItem('hi', 123)
tech234a•58m ago
See also: a demo page for the same technique that can enumerate many extensions installed in your browser: https://browserleaks.com/chrome
shouldnt_be•45m ago
I wrote an article about it a couple of months ago. I also explain why, how and a way to prevent it.

https://javascript.plainenglish.io/the-extensions-you-use-ar...

jmholla•43m ago
To clarify, you talk about why it's possible, not why LinkedIn is doing it, right? Or did I miss something in your article.
DrStartup•42m ago
Setup a quick CDP connection. Have Claude Code attach and inject JS into Page.addScriptToEvaluateOnNewDocument. Loads before the page.

Typical early hooks: • fetch wrapper • XMLHttpRequest.prototype.open/send wrapper • WebSocket constructor wrapper • history.pushState/replaceState wrapper • EventTarget.addEventListener wrapper (optional, heavy) • MutationObserver for DOM diffs • Error + unhandledrejection capture

shj2105•37m ago
what would this do?
input_sh•33m ago

    cut -d',' -f2 chrome_extensions_with_names_all.csv | grep -c "AI"
    474
Only 16%!?
unstatusthequo•33m ago
I’m probably on the list. I made a LinkedIn Redactor that allowed you to add keywords and remove posts from your thread that included such words. It’s the X feature but for LinkedIn. Anyway, got a cease and desist from those lame fucks at LI. So I removed from the chrome store but it’s still available on GitHub.
avastel•32m ago
I wrote a blog post recently about the technique used by LinkedIn to do extension probing, as well as other ways to do it with less side effects

https://blog.castle.io/detecting-browser-extensions-for-bot-...

bastard_op•7m ago
Chrome is the new IE6. Google set themselves up to be the next Microsoft and is "ad friendly" in all the creepy ways because that's what Google IS an ad company. All they've contributed to security is diminishing the capability of adblockers and letting malware to do bad things to you as consumers.
0xbadcafebee•5m ago
[delayed]
themafia•5m ago
> Google set themselves up to be the next Microsoft

Google became a monopoly. All monopolies do this.

OpenClaw (MoltBot) as a Service on DigitalOcean

https://www.digitalocean.com/blog/openclaw-digitalocean-app-platform
1•perelin•52s ago•0 comments

Show HN: Linear MCP Fast – 10x faster Linear MCP reads from local cache

https://github.com/everything-chalna/linear-mcp-fast
1•liabilityuk0•2m ago•0 comments

My Issues with ProtonMail

https://tildeweb.nl/~michiel/protonmail-issues.html
2•roywashere•6m ago•0 comments

Jane Street Blog – What if writing tests was a joyful experience?

https://blog.janestreet.com/the-joy-of-expect-tests/
1•ryanhn•8m ago•0 comments

I accidentally became a FOSS maintainer

https://www.hughrundle.net/i-accidentally-became-a-foss-maintainer-and-all-i-got-was-this-lousy-n...
1•cratermoon•8m ago•0 comments

What Every Programmer Should Know About Memory [pdf]

https://people.freebsd.org/~lstewart/articles/cpumemory.pdf
1•sebg•9m ago•0 comments

I design with Claude more than Figma now

https://blog.janestreet.com/i-design-with-claude-code-more-than-figma-now-index/
1•jsomers•12m ago•0 comments

Show HN: Sop-agents – Write Markdown, get coordinated agents

https://github.com/serverless-dna/sop-agents
1•walmsles•14m ago•1 comments

Binance denies issuing legal threats over insolvency allegations

https://www.theblock.co/post/388578/binance-denies-issuing-legal-threats
1•decimalenough•16m ago•0 comments

Dash0 CLI v1.0.0

https://github.com/dash0hq/dash0-cli
1•puppion•16m ago•0 comments

Merkle trees and build systems with OSTree and ninja

https://lwn.net/Articles/821367/
2•fanf2•17m ago•0 comments

Review of 1984 by Isaac Asimov (1980)

https://www.newworker.org/ncptrory/1984.htm
4•doruk101•19m ago•1 comments

Show HN: A note-taking tool for homebuyers

https://tournotes.my/
1•bschwartz9•20m ago•0 comments

Slack CLI for Agents (OSS)

https://github.com/stablyai/agent-slack
2•nwparker•21m ago•1 comments

Flower Labs and Starcloud Reach a Major AI Milestone in Orbit

https://flower.ai/blog/2026-02-02-flower-labs-and-starcloud-reach-ai-milestone-in-orbit/
2•danieljanes•22m ago•1 comments

Show HN: Dream-team – assemble a team of Claude Code agents for your task

https://github.com/drbscl/dream-team
1•drbscl•22m ago•0 comments

Git's Magic Files

https://nesbitt.io/2026/02/05/git-magic-files.html
1•zdw•23m ago•0 comments

Martin Luther (German)

https://en.wikipedia.org/wiki/Martin_Luther
2•barrister•28m ago•2 comments

Claude Code Tips

https://www.builder.io/blog/claude-code
1•testelastic•28m ago•0 comments

Elon Musk is getting serious about orbital data centers

https://techcrunch.com/2026/02/05/elon-musk-is-getting-serious-about-orbital-data-centers/
2•evo_9•31m ago•3 comments

San Francisco is seeing a jobless AI boom

https://www.sfexaminer.com/news/technology/san-francisco-ai-boom-tech-jobs-plateau/article_f1b372...
1•randycupertino•31m ago•0 comments

Team unveils simpler, faster way to make vaccines

https://medicalxpress.com/news/2026-01-team-unveils-simpler-faster-vaccines.html
2•PaulHoule•31m ago•0 comments

"Slow Tuesday Night" by R. A. Lafferty (2015)

http://apbsal.blogspot.com/2015/01/slow-tuesday-night-by-r-lafferty.html
1•walterbell•32m ago•1 comments

Django Reinhardt

https://en.wikipedia.org/wiki/Django_Reinhardt
1•barrister•33m ago•2 comments

O Que é Desenvolvimento Pessoal E Profissional de Verdade

https://voltepracaixa.substack.com/p/o-que-e-desenvolvimento-pessoal-e
1•wmeller•35m ago•0 comments

It's 2026, Just Use Postgres

https://www.tigerdata.com/blog/its-2026-just-use-postgres
22•turtles3•35m ago•1 comments

Epstein Graph Visualization

https://epsteinsecrets.com/network
3•oldfuture•36m ago•0 comments

Recursive Self-Improvement (Part I)

https://www.hyperdimensional.co/p/on-recursive-self-improvement-part
1•typeofhuman•38m ago•0 comments

Live agent face-off in CivBench: Claude Opus 4.6 vs. GPT-5.2

https://www.clashai.live
3•mbh159•39m ago•3 comments

Infrastructure configuration can swing coding evals by several % points

https://www.anthropic.com/engineering/infrastructure-noise
4•jackyzhao•42m ago•0 comments