LinkedIn checks for 2953 browser extensions

Mechanism of LinkedIn’s extension detection

  • Code probes chrome-extension://<id>/<known file> for ~2950 extensions and infers presence from successful loads, not by calling the Chrome Web Store.
  • Targets web_accessible_resources declared in extension manifests; a large hardcoded list of {id, file} pairs is embedded in fingerprint.js.
  • In addition to extensions, the same script fingerprints WebGL capabilities, fonts, and other browser features, and ties into reCAPTCHA v3.
  • LinkedIn also wraps localStorage / sessionStorage to whitelist allowed keys, preventing arbitrary per-site storage.

Browser differences and defenses

  • Firefox randomizes moz-extension://<UUID>/... paths per browser instance, and UUIDs are not tied to the extension ID, making this technique effectively useless there.
  • Manifest V3 adds options (including in Chromium) to randomize or limit web-accessible resource URLs and to scope them to specific sites.
  • Popular content blockers like uBlock Origin Lite deliberately set use_dynamic_url so this probing method can’t reliably detect them.
  • Brave, as currently implemented, appears vulnerable in the same way as Chrome. There is no consensus on a generic browser setting that blocks this without breaking legitimate extension behavior.
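
The manifest-side defenses listed above (scoping resources to specific sites, use_dynamic_url) can be checked mechanically. The following is an added example, not code from LinkedIn's script or from any extension named here: it audits a parsed manifest.json and rates each web-accessible resource by how easily a page could probe it. The function names, risk labels and sample manifests are assumptions constructed for illustration.

```javascript
// Added example: rate each web-accessible resource in a manifest by probe exposure.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version !== 3) {
    // Manifest V2: a flat list of paths, each loadable by every site at a fixed URL.
    for (const path of war) {
      findings.push({ resource: path, risk: "high", reason: "MV2 entry, readable by any site" });
    }
    return findings;
  }
  for (const entry of war) {
    const matches = entry.matches || [];
    const broad = matches.some((m) => BROAD.has(m));
    for (const path of entry.resources || []) {
      if (matches.length === 0) continue; // exposed to other extensions only, not to pages
      if (entry.use_dynamic_url === true) {
        findings.push({ resource: path, risk: "low", reason: "use_dynamic_url is set" });
      } else if (broad) {
        findings.push({ resource: path, risk: "high", reason: "static URL, readable by any site" });
      } else {
        findings.push({ resource: path, risk: "medium", reason: "static URL, scoped to " + matches.join(", ") });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLES = {
  mv2: { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  broad: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.css"], matches: ["<all_urls>"] }] },
  scoped: { manifest_version: 3, web_accessible_resources: [
    { resources: ["panel.html"], matches: ["https://example.com/*"] }] },
  dynamic: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.css"], matches: ["<all_urls>"], use_dynamic_url: true }] },
};

function auditSamples() {
  const out = {};
  for (const [name, manifest] of Object.entries(SAMPLES)) out[name] = auditManifest(manifest);
  return out;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

A "medium" entry is still probe-able by the sites listed in its matches, so a resource scoped to the very site doing the probing is as exposed there as a broad one.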

Why LinkedIn might be doing this

  • Most probed extensions are LinkedIn scrapers, lead-generation tools, automation/engagement bots, and various AI assistants.
  • Commenters infer main goals as:
    • Bot and scraper detection / rate limiting.
    • Detecting and blocking automation that competes with LinkedIn’s own paid tools.
    • Additional user fingerprinting and profiling.

Scraping, ToS, and hypocrisy debate

  • Some argue this is a legitimate anti-abuse defense: businesses should be able to stop third parties from harvesting and reselling their data.
  • Others see LinkedIn (and its parent company) as major data brokers already; calling this “abuse prevention” is viewed as hypocritical.
  • Commenters disagree over whether scraping public pages is “abuse” at all or a normal use of published data.
  • Several note the irony that creating the extension list likely required large-scale scraping of the Chrome Web Store, against its own ToS.

Reactions, mitigations, and open questions

  • Many users express disgust and surprise that sites can enumerate installed extensions at all; some consider leaving Chrome or moving to Firefox/forks.
  • Suggested defenses: browser-side randomization of extension URLs, extensions avoiding web-accessible resources or using dynamic URLs, and more stringent same-origin–style rules for extension resources.
  • Some ambiguity remains over what LinkedIn ultimately does with the collected extension fingerprints beyond bot/abuse detection.