LinkedIn is scanning browser extensions
What LinkedIn is doing
- LinkedIn runs JavaScript that probes thousands of Chrome/Edge extensions by trying to load known files via chrome-extension://{id}/{file} and recording which succeed.
- Results are reportedly sent back encrypted (RSA), not just hashed, enabling LinkedIn to recover the exact list.
- The tracked list skews heavily toward scrapers, data-extraction tools, AI spam/recruiting helpers, and shady utilities.
- A few politically, religiously, or accessibility-themed extensions are highlighted; some of these have been removed from extension stores, possibly as deceptive fronts for data exfiltration.
Fingerprinting, privacy, and intent
- Many commenters see this as invasive fingerprinting and undisclosed surveillance that can help uniquely identify users, even without cookies.
- Others argue it is “standard” device fingerprinting used mainly for anti-scraping and fraud detection, not behavioral profiling.
- There is disagreement over how much the scan is actually about combatting abuse versus broader tracking; some call the coverage “ragebait,” others think LinkedIn’s behavior is “bonafide scummy.”
Browser and extension mechanics
- Explanation: Chrome extensions can mark resources as web_accessible_resources; web pages can fetch these, which reveals whether an extension is installed.
- Multiple comments argue browsers should not allow page JavaScript to probe extension resources; debate over why CORS doesn’t block this.
- Firefox randomizes extension IDs per install, making this enumeration harder. Brave's and Safari's behavior is discussed but remains somewhat unclear. Edge is reported to be affected like Chrome.
- Suggested evasions: use non‑Chromium browsers, repackage extensions to get new IDs, or use fingerprinting-protection tools and aggressive blocking (e.g., uBlock, blocking LinkedIn CDNs).
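A defensive check for the mechanism described above, as an added example that is not from the thread or from LinkedIn's code: it reads an extension's manifest.json content and reports which files any web page could request at a fixed chrome-extension://{id}/{file} URL. The function names and sample manifests are constructed for illustration; the handling of `matches`, `extension_ids` and `use_dynamic_url` assumes the behavior described in Chrome's Manifest V3 documentation.

```javascript
// Added example: rate how exposed an extension is to page-side probing,
// using only its manifest. All sample manifests below are constructed.

// True if a match pattern covers arbitrary sites rather than one host.
function isBroadPattern(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Returns { exposure: 'none' | 'restricted' | 'any-page', probeable: [paths] }.
function auditManifest(manifest) {
  const probeable = new Set();
  let restricted = false;
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === 'string') {
      // Manifest V2: a plain path list, fetchable by every web page.
      probeable.add(entry);
      continue;
    }
    const resources = entry.resources || [];
    const matches = entry.matches || [];
    if (resources.length === 0) continue;
    if (entry.use_dynamic_url === true) {
      // Served under a per-session ID (per Chrome docs), so a fixed
      // chrome-extension://{id}/{file} URL does not reveal the install.
      restricted = true;
    } else if (matches.some(isBroadPattern)) {
      resources.forEach((r) => probeable.add(r));
    } else if (matches.length > 0 || (entry.extension_ids || []).length > 0) {
      // Only the listed sites or extensions can load these files.
      restricted = true;
    }
  }
  const exposure = probeable.size > 0 ? 'any-page' : restricted ? 'restricted' : 'none';
  return { exposure, probeable: [...probeable].sort() };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = {
  mv2Open: { manifest_version: 2, web_accessible_resources: ['img/icon.png', 'inject.js'] },
  mv3Open: { manifest_version: 3, web_accessible_resources: [
    { resources: ['ui/panel.html'], matches: ['<all_urls>'] }] },
  mv3Scoped: { manifest_version: 3, web_accessible_resources: [
    { resources: ['ui/panel.html'], matches: ['https://app.example.com/*'] }] },
  mv3Dynamic: { manifest_version: 3, web_accessible_resources: [
    { resources: ['ui/panel.html'], matches: ['<all_urls>'], use_dynamic_url: true }] },
  noResources: { manifest_version: 3 },
};
```

An 'any-page' result means the listed paths are the kind of known files a site can test for; 'restricted' still lets the specifically matched sites detect the extension.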
Ethics and employment
- Thread includes a broader debate: if asked to build such tracking, should engineers refuse (risking their job), comply, or quietly sabotage/slow-walk it?
- Some say they avoid working for companies likely to demand this; others would implement it and blame Chrome’s design.
User impact, performance, and policy
- Several users report high CPU/RAM usage and thousands of failed extension-resource requests when LinkedIn is open.
- Concern is raised about scanning for extensions tied to religion or politics; whether this is for profiling or because those extensions are malicious is disputed.
- One commenter notes LinkedIn’s privacy policy does mention collecting info on browser “add-ons,” but it does not clearly describe large-scale extension enumeration.