DE version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
47% Positive
Analyzed from 2988 words in the discussion.
Trending Topics
#extensions#extension#linkedin#chrome#job#data#https#installed#list#why
Discussion (180 Comments)Read Original on HackerNews
Discussion: https://news.ycombinator.com/item?id=47613981
"Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.
LinkedIn tests every extension in the list this way."
I read that their reasoning is it exists to block users that use known scraper extensions which bypass their terms of use. But don’t entirely buy that.
Browser fingerprinting is massively valuable to Google's surveillance/advertising apparatus. This is all working exactly as intended.
"Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.
LinkedIn tests every extension in the list this way."
But that would be a lot of work for 6,300 extensions. Unless someone offers that as a service?
https://news.ycombinator.com/item?id=46904361
as practitioners, where do we hold the line between telemetry and surveillance?
I’m lucky that I’m in a team which is hands on and does a lot of very interesting things. From building CRUD apps which are used in management and response to bushfires (wildfires) to more interesting things like building a datalake which amalgamates and stores weather data from multiple sources to building near real time CDC pipelines and making our transactional data available to our in house team of data scientists who then use that data to do fascinating stuff that eventually results in for example making sure that our response to bushfires takes into account the impact and safety of endangered species.
And when I look at the underlying data and the trends and and projections of just how bad bushfires are going to get in the next 30 years and how we must be so much nimbler and smarter just to survive, the work takes on a whole new level of meaning.
Don’t get me wrong, there are times the internal bureaucracy absolutely drives me mad. And I am aware that I could be earning much more in the private sector. But I get to work with a team who are really passionate and enthusiastic about their job, and I get to sleep at night knowing that unlike my previous jobs, this time I am not just making someone who is already uber rich, richer.
If you had told the teenage Utilitarian me that I would one day work for, and enjoy working for, government, I would have thought hell must have frozen over.
As they say, better to be a poor master than a rich slave.
Anyway, for those in this situation, some anecdotes. I've outright refused to do questionable things and kept my job. I've also played incompetent so the sharks look elsewhere. Point being... options exist, don't negotiate [only] with yourself.
Would be remiss if I missed the opportunity to quote Louis Rossman: "don't accept the premise of assholes"
https://en.wikipedia.org/wiki/Pegasus_(spyware)
https://en.wikipedia.org/wiki/Paragon_Solutions
https://en.wikipedia.org/wiki/Cytrox#Predator
If that's the game you're playing tho, maybe time to find another job too ;)
To answer your question though: I'd object of course, I'm very lucky to be well enough off that I can currently make that choice without serious repercussions. Do you think someone would come out on HN and say "oh sure yeah I have no morals!", at least without it being a throwaway where you'd have no idea if it's real?
> According to browsergate, Milinda Lakkam confirmed this under oath, saying, "LinkedIn took action against users who had specific extensions installed."
https://browsergate.eu/the-evidence-pack/
Edit: nice! I just notice indent-formatted text is now wrapping on mobile browsers. (Or at least ffm.) I wonder how long that's been fixed...Having a lot of connections working at Microsoft and Western tech industry, I'm not surprised with the targeting of Muslims.
No idea if if LinkedIn has the same issue though.
A big part of its detection relies on finding known extension resources at URLs of the form `chrome-extension://{extension_id}/{file}`
An extension installed from the Chrome store has the same `extension_id` for every user. But, if you just extract the source for that extension, and then load it yourself, you'll get a NEW extension_id. Same extension with the same functionality, but its extension_id will be completely new so impossible for LinkedIn to query.
Granted this won't evade the second type of detection LinkedIn employs, it'll help you evade quite a bit. I often clone extension source code anyway since it mostly protects me from malicious extension updates (by effectively disabling updates).
Why are these even extensions to begin with? A legit job finding service can be a website, no extension required. If they are nefarious extensions that fake ad clicks or mine cryptocurrency, that they are job search, or political, or religious in name/nature only serves to get rubes to install them. This entire ecosystem is goofed up.
It has a lot of hallmarks of LLM writings ("It's not this, it's that" and feeling like a lot of empty words rehydrated from an outline) while missing the real updates in the story like the German affidavit filed by a LinkedIn engineer who worked on these tools.
A key piece of information that this article omits is that the list of extensions being scanned for doesn't include anything you'd recognize or anything you'd even think to install. It's full of data extraction tools, scrapers, AI spam and recruiting tools (remember all those automated spammy LinkedIn messages you got?), and plugins masquerading as simple things that have been pulled from the extension store for violations.
A lot of articles have been trying hard to distract from this fact by highlighting that the list of extension includes things like a plugin designed to simplify web pages for neurodivergent users or an "anti-Zionist political tagger" to imply that they're trying to do fingerprinting based on those attributes, but they neglect to mention that those plugins were pulled from the extension store most likely because they were data exfiltrators dressed up as simple plugins to get people to install them.
An updated list is available here: https://browsergate.eu/extensions/
But read that site carefully and actually try to click the links. In this section they're trying to direct your attention away from all of the AI spam and data extraction tools with this section:
> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
But click the links. They've all been pulled from the store. Extensions like that are often bait to get people to install scrapers that will use your computer and LinkedIn login to extract data and send it back to their servers.
So regardless of where you stand on probing for the presence of these scammy extensions, you should at least understand the facts rather than the story that companies like this are trying to sell you to drive traffic to their product.
I suggest cutting through the ragebait journalism and reading more directly from a recent source, like this affidavit filed in Germany by a LinkedIn engineer familiar with the project: https://browsergate.eu/downloads/Lakam-affidavit-redacted.pd...
I did that with the first five extensions in the list; only one was removed from the store. So you should qualify this statement.
Maybe they are all scammy extensions, and maybe this is a weird LLM-driven astroturfing campaign, but let's try to at least root our arguments in a shared reality.
All 3 of those have been removed.
recently while trying to decipher why computer was at 98% memory and 65% cpu
one of the culprits is https://li.protechts.net taking 2GB ram and 8% cpu.
DDG searches say this is something for linkedin. - I had two tabs for linkedin open but left behind as I opened other tabs to research.
So I had not reopened these tabs in over 9 hours and they are still just humming along sucking down almost 10% of cpu and a couple gigs of ram for what?
This is firefox with ublock origin - quick searches saw malwarebytes browser guard considered it (protechts.net) malware for a bit and then took it off the list of things it blocked / warned about.
Not sure this is related to the scan mentioned, but it may be related to the overall concerns about data and unknown usage of resources.
I'm considering blocking this at the dns hosts level at this point.
repost of my comment 28 days ago
Runtime of extensions should be blackbox to a website IMO
Chrome for some reason (still!) gives extensions static ids. Firefox has the id change per firefox instance.
Its disgusting.
* I use Edge bcs of the vertical tabs — Safari's equivalent is a poor substitute. Firefox didn't seem to have vertical tabs last time I checked.
As if users are actually reading the privacy policy...
> Update to our terms and data use As of November 3, 2025, we are using some of your Linkedin data to improve the content-generating Al that enhances your experience, unless you opt out in your settings. We also updated our terms. See what's new and how to manage your data.
Frankly, it is unacceptable to tell a user "oh we have been using your personal data for 5 months already and will continue to do so unless you explicitly opt out". Are there any transparent alternatives to LinkedIn (not the trust me bro variant)?
To be clear, LinkedIn shouldn't be scanning your browser extensions, but still. The ultimate problem is that browser extensions are a powerful malware vector and there's a huge market of people buying little utilities off of solo developers to enshittify them.
Correct
Yes there are other problems in the world and we can JAQ the messanger too.
No. That you believed that was just an unfortunate consequence of HN's kneejerk tendency to upvote middlebrow dismissals to the top comment, which resulted in people rushing to craft apologetics for what is in reality bonafide scumminess on LinkedIn's part, which itself resulted in confabulations like the claim that, "It was all extensions related to spamming and scraping LinkedIn last time this was posted"—which is simply untrue.