Discussion (216 Comments)
Discussion: https://news.ycombinator.com/item?id=47613981
It is being used, e.g., by this commenter, where the URLs and the target page content for each submission differ
Moreover, HN allows duplicate submissions under some circumstances, where the URLs are exactly the same. If the submissions are relatively far apart in time sometimes the moderator or a commenter will reply with "Previous discussion". More recently, a "past" link was added. Many times however the duplicate submissions are close together in time and there are no comments
Perhaps "[dupe]" as used here means "duplicate topic". But that seems like a pointless label as there are multiple submissions about the same topic every week on HN
As someone who archives all active HN story URLs, titles, etc. in an SQL database daily, I can locate duplicate submissions very quickly. Most do not have any indication of "[dupe]" in the title or comments
I prefer to read the submitted stories ("news") more than the replies, if any. I enjoy reading multiple stories on the same topic as they may include different presentation of the facts and sometimes different perspectives. Not to mention there are sometimes technical differences in news websites, e.g., some news websites suck more than others. Before the internet, I would read several newspapers each day. I would intentionally read multiple news reports of the same story
Others may prefer HN _discussion_, which only occurs on a minority of stories
NB. Most HN users do not submit replies and engage in discussion. They are readers and/or voters only
A small number of HN commenters, or maybe the moderators, might try to preempt or redirect potential discussion, or otherwise manipulate it to meet their preferences or goals
C'est la vie. Have at it
But I think "dupe" means duplicate. As in duplicate URLs. Others seem to agree. I appreciate the clarification
Using that term to refer to something else related to _potential discussion_ is subjective and inaccurate, maybe even deceptive, an attempt to "dupe" the reader, pun intended
Not pointless at all, keeps things fresh and rolling. Stops some of us having to see the same topic over and over, and directs those who missed things to where the main discussion happened or is still happening. Stuff moves pretty fast around here.
You might see multiple submissions (a regular offender of submitting a ton of duplicates yourself) but they don't go anywhere, don't make it to front page or eyeball traction (say >20 upvotes). Most don't need specific dupe flagging because there's no discussion forming. Sharing the link helps casual readers find the discussion. And directs the recognition and attention to the original posters and story especially when stories are barely hours old.
As if you haven't been around here for awhile enough to be clearer on this. Striving to keep the feed fresh and discussion together helps us all, you could do better to contribute that way.
Then, I saw the browsergate story drop on mastodon and thought "no way," lo-and-behold, there's a lawsuit in the works for it.
I found the audit to be a bit dense and hard to read, this is a response to that. I
Some truly straight-shooters should be pointing the finger very accurately to where all this is coming from.
Anybody who has a team committed to non-below-average websites should be able to screen applicants against a roster of known enshittifiers.
It may be too late to nip it in the bud, but there's no reason to allow these individuals to continue unabated, much less keep growing so annoyingly.
What's wrong with some people anyway?
Browser fingerprinting is the new norm. LinkedIn just didn't disclose it in their privacy policy. They do mention canvas fingerprinting and collecting other signals, but not specifically this extension enumeration stuff.
But fingerprinting is used to track people even without cookies. Take a look at this for some further reading: https://404privacy.com/blog/browser-fingerprinting-is-the-ad...
I read that their reasoning is it exists to block users that use known scraper extensions which bypass their terms of use. But don’t entirely buy that.
"Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.
LinkedIn tests every extension in the list this way."
But that would be a lot of work for 6,300 extensions. Unless someone offers that as a service?
https://news.ycombinator.com/item?id=46904361
That said, I can't find conclusive info on whether this is blocked exactly. Brave does block "plugins" (which is why I assumed this includes this specific kind of fingerprinting), and the getExtension() call (which is probably unrelated), according to this page: https://brave.com/privacy-updates/4-fingerprinting-defenses-...
But since they don't explicitly mention the chrome-extension URL, you might be right.
Browser fingerprinting is massively valuable to Google's surveillance/advertising apparatus. This is all working exactly as intended.
Source:
as practitioners, where do we hold the line between telemetry and surveillance?
I’m lucky that I’m in a team which is hands on and does a lot of very interesting things. From building CRUD apps which are used in management and response to bushfires (wildfires) to more interesting things like building a datalake which amalgamates and stores weather data from multiple sources to building near real time CDC pipelines and making our transactional data available to our in house team of data scientists who then use that data to do fascinating stuff that eventually results in for example making sure that our response to bushfires takes into account the impact and safety of endangered species.
And when I look at the underlying data and the trends and projections of just how bad bushfires are going to get in the next 30 years and how we must be so much nimbler and smarter just to survive, the work takes on a whole new level of meaning.
Don’t get me wrong, there are times the internal bureaucracy absolutely drives me mad. And I am aware that I could be earning much more in the private sector. But I get to work with a team who are really passionate and enthusiastic about their job, and I get to sleep at night knowing that unlike my previous jobs, this time I am not just making someone who is already uber rich, richer.
If you had told the teenage Utilitarian me that I would one day work for, and enjoy working for, government, I would have thought hell must have frozen over.
You can provide value in the free market, or you can work in a public sector where the people paying your salary have no choice but pay their taxes to cover your salary or risk going to prison.
As they say, better to be a poor master than a rich slave.
Anyway, for those in this situation, some anecdotes. I've outright refused to do questionable things and kept my job. I've also played incompetent so the sharks look elsewhere. Point being... options exist, don't negotiate [only] with yourself.
Would be remiss if I missed the opportunity to quote Louis Rossman: "don't accept the premise of assholes"
https://en.wikipedia.org/wiki/Pegasus_(spyware)
https://en.wikipedia.org/wiki/Paragon_Solutions
https://en.wikipedia.org/wiki/Cytrox#Predator
If that's the game you're playing tho, maybe time to find another job too ;)
To answer your question though: I'd object of course, I'm very lucky to be well enough off that I can currently make that choice without serious repercussions. Do you think someone would come out on HN and say "oh sure yeah I have no morals!", at least without it being a throwaway where you'd have no idea if it's real?
"Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.
LinkedIn tests every extension in the list this way."
It should also be interesting to see which other sites test those very same files, has anybody looked yet?
> According to browsergate, Milinda Lakkam confirmed this under oath, saying, "LinkedIn took action against users who had specific extensions installed."
https://browsergate.eu/the-evidence-pack/
Edit: nice! I just noticed indent-formatted text is now wrapping on mobile browsers. (Or at least ffm.) I wonder how long that's been fixed...
> 1.5 Your Device and Location
> We receive data through cookies and similar technologies. When you visit or leave our Services (including some plugins and our cookies or similar technology on the sites of others), we receive the URL of both the site you came from and the one you go to and the time of your visit. We also get information about your network and device (e.g., IP address, proxy server, operating system, web browser and add-ons, device identifier and features, cookie IDs and/or ISP, or your mobile carrier). If you use our Services from a mobile device, that device will send us data about your location based on your phone settings. We will ask you to opt-in before we use GPS or other tools to identify your precise location.
"including some plugins" being the relevant bit.
It has a lot of hallmarks of LLM writings ("It's not this, it's that" and feeling like a lot of empty words rehydrated from an outline) while missing the real updates in the story like the German affidavit filed by a LinkedIn engineer who worked on these tools.
A key piece of information that this article omits is that the list of extensions being scanned for doesn't include anything you'd recognize or anything you'd even think to install. It's full of data extraction tools, scrapers, AI spam and recruiting tools (remember all those automated spammy LinkedIn messages you got?), and plugins masquerading as simple things that have been pulled from the extension store for violations.
A lot of articles have been trying hard to distract from this fact by highlighting that the list of extensions includes things like a plugin designed to simplify web pages for neurodivergent users or an "anti-Zionist political tagger" to imply that they're trying to do fingerprinting based on those attributes, but they neglect to mention that those plugins were pulled from the extension store most likely because they were data exfiltrators dressed up as simple plugins to get people to install them.
An updated list is available here: https://browsergate.eu/extensions/
But read that site carefully and actually try to click the links. In this section they're trying to direct your attention away from all of the AI spam and data extraction tools with this section:
> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
But click the links. They've all been pulled from the store. Extensions like that are often bait to get people to install scrapers that will use your computer and LinkedIn login to extract data and send it back to their servers.
So regardless of where you stand on probing for the presence of these scammy extensions, you should at least understand the facts rather than the story that companies like this are trying to sell you to drive traffic to their product.
I suggest cutting through the ragebait journalism and reading more directly from a recent source, like this affidavit filed in Germany by a LinkedIn engineer familiar with the project: https://browsergate.eu/downloads/Lakam-affidavit-redacted.pd...
The LLM writing style is simply not true. I am a high-school English teacher and if my students caught me using AI to do my writing, they'd rip me to pieces.
I included the GH link as a source of proof. While I did read the browsergate piece and ended up publishing my article as a result of, I noticed this was happening months ago because I am a developer myself and saw this very strange behavior in the LinkedIn dev console. The nature of my work is that I spend many hours sometimes staring at the dev tools to debug my JS injection, CSP rewriting, and header modification that 404 does.
Is 404 a tool to stop this? Yes. But that's the point. The reason why this type of thing is allowed to happen, browser fingerprinting, is because the public is unaware of it, so trying to educate the public is a part of my outreach. There are almost no tools on the market that allow for browser fingerprinting protection. Mullvad and Tor are close options, but they're often met with their own levels of scrutiny just for using their tools. For example, my school blocks the Tor network from being accessed altogether. Some websites can block the Tor fingerprint.
The original source is more technical, of course, but I was also in communication with the Browsergate team and continue to be so this is not a one-off journalist just trying to peddle his project. This has been my life for the last 2 years and I don't appreciate you discounting the work that privacy advocates do by splitting hairs and mincing my words.
While it may not be things I would think to install, maybe they're not extensions someone with certain affiliations would think to install.
I did that with the first five extensions in the list; only one was removed from the store. So you should qualify this statement.
Maybe they are all scammy extensions, and maybe this is a weird LLM-driven astroturfing campaign, but let's try to at least root our arguments in a shared reality.
All 3 of those have been removed.
recently while trying to decipher why computer was at 98% memory and 65% cpu
one of the culprits is https://li.protechts.net taking 2GB ram and 8% cpu.
DDG searches say this is something for linkedin. - I had two tabs for linkedin open but left behind as I opened other tabs to research.
So I had not reopened these tabs in over 9 hours and they are still just humming along sucking down almost 10% of cpu and a couple gigs of ram for what?
This is firefox with ublock origin - quick searches saw malwarebytes browser guard considered it (protechts.net) malware for a bit and then took it off the list of things it blocked / warned about.
Not sure this is related to the scan mentioned, but it may be related to the overall concerns about data and unknown usage of resources.
I'm considering blocking this at the dns hosts level at this point.
repost of my comment 28 days ago
Farrell v LinkedIn Corporation 4:26-cv-02953-KAW (N.D. Cal. Apr. 6, 2026)
https://ia601503.us.archive.org/33/items/gov.uscourts.cand.4...
A big part of its detection relies on finding known extension resources at URLs of the form `chrome-extension://{extension_id}/{file}`
An extension installed from the Chrome store has the same `extension_id` for every user. But, if you just extract the source for that extension, and then load it yourself, you'll get a NEW extension_id. Same extension with the same functionality, but its extension_id will be completely new so impossible for LinkedIn to query.
Granted this won't evade the second type of detection LinkedIn employs, it'll help you evade quite a bit. I often clone extension source code anyway since it mostly protects me from malicious extension updates (by effectively disabling updates).
Chrome for some reason (still!) gives extensions static ids. Firefox has the id change per firefox instance.
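Added example (not part of any comment in this thread, and not LinkedIn's or Chrome's code): the comments above describe detection through `web_accessible_resources` and static extension IDs, and this sketch audits a set of manifests to show which extensions would expose a resource to a given page. The manifests and IDs are constructed, the function names are hypothetical, and the `use_dynamic_url` handling assumes Chrome's documented Manifest V3 behaviour (a per-session ID replaces the static one).

```javascript
// Constructed sample manifests keyed by placeholder extension IDs (not real extensions).
const SAMPLE_MANIFESTS = {
  ["a".repeat(32)]: { manifest_version: 2, name: "Sample MV2 tool",
    web_accessible_resources: ["img/icon.png"] },
  ["b".repeat(32)]: { manifest_version: 3, name: "Sample MV3 open",
    web_accessible_resources: [{ resources: ["inject.js"], matches: ["<all_urls>"] }] },
  ["c".repeat(32)]: { manifest_version: 3, name: "Sample MV3 scoped",
    web_accessible_resources: [{ resources: ["panel.html"], matches: ["https://*.example.org/*"] }] },
  ["d".repeat(32)]: { manifest_version: 3, name: "Sample MV3 dynamic",
    web_accessible_resources: [{ resources: ["ui.css"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  ["e".repeat(32)]: { manifest_version: 3, name: "Sample MV3 private" },
};

// Does a match pattern cover the page's origin? Only scheme and host are
// compared, since resource exposure is decided per origin, not per path.
function originMatches(pattern, pageUrl) {
  if (pattern === "<all_urls>") return true;
  const page = new URL(pageUrl);
  const scheme = page.protocol.slice(0, -1);
  const m = /^(\*|[a-z]+):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // malformed pattern: treat as not matching
  const [, pScheme, pHost] = m;
  const schemeOk = pScheme === "*" ? scheme === "http" || scheme === "https" : pScheme === scheme;
  if (!schemeOk) return false;
  if (pHost === "*") return true;
  if (pHost.startsWith("*.")) {
    const base = pHost.slice(2);
    return page.hostname === base || page.hostname.endsWith("." + base);
  }
  return page.hostname === pHost;
}

// List the resources of one manifest that a page at pageUrl could request
// at a fixed chrome-extension://{id}/{file} URL.
function probeableResources(manifest, pageUrl) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2: a plain string list, exposed to every page.
      findings.push({ resource: entry, reason: "MV2: exposed to every page" });
      continue;
    }
    // Assumption: with use_dynamic_url the static ID is not usable from the page.
    if (entry.use_dynamic_url === true) continue;
    const hit = (entry.matches || []).find((p) => originMatches(p, pageUrl));
    if (!hit) continue;
    for (const resource of entry.resources || []) {
      findings.push({ resource, reason: `MV3: matches ${hit}` });
    }
  }
  return findings;
}

// Audit every manifest and keep only the extensions visible to pageUrl.
function auditExtensions(manifests, pageUrl) {
  return Object.entries(manifests)
    .map(([id, manifest]) => ({ id, name: manifest.name, exposed: probeableResources(manifest, pageUrl) }))
    .filter((row) => row.exposed.length > 0);
}

console.log(JSON.stringify(auditExtensions(SAMPLE_MANIFESTS, "https://www.example.com/feed/"), null, 2));
```

Fed the parsed `manifest.json` of each installed extension, the same functions show which of them a given site could detect by ID and which are scoped away from it.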
Having a lot of connections working at Microsoft and Western tech industry, I'm not surprised with the targeting of Muslims.
No idea if LinkedIn has the same issue though.
> tracks 6,278 extension
I just tried it and in 7 mins it got to 800 errors so that's like 50 minutes to do them all, using ~5% of cpu.
Runtime of extensions should be blackbox to a website IMO
* I use Edge bcs of the vertical tabs — Safari's equivalent is a poor substitute. Firefox didn't seem to have vertical tabs last time I checked.
Why are these even extensions to begin with? A legit job finding service can be a website, no extension required. If they are nefarious extensions that fake ad clicks or mine cryptocurrency, that they are job search, or political, or religious in name/nature only serves to get rubes to install them. This entire ecosystem is goofed up.
1. Doesn't have the spam
2. That doesn't look like it's from 2008
3. That only developers / engineers / tech folks can join
4. Doesn't try to log into your email to steal your contact list
5. That doesn't track you or your extensions / browser fingerprint
6. That doesn't have a bunch of fake "linkedinmaxxing" garbage content
7. that doesn't have marketers and recruiters, etc.
8. ...
That's how things used to be done. Recruiters did exist but you generally got off your arse and impressed a potential employer with a well laid out CV as an invitation to call to interview.
Nowadays it appears that people want to circumvent all that complicated effort bollocks. You simply spray yourself across some social media wankery and let's face it LinkedIn is the supreme example of wankery and some grateful employer will pick you up.
The next time you are considering buying a record player to engage with the past in some sort of misty eyed histrionics session, why not buy a pen and paper and write a letter and impress someone with your turn of phrase? Enclose a CV (resume) for maximum effect.
... "Nurse ... nurse ... my dried frog pills have started dancing on my eyeballs ... nurse ... "
Applying to jobs posted in the newspapers
We have the ability to vibe these things over a weekend, yet getting to the critical mass/tipping point of adoption is something else.
Whatever happened to: if you build it, they will come?
Wishing Guido (gui.do) the best.
Only a Public Benefit Corporation will get the software to a usable state and refuse enshittification
Is there anything else making a new start right now with as well-known a name? That could make a major difference in building critical mass fast enough.
Now Friendster is already moving in its own new direction [0], but it would still be a good portal to a separate new jobs board that only needs to start out with zero bullshit and one key thing a little bit better than Linkedin in some very important area, then gradually diverge further from there if necessary.
No need to even try to replace Linkedin (who wants another one of those?), the only thing that a better option needs to have to become sustainable, is to be better for a few million visitors on a regular basis. Maybe way fewer would be adequate if done right, IDK.
I don't think Friendster is going to stop short of that, so there you go.
Plus IIRC Friendster is already paid for and owes nobody anything. If it stays that way it could turn out to be a surprising advantage. No matter how big Linkedin is I can only imagine that it is "mortgaged" up the wazoo like anything else, it's a whale like no other.
Friendster could go into the kind of shallow water where it can thrive, and Linkedin would be effectively beached.
[0] Very cool the way their plan for physical contact or proximity looks like it will restrict bot activity just when it's needed most, while accepting the limitation to unbridled growth that this implies.
Is at odds with
> 6. That doesn't have a bunch of fake "linkedinmaxxing" garbage content
Almost all of the shit-tier AI-generated AI evangelism has been from "tech folks" connections. It's all the exact same content.
Anyway if you magically copied the entire LinkedIn network to a clean, no-nonsense site and wanted $5/mo to be active on there during the time I'm seeking a job, I'd pay that. And it'd be more if it had better opportunities. I guess there's LinkedIn Premium, but eh not convinced on that.
They’re basically the only reason I’m there.
A previous coworker had been not especially good at his job and left after two months, and a little later I went looking for his LinkedIn to see where he'd ended up. Couldn't find him but didn't give it much thought. A friend told me that he was working at a company up the street but was also working another job at the same time, and the penny dropped - you can't have LinkedIn and be working two jobs at once and reasonably expect to get away with it or get hired again.
I didn't apply, because fuck that inside out.
As if users are actually reading the privacy policy...
It's disgusting.
> Update to our terms and data use As of November 3, 2025, we are using some of your Linkedin data to improve the content-generating AI that enhances your experience, unless you opt out in your settings. We also updated our terms. See what's new and how to manage your data.
Frankly, it is unacceptable to tell a user "oh we have been using your personal data for 5 months already and will continue to do so unless you explicitly opt out". Are there any transparent alternatives to LinkedIn (not the trust me bro variant)?
I am far from conspiracy theorist but, god damn, if you take a few steps back from all the current madness and look at what's happening from a perspective, then YES, they're collecting all that data and it up to specific people and their IDs. I don't even want to guess how deep are Palantir and AI chat in this.
This kind of tracking has been going on for decades
Also, please don't use a title for the HN submission that's different from the title of the original post. The guidelines are specific about this.
Both are concerns, but sending interpretable data is a more serious concern.
I scanned through the article and did not see an example of the header it added.
https://addons.mozilla.org/en-US/firefox/addon/linkedin-data...
I think 99% are identifiable
To be clear, LinkedIn shouldn't be scanning your browser extensions, but still. The ultimate problem is that browser extensions are a powerful malware vector and there's a huge market of people buying little utilities off of solo developers to enshittify them.
Correct
Yes there are other problems in the world and we can JAQ the messenger too.
No. That you believed that was just an unfortunate consequence of HN's kneejerk tendency to upvote middlebrow dismissals to the top comment, which resulted in people rushing to craft apologetics for what is in reality bonafide scumminess on LinkedIn's part, which itself resulted in confabulations like the claim that, "It was all extensions related to spamming and scraping LinkedIn last time this was posted"—which is simply untrue.