LinkedIn is using hidden JS to scan your browser for over 6,000 specific extension IDs via a known Chromium vulnerability. By inventorying your local software, they can infer highly sensitive “Special Category” data like health status, religion, and political advocacy without consent.
I’ve joined the dots on why Chromium-based “Shields” fail here and how to harden your home lab/network to stop the leak.
I think you forgot the link? That or my instance didn’t pull it.
First off it only scans browser addons/extensions by matching them to known browser ids.
Second this has nothing to do with home lab or network so nothing to secure there; Either dont use linkedin, use a firefox based browser or, if you read the actual browsergate website, changing your user agent to anything not chrome/chromium based should block the script from running as it runs this check before anything else, or just dns block ‘linkedin.com/li/track’ iirc to prevent from being sent back or do all of the above.
Yes this is a volation of privacy but helping push the framing around this thst it scans your computer with that terrible title isnt helping the situation.
Edit: spelling
Thanks for the feedback. You’re right, it’s really just scanning for known extension IDs, not poking around your entire computer. Saying “computer scan” might sound a bit dramatic, but the privacy risk is still pretty serious given what info they can guess from those extensions.
About the home lab and network side — I get that LinkedIn isn’t scanning your whole network or anything. What I meant is more about how you can block or filter those sneaky requests at the network level, like with DNS blocking or firewall rules, so they never even get sent out. It’s not a classic home lab threat, but if you’re running your own DNS or network filters, it’s a handy extra layer to keep things tighter.
Sure, switching browsers or faking your user agent works too, but not everyone wants to give up Chromium or LinkedIn completely. That’s why I mentioned a few different ways to protect yourself.
Appreciate the note on wording — I just wanted to show why this isn’t just some minor browser oddity and why it’s worth thinking about from a privacy and network defence angle.
How do you DNS block a URL :)
Wonder how hard it would be to make a list of sensitive information employees based on the programs installed. I imagine pretty easy.
Spot on. If you can see a user has certain VPN clients, IDEs, or specific advocacy tools installed, you’ve essentially built a psychological profile of an employee’s home environment without them ever clicking ‘Accept’. It’s a massive GDPR Article 9 violation (Special Category data) hidden in plain sight.
It only checks browser addons/extensions. The title isnt accurate.
So Firefox and its forks are safe?
Mostly, yes. Firefox doesn’t use the specific Chromium internal resource API that LinkedIn is exploiting for this. However, since the script relies on hidden GET requests, I still recommend Multi-Account Containers to isolate LinkedIn entirely, plus a custom uBlock Origin filter just to be sure.
Or if you change your useragent to anything other than chrome/chromium related as it only runs on detected chromium browsers.
Did you find it, I think the Lemmy server is having a few issues today. https://the.unknown-universe.co.uk/privacy-security/linkedin-browsergate/
