
How LinkedIn detects browser extensions - siddg
https://github.com/dandrews/nefarious-linkedin
======
gkoberger
The repo says "A look at how LinkedIn spies on its users"

I'm not convinced this is LinkedIn spying on users... rather, it's them
protecting their users from the spammy people using these extensions. There's
not a single extension on that list that doesn't result in someone getting an
unsolicited email.

~~~
gkoberger
Here's the full list; they're all spammy recruiting/sales extensions (nothing
legit like uBlock or LastPass):

        daxtra
        SalesloftProspector
        SalesLoftCadence
        discoverly
        Ecquire
        Ebstabullhorn
        EbstaSalesforce
        ProspectHive
        talentbin
        Entelo
        Nimble
        amazinghiring
        colabo extension
        StepWells(colabo)
        found.ly
        datananas
        Linkedin-Hubspot Connector
        dux-soup(fixed)
        data Scraper
        aevy
        Lusha
        Lead Generator
        Candidate.ai
        Email Hunter
        Prospectify
        iMacros
        Prophet
        Leadiq
        HirEtuaL
        Contact Out
        Prospect.io
        saleslift.io
        Skrapp
        Slik
        CleverStaff
        Linked Helper
        Get Email
        Sourcehub
        Salestools
        SellHack
        Sourcebreaker
        turboHiring
        LinMailPro
        LinMailNavigator
        Leonard for Linkedin
        LinkeLead
        Loxo Social import
        Jlenty
        Social2Sugar
        Emply
        Linkedroid
        eLink Pro
        LinkMatch for zoho CrM
        LinkMatch for zoho recruit
        inkMatch for CatS
        LinkMatch for PCrecruiter
        LinkMatch for Pipedrive
        LinkMatch for Greenhouse
        Snapaddy Grabber
        ramper
        Linklead.io
        alore.io
        Hr-Skyen
        SeekOut
        Leadkedin
        icebreaker
        Spider for Linkedin
        recruiterNerd
        Crelate
        EyeMail
        Sales Lead Multiplier
        Email Finder
        Linkedin assistant Lily
        auto Connect tools Lily
        adapt Prospector
        Leadconnect
        Linkedbot
        People.camp
        instant data Scraper
        LinkMe tool
        adorito
        gay2sms
        Lusha (FireFox Extension)
        LinkedPro
        LeadGibbon
        Socialbff

And here's the code you can run yourself:
[https://pastebin.com/Ux684VtL](https://pastebin.com/Ux684VtL)

~~~
Buge
iMacros is a legit extension. But yeah, I guess there are recruiters using it
to spam people.

~~~
eastendguy
Agree. iMacros is a completely fine macro recorder. Similar extensions like
Kantu and Selenium IDE are _not_ in the list.

~~~
disiplus
Well, iMacros looks like another scraping tool, while those others look like
testing tools that can be used for scraping.

------
345tw4erfd
Calling this "nefarious-linkedin" when it's obvious that LinkedIn is trying to
protect itself from unauthorized data collection shows that the developer is
either seeking attention or didn't really look into the purpose of those
extensions ([https://github.com/dandrews/nefarious-linkedin/pull/1](https://github.com/dandrews/nefarious-linkedin/pull/1)).

~~~
tnolet
But how is this data accessible to the extension? I'm not an expert, but it
seems that this data has to be publicly available for an extension to find and
parse it. Extensions don't have magic auth rights or credentials.

~~~
tylerhou
Extensions have the same auth rights as your logged-in account (the ability to
see people who are out of network, for example). It’s against LinkedIn’s ToS
to scrape data.

~~~
feanaro
This should go both ways. It is against my ToS for LinkedIn to scrape which
extensions I have installed.

~~~
newsbinator
I'm on the anti-LinkedIn side of this scraping debate.

But that said, LinkedIn never agreed to your ToS.

~~~
feanaro
True, and I accept this is a potentially good legal refutation of this kind of
argument. However, I do consider ToS-es untenable and unjust because of this
power asymmetry.

If my computing node is interacting with your computing node, we should either
both be able to put restrictions on the use of obtainable information or
neither.

~~~
i_cant_speel
You can avoid them collecting your data by not visiting their site.

~~~
feanaro
And they can avoid me storing their data by not offering it to me. Both are
rather lazy arguments.

This is besides the fact that many sites (LinkedIn included) aren't very
upfront about what exactly they collect. Also, after a certain point, it gets
impractical to have to make this decision for each and every site you visit.

------
tnolet
I don't get it. How can a browser extension mine data that otherwise is
inaccessible? This should be covered by basic RBAC. Or are they just
convenient scrapers, saving time but otherwise not accessing privileged
information? If so, the LinkedIn story about "protecting our users" seems a
bit shaky.

~~~
superfrank
The extensions are basically bots to collect info for the user with the
extension installed, not steal info from that user. Most are either scraping
email, names, and job titles as quickly as a bot can, or mass sending out
messages to users based on some criteria.

Here's a video for one of the extensions
[https://www.youtube.com/watch?v=2XvtuZjblCc](https://www.youtube.com/watch?v=2XvtuZjblCc)
(Warning: loud music)

~~~
peteretep
> The extensions are basically bots

No, most appear to be plugins for ATS/CRMs, which allow recruiters -- having
found a lead on LinkedIn -- to then add them to their CRM. This is profoundly
different.

------
superfrank
For anyone who is asking what/who LinkedIn are protecting with this, it's not
the users with the extensions installed, it's to protect the other users on
the sites. I poked through some of the listed extensions and most are
basically bots that you can turn on that will crawl through LinkedIn pages
very quickly and either collect info (like email addresses) or send out
messages to other LinkedIn users.

I found this video for one of the extensions that is a good example of what
I'm talking about
[https://www.youtube.com/watch?v=2XvtuZjblCc](https://www.youtube.com/watch?v=2XvtuZjblCc)
(Warning: Loud music)

~~~
whoisjuan
In 2015 I wrote and published a Chrome Extension for LinkedIn that calculated
the age of a person and put that age next to the name in their LinkedIn
profiles. It quickly went viral and showed up in several places including
Product Hunt.

Someone from BuzzFeed reached out to me asking questions about it and then
later that day wrote an article claiming that LinkedIn had asked me to take it
down (until that point they hadn't). That night I received a cease and desist
letter, so I took it down.

There were many valid reasons to ask for my extension to be removed, but I
never got the impression that they were doing it to protect the users whose
age was being augmented or at least it didn't feel that was their angle.

It felt more like "this data is ours, so back off". Just to be clear, I'm not
saying that they were rude in their communications or anything like that. But
the C&D letter focused a lot on the techniques and uses of my extension and
not so much on the "this violates users' privacy" or "this is not representing
accurate data".

I just think that in general LinkedIn doesn't like people poking around and
trying to scrape data in any way. In the end, that's their most valuable asset
(users' data).

For anyone curious, I still have the website: [http://www.whoisjuan.me/age-insight-linkedin/](http://www.whoisjuan.me/age-insight-linkedin/)

~~~
kiallmacinnes
C&D letters are written by lawyers. They don't appeal to your empathy over the
PII of other users, they state facts and appeal to the legal standing LinkedIn
(or $company...) has over the data being used.

That said, I have no idea of the reasons LinkedIn sent you a C&D. It could
well be any of the proposed options, or something else entirely. I'm just
highlighting that the language in a C&D will rarely give any indication of
intent, at least not "well written" ones anyway.

------
dawnerd
Ignoring everything else, it seems a bit weird a page can make requests to an
extension's assets without originating from that extension.

~~~
tinus_hn
Imagine an extension modifying a page and adding an image. How would it allow
the image to load if that wasn’t possible?

~~~
dawnerd
I was thinking if an image is injected, it'd be injected by a script loaded
from the plugin thus trusted.

~~~
tinus_hn
It’s a logical thought but that isn’t how it works.

A script doesn’t really inject an image, it injects an image tag which
contains a reference to the image. As the image gets loaded there is no check
who created the tag.

------
tanilama
> LinkedIn violates their own users' privacy in an effort to detect the usage
> of browser extensions. At the time of writing this, LinkedIn is scanning
> visitors for 38 different browser extensions.

No it is defending against malicious actors from abusing its API.

~~~
enriquto
> No it is defending against malicious actors from abusing its API.

I do not really understand the concept of "abusing an API". If an API is
amenable to a "bad" use, it seems entirely to be the fault of the API
designers, not of its users. The designers built an API that enabled a usage
that they did not want. That is their fault; how could it be otherwise?

~~~
tanilama
That is exactly what LinkedIn is doing: they are preventing bad actors from
calling their API, essentially blacklisting them. They can't be blacklisted via
IP since they are scattered across the internet, so they are banning them
productively. Simple and easy.

------
userbinator
Changing the name of the extension resources and any extra elements they add
to the page would be enough to stop this. (It reminds me of another "trick"
pages like to use: randomising the element IDs. Easily defeated by searching
for other properties of the desired element.) Just like DRM, it's a stupid
cat-and-mouse game, and the mice will always win...

------
pacifika
Even if the intent by LinkedIn is legit, this will soon get used by data
tracking scripts to further de-anonymise people.

~~~
porlune
Is that inherently wrong if the website doesn't want to serve anonymous
clients?

------
mirimir
OK, but _why_ does LinkedIn scan extensions?

~~~
gkoberger
To flag accounts that are scraping data or "revealing" email addresses.

Negative view: they're blocking people from circumventing their paid features

Positive view: they're protecting their other users from getting spammed

~~~
vidarh
A lot of these are used as CRM type applications where people would _love it_
if LinkedIn just charged for access to a more comprehensive API instead.
LinkedIn's messaging UI sucks, and ironically one of the reasons to want to use
CRMs like Nimble to interact with your LinkedIn connections is to be able to
better track communication with them so you _don't_ spam. But of course
people will use it to spam too.

If LinkedIn offered API access to messaging in a way that let CRMs work with
them instead of feeling forced to circumvent them, I think most who want to use
it legitimately would be perfectly happy to have LinkedIn impose various usage
limits and protections, even if paid.

They should see this as revenue potential: there is lots of potential to get
companies with legitimate reasons for more integration than the current API to
upsell their customers on paid LinkedIn features if they are able to offer it
in an approved way, and I bet many would be happy to let LinkedIn monitor how
it's used.

If they try to block access instead, they'll find more and more companies keep
offering the same, but manually.

------
Linkedout
I admit one of the extensions from the list is mine. But it's not as malicious
or spammy as some like to picture it. Most of them are complements, addons to
help the user with their CRM. I don't know of any intended to steal data (I
believe they will use scrapers or other ways instead of asking users to pay
for an extension). There are well-known CRMs like Hubspot or SOHO that aim to
sync data. Yes, some others are used to send messages to connections... just as
unsolicited as InMails, the LinkedIn paid version (but at least it is to
connections). They also block extensions that block their ads and extensions
that help users to filter out "sponsored" content (we did that).

Regarding GDPR, even LinkedIn says it is not actually their data but the users
are data controllers (owners)
[https://legal.linkedin.com/dpa](https://legal.linkedin.com/dpa). Obviously,
this is not OK with LinkedIn because they are a walled garden and not an open
platform. The point is they do not let the user decide, customize or adapt
their experience to suit their needs. Any feature that is not in their
revenues agenda gets killed even if thousands of users cry for it (happens
regularly) and they do not let anyone else offer it. Nobody likes spam, but
it's up to the user not to do it; it's like if your Gmail would not let you send
an email to more than one person at a time or be connected to any other app
(yes, I know there are limits in Gmail).

Notice that it is not the legal way that LinkedIn takes to stop these services,
because in reality they are a monopoly (and as pointed out earlier, courts have
ruled against LinkedIn). Nor do they use an educational or marketing path
telling the users why it is better FOR THEM not to use those extensions. No,
they use FUD (fear, uncertainty & doubt) to scare users and cancel the LinkedIn
accounts of the people who create this "competition"... it happened to me, to
the people of hunter.io, findthatlead and many others. Mafia style. This is not
a moral justification from me; it is a business decision to offer extensions
that give capabilities that people want.

------
rathish_g
Looks like they are trying to block spiders and protect their users.

~~~
peteretep
No, they're trying to protect their LinkedIn Recruiter license revenue.

------
xg15
> _Furthermore, there's no good reason to use web accessible resources in an
> extension! You can always find a solution to your problem that does not
> require them._

How would I, e.g., inject an extension-provided image into a web page without
using web accessible resources?

The only ways I can think of would be copying the image to a blob or drawing
it on a canvas - both seem significantly more complex than just injecting an
IMG tag and would still be detectable as side effects.

~~~
leni536
I'm not familiar with writing browser extensions, but data URI comes to mind.

~~~
xg15
Ah, right, I forgot those. That's true of course.

I think you could still use them for side-effect detection (watch for
images/scripts/etc with a known data uri suddenly appearing in your DOM) - but
at least you couldn't actively query it without the extension doing anything.

------
maaaats
How is a webpage able to query the local file system? That sounds pretty bad.

~~~
kiallmacinnes
It doesn't, it queries the local assets of installed extensions. Chrome (and I
guess other browsers?) provide a way to do this, so the HTML etc injected by
an extension can reference assets shipped with the extension.
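The exchange above between dawnerd and tinus_hn (a page can load an extension's assets, and the browser does not check who created the `<img>` tag) and this answer both come down to one browser rule: a resource listed under `web_accessible_resources` is served to any page at `chrome-extension://<id>/<path>`. The following is an added example, not code from the nefarious-linkedin repository or from LinkedIn. It models that rule in Node for a constructed Manifest V2 extension and a constructed Manifest V3 one, so the difference is visible: in MV2 every listed resource is fetchable from any origin (which is what the detection relies on), while MV3 lets the author restrict each entry to origins in `matches` and, with `use_dynamic_url`, serve it only under a per-session dynamic ID so a fixed-ID probe fails. The manifests, extension name and resource paths are all made up for the example; `resolveExtensionResource` and `probeableResources` are helpers written here, not browser APIs.

```javascript
// Added example (not from the nefarious-linkedin repo or LinkedIn): a small
// model of how Chrome decides whether a web page may load
// chrome-extension://<id>/<path>. Both manifests are constructed samples.

const MV2_MANIFEST = {
  manifest_version: 2,
  name: "Sample Prospector (constructed)",
  // MV2: any listed resource is served to any origin, no check on who made the tag.
  web_accessible_resources: ["images/*.png", "inject.js"],
};

const MV3_MANIFEST = {
  manifest_version: 3,
  name: "Sample Prospector (constructed)",
  web_accessible_resources: [
    // Only LinkedIn pages may load these; a probe from another site is refused.
    { resources: ["images/*.png"], matches: ["https://*.linkedin.com/*"] },
    // Reachable from any site, but only via a per-session dynamic extension ID,
    // so a probe of the fixed chrome-extension://<id>/icons/logo.svg URL fails.
    { resources: ["icons/logo.svg"], matches: ["<all_urls>"], use_dynamic_url: true },
    // Reachable from any site at a fixed URL: this entry is fingerprintable.
    { resources: ["content.css"], matches: ["<all_urls>"] },
  ],
};

// Turn a manifest glob such as "images/*.png" into a whole-path RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Does a match pattern ("https://*.linkedin.com/*", "<all_urls>", "*://*/*")
// cover the page URL? Follows the scheme/host/path rules of Chrome match patterns.
function matchPatternCovers(pattern, pageUrl) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host, path] = m;
  const u = new URL(pageUrl);
  const schemeOk = scheme === "*"
    ? u.protocol === "http:" || u.protocol === "https:"
    : u.protocol === scheme + ":";
  let hostOk;
  if (host === "*") hostOk = true;
  else if (host.startsWith("*.")) {
    const base = host.slice(2);
    hostOk = u.hostname === base || u.hostname.endsWith("." + base);
  } else hostOk = u.hostname === host;
  const pathOk = globToRegExp(path).test(u.pathname + u.search);
  return schemeOk && hostOk && pathOk;
}

// Simulates the browser's decision for a page at pageUrl loading resourcePath.
// Returns "served", "blocked", or "served-dynamic" (reachable only through the
// dynamic ID, so the fixed-ID URL a probing page would use gets nothing).
function resolveExtensionResource(manifest, resourcePath, pageUrl) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    return war.some((g) => globToRegExp(g).test(resourcePath)) ? "served" : "blocked";
  }
  for (const entry of war) {
    const listed = (entry.resources || []).some((g) => globToRegExp(g).test(resourcePath));
    if (!listed) continue;
    const allowed = (entry.matches || []).some((p) => matchPatternCovers(p, pageUrl));
    if (allowed) return entry.use_dynamic_url ? "served-dynamic" : "served";
  }
  return "blocked";
}

// Audit helper for extension authors: which resources can *any* web page load
// at a fixed chrome-extension://<id>/... URL, i.e. which ones reveal the extension?
function probeableResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) return [...war];
  const out = [];
  for (const entry of war) {
    if (entry.use_dynamic_url) continue;
    const anySite = (entry.matches || []).some((p) => p === "<all_urls>" || p === "*://*/*");
    if (anySite) out.push(...(entry.resources || []));
  }
  return out;
}

console.log("MV2 resources any page can load:", probeableResources(MV2_MANIFEST));
console.log("MV3 resources any page can load:", probeableResources(MV3_MANIFEST));
```

Running it prints `["images/*.png", "inject.js"]` for the MV2 sample and only `["content.css"]` for the MV3 one. For an extension author the practical reading is the one leni536 and xg15 reach further down: resources that never need a `chrome-extension://` URL (a data URI for an injected image, for instance) cannot be queried at all, and anything that must stay web-accessible should be narrowed with `matches` or marked `use_dynamic_url` rather than exposed at a fixed URL to every site.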

------
peter_retief
I am really in two minds about LinkedIn. I cancelled my account years ago
after getting spammed by recruiters. This could be an attempt to clean up, but
it looks quite sinister in the attempt.

~~~
kerouanton
LinkedIn has been an issue for years for me, because they simply disclosed
your email to anyone connected. This enables some people and/or corporations
to scrape profiles and build spam email databases. After being annoyed about
this, I started to change my LinkedIn-dedicated email address frequently, 4-5
times a year. The conclusion was obvious: less than a few days after the
change, I began receiving spam and proposals on this new dedicated email
address, thus confirming the email scraping problem.

Yesterday I went back to Linkedin to reconfigure a new email address, and
found that the account settings now incorporate a setting to hide your email
address to anyone (inactive by default...). I've enabled it and changed again
to a new dedicated email address, to see if it is true. I hope this time
Linkedin did things right.

~~~
peter_retief
Maybe I should try again. I am not looking to hire or be hired, so I'm not
really sure if there is a point anymore.

------
pheres
The written tone used in the repo comes off as too drastic, especially as it
only reports the collection of analytics on how LinkedIn users use the
website.

Is the detection result reported back to LinkedIn?

In their [Privacy Policy](https://www.linkedin.com/legal/privacy-policy#your_device_and_location)
they do mention they collect information on "web browser and add-ons".

This reminds me of similar approaches used in other environments. For example
in the game industry, anti-cheat techniques of detecting the running software
in mobile devices to flag users. How do you think this differs?

------
ed_blackburn
Talking of LinkedIn. Any suggestions of how I can bulk-remove contacts? I was
wondering if there’s a Chrome Extension? I’m assuming all I’m missing is the
motivation to script it?

------
patrickwiseman
One aspect is that LinkedIn is protective of plugins that incidentally cover
up their own ads. Notably several entries on this list once had such
grievances filed against them.

------
meitham
Is this issue unique to Chrome? Does it happen with Firefox?

~~~
mweibel
I do have the same localStorage item in my Firefox. The shown way of decoding
the content works too.

------
ttty
Do they detect the extension... What do they do after that? Hide the email?

------
Brosper
Why is this dangerous?

