
Posted by mdp 7 hours ago

LinkedIn checks for 2953 browser extensions (github.com)
289 points | 142 comments | page 2

zahlman 7 hours ago
> This repository documents every extension LinkedIn checks for and provides tools to identify them.

I get that the CSV lists the extensions, and the tools are provided in order to show work (mapping IDs to actual software). But how was it determined that LinkedIn checks for extensions with these IDs?

And is this relevant for non-Chrome users?

usefulposter 7 hours ago
Technical writeup from a few weeks ago by a vendor that explains how LinkedIn does it, then boasts that their approach is "quieter, harder to notice, and easier to run at scale":

https://blog.castle.io/detecting-browser-extensions-for-bot-...

mongrelion 7 hours ago
Curious question: why would they check for installed extensions on one's browser?

CobrastanJorji 6 hours ago
Fingerprinting. There are a few reasons you'd do it:

1. Bot prevention. If the bots don't know that you're doing this, you might have a reliable bot detector for a while. The bots will quite possibly have no extensions at all, or even better, a specific exact combination they always use. Noticing bots means you can block them from scraping your site or spamming your users. If you wanna be very fancy, you could provide fake data or quietly ignore the stuff they create on the site.

2. Spamming/misuse evasion. Imagine an extension called "Send Messages to everybody with a given job role at this company." LinkedIn would prefer not to allow that, probably because they'd want to sell that feature.

3. User tracking.

b1temy 2 hours ago
> The bots will quite possibly have no extensions at all

I imagine most users will also not have extensions at all, so this would not be a reliable metric to track bots. Maybe it might be hard to imagine for someone whose first thing to do after installing a web browser is to install some extensions that they absolutely can't live without (ublock origin, privacy badger, dark mode reader, noscript, vimium c, whatever). But I imagine the majority of casual users do not install any extensions or even know of their existence (Maybe besides some people using something like Grammarly, or Honey, since they aggressively advertise on YouTube).

I do agree with the rest of your reasons though, like if bots used a specific exact combination of extensions, or if there was an extension specifically for LinkedIn scraping/automation they want to detect, and of course, user tracking.

xz18r 5 hours ago
I wrote some automation scripts that are not triggered via browser extensions (e.g., open all my sales colleagues’ profiles and like their 4 most recent unliked posts to boost their SSI[1], which is probably the most ‘innocent’ of my use-cases). It has random sleep intervals. I’ve done this for years and never faced a ban hammer.

Wonder if with things like Moltbot taking the scene, a form of “undetectable LinkedIn automation” will start to manifest. At some point they won’t be able to distinguish between a chronically online seller adding 100 people per day with personalized messages, or an AI doing it with the same mannerisms.

[1] https://business.linkedin.com/sales-solutions/social-selling...

jppope 7 hours ago
Most automations for sales and marketing use browser extensions... LinkedIn wants you using their tools, not 3rd party

Nextgrid 7 hours ago
Their own tools suck, that’s the issue.

direwolf20 17 minutes ago
Third-party tools don't bring money to LinkedIn, that's the issue. Rather than try to compete, much easier to force you to use their tools! Reddit did the same thing.

staticshock 7 hours ago
For a social network, more information about their users = better ad targeting. It likely gets plumbed into models to inform user profiles.

Aurornis 7 hours ago
Look at the actual list. It's primarily questionable AI tools, scrapers, lead generation tools, and other plugins in that vein.

I would guess this is for rate limiting and abuse detection.

HPsquared 7 hours ago
An attempt at fingerprinting, I suppose?

hasperdi 6 hours ago
Another thing... they alter the localStorage & sessionStorage prototype, by wrapping the native ones with a wrapper that prevents keys that are not in their whitelist from being set.

You can try this by opening devtools and setting

  localStorage.setItem('hi', 123)

ddtaylor 3 hours ago
Does anyone know if Brave has any defense against this like Firefox does?

pnw 1 hour ago
It doesn't seem like Brave's fingerprinting prevention includes extensions, so on my first pass I would say no.

ddtaylor 20 minutes ago
Good call. I did a test and on Chrome I see the spam and I also see the spam on Brave as well, so they don't seem to be any different.

mrkramer 5 hours ago
LinkedIn is the worst walled garden of all of them.

dwedge 5 hours ago
I wonder if this is why the LinkedIn feed blocker I installed in Firefox 2 weeks ago stopped working for me within 24 hours

ta988 5 hours ago
So it really is espionage at all levels.

insin 4 hours ago
So every Chrome extension that wants to avoid being detected this way needs to proxy fetch() on the target site, imagining someone with a bunch of them installed having every legit HTTP request on the target site going through a big stack of proxies

input_sh 6 hours ago

    cut -d',' -f2 chrome_extensions_with_names_all.csv | grep -c "AI"
    474
Only 16%!?

Aurornis 7 hours ago
I suggest everyone take a look at the list of extensions and their names for some very important context: https://github.com/mdp/linkedin-extension-fingerprinting/blo...

I didn't find popular extensions like uBlock or other ad blockers.

The list is full of scammy looking data collection and AI tools, though. Some random names from scrolling through the list:

- LinkedGPT: ChatGPT for LinkedIn

- Apollo Scraper - Extract & Export Apollo B2B Leads

- AI Social Media Assistant

- LinkedIn Engagement Assistant

- LinkedIn Lead Magnet

- LinkedIn Extraction Tool - OutreachSheet

- Highperformr AI - Phone Number and Email Finder

- AI Agent For Jobs

These look like the kind of tools scummy recruiters and sales people use to identify targets for mass spamming. I see several AI auto-application tools in there too.

cxr 4 hours ago
> I suggest everyone take a look at the list of extensions and their names for some very important context[…] I didn't find popular extensions like uBlock

Unsurprising outcome since uBlock (specifically: uBlock Origin Lite, the only version available for Chrome on the Chrome Web Store) makes itself undetectable using this method. (All of its content-accessible resources have "use_dynamic_url" set to "true" in its extension manifest.) So its absence in this data is not dispositive of any actual intent by LinkedIn to exclude it—because they couldn't have included it even if they wanted to.
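
An added example, not part of the thread or of the linked repository: a manifest audit an extension author could run to see which web-accessible resources keep a stable URL for pages on a given site (and so remain detectable) and which are hidden by `use_dynamic_url`. The manifests are constructed samples, the function names are hypothetical, and the match-pattern check is simplified to scheme and host.

```javascript
// Constructed sample manifests (not taken from any real extension).
const staticMv3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["img/icon.png"], matches: ["https://*.linkedin.com/*"] },
    { resources: ["inject.js"], matches: ["https://example.org/*"] },
  ],
};
const dynamicMv3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["img/icon.png"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};
const mv2 = { manifest_version: 2, web_accessible_resources: ["panel.html"] };

// Host part of a match pattern: "*", "*.example.com" or an exact host.
function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    const base = patternHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patternHost === host;
}

// Simplified match-pattern test: scheme and host only, path ignored.
function patternCovers(pattern, pageUrl) {
  if (pattern === "<all_urls>") return true;
  const { protocol, hostname } = new URL(pageUrl);
  const scheme = protocol.slice(0, -1);
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const schemeOk = m[1] === "*" ? /^https?$/.test(scheme) : m[1] === scheme;
  return schemeOk && hostMatches(m[2], hostname);
}

// Resources a page at pageUrl can request at a stable extension URL.
function staticallyExposed(manifest, pageUrl) {
  const exposed = [];
  for (const entry of manifest.web_accessible_resources ?? []) {
    if (typeof entry === "string") { exposed.push(entry); continue; } // MV2: any site
    if (entry.use_dynamic_url === true) continue; // ID changes per session
    if ((entry.matches ?? []).some((p) => patternCovers(p, pageUrl))) {
      exposed.push(...(entry.resources ?? []));
    }
  }
  return exposed;
}
```

An empty result for the sites you care about means the extension offers no fixed resource URL for a page there to test.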

NicuCalcea 5 hours ago
LinkedIn itself provides tools for scummy recruiters to mass spam, so this is just them protecting their business.

Also, not all of them are data collection tools. There are ad blockers listed (Hide LinkedIn Ads, SBlock - Super Ad Blocker) and just general extensions (Ground News - Bias Checker, Jigit Studio - Screen Recorder, RealEyes.ai — Detect Deepfakes Across Online Platforms, Airtable Clipper).
