Microsoft is running one of the largest corporate espionage operations in modern history.

Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.

The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.

Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

  • BradleyUffner@lemmy.world
    6 hours ago

    It scans your JavaScript context for known browser plugins. That’s it. It’s not scanning your whole computer for installed software.

    • mic_check_one_two@lemmy.dbzer0.com
      5 hours ago

      I was gonna say… If LinkedIn managed to figure out how to break out of the browser sandbox, this would be a much bigger headline. Like “scanning your PC for installed software without the user’s knowledge, simply by visiting the site” is full blown “pull the plug on your entire internet connection until this zero day exploit can be figured out” levels of bad.

  • GreenShimada@lemmy.world
    18 hours ago

    This is straight up misinformation. First off, it’s perfectly legal.

    LinkedIn does browser fingerprinting. It’s the same thing Google and Meta do. It’s how Google Ads is shifting to a post-adblocker revenue stream.

    Browser fingerprints show fonts used, audio codecs, WebGL render data, processor, operating system - enough that if you add up several factors together, it makes a statistically unique fingerprint. It does NOT scan applications on your computer. It can’t. It DOES scan which browser extensions you have running (if they affect page loading).

    If you check your email and then close that and go to Google in an incognito window and search for porn - Google will fucking know what you’re looking at. Gmail and all Google apps all fingerprint, and then you’ll notice how Google ads trackers are on most sites online? Yep. That’s how they track you.

    Use a VPN? Use an ad blocker? Great - Google doesn’t care. Google can track your fingerprint.

    See your own fingerprint - check how it knows it’s you visit after visit.

    https://fingerprint.com/

    https://coveryourtracks.eff.org/

    https://amiunique.org/

    • Bloefz@lemmy.world
      14 hours ago

      They also scan for thousands of extensions. The only reason it doesn’t do this on Firefox is that Firefox randomises the uuid of extensions every time. Chrome doesn’t.

    • PumaStoleMyBluff@lemmy.world
      15 hours ago

      Fonts, codecs, hardware, OS, extensions are all parts of a computer that never ever need to be transmitted to a website for it to function. Any information about them should be sandboxed, and if the website wants to display differently based on them, it can send static data or code in and get nothing back out.

    • Snot Flickerman@lemmy.blahaj.zone
      18 hours ago

      I think the argument is that some of the extensions that are probed can be political in nature, which can reveal political identity, which is potentially unlawful in the EU. However, it really needs to be up to a judge to make a decision on that.

      In general what they’re doing is legal, and the BrowserGate people are using niggling little details, a handful of extensions out of the 6000 probed, to justify this argument. I couldn’t say, especially as someone from outside the EU, whether this is actually illegal or not, but it’s definitely in a nebulous area at the moment.

      Though I agree it’s sensationalized in terms of claiming it’s “searching your computer” and doing “corporate espionage.”

  • Damage@feddit.it
    15 hours ago

    The Attack: How it works
    Every time you open LinkedIn in a Chrome-based browser,

    Stopped reading there

    • Snot Flickerman@lemmy.blahaj.zone
      18 hours ago

      “Yes, LinkedIn was probing for a lot of extensions, but there was no scanning of your computer and no malicious code, just a simple JavaScript technique to determine if the extension was there.”

      Reguly decided to test the resource probing and results obtained on a sample 10% of the 6,000+ extensions. “One extension refused to have its tab closed and reopened itself every time I closed it. Others changed my home screen, the about:blank page, and added bookmarks.” Another Rickrolled him, playing the ‘Never Gonna Give You Up’ video every time he opened his browser. “To say that a lot of these are the worst of the worst extensions out there is not an understatement.”

      What’s more, statistically from his sample testing, he believes only around 2,000 could be detected by LinkedIn, when even 6,000 is just a small sub-set of the total number of extensions that exist. If LinkedIn was intent on fingerprinting or profiling its users, there are better methods than this.

      “I don’t see anything that indicates malicious intent here,” he told SecurityWeek. “It is discovering some information, yes, but I don’t think it crosses the threshold to malicious – I think that’s a very sensationalized view of what’s going on.”

      Asked why LinkedIn is doing this, he replies, “I don’t know. But for me, a common trend across these extensions is that they have data scraping functionality and are not well known. And they were problematic at times. Many of them gave me that used-car-salesman vibe that you see in the movies,” he continued.

      “I can’t help but wonder if LinkedIn wanted to know if these extensions were there to try and defend against them. I certainly wouldn’t want one of my LinkedIn contacts to be running these extensions and visit my page with these scrapers installed. I feel that a user with these extensions installed visiting my LinkedIn page is more of an affront to my privacy than LinkedIn checking to see if I have these extensions.”


      Of course, depending on interpretation, this still may not be appropriate or legal in the EU. However, it does seem that BrowserGate’s claims are a bit on the exaggerated side.


      OP’s link with Google’s AMP nonsense removed: https://www.securityweek.com/browsergate-claims-of-linkedin-spying-clash-with-security-research-findings/
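
For extension developers, the resource probing quoted above and the earlier comment about stable extension IDs in Chrome both come down to what a manifest exposes to web pages through `web_accessible_resources`. The check below is an added example, not part of the thread or the linked article; the function names, the risk labels and the sample manifests are assumptions made for illustration.

```javascript
// Added example (not from the thread): flag manifest entries that let a web
// page request an extension file, which reveals that the extension is installed.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Bring Manifest V2 (array of paths) and V3 (array of objects) to one shape.
function normaliseEntries(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    // MV2: every listed path is readable by any web page at a fixed URL.
    return war.length ? [{ resources: war, matches: ["<all_urls>"], dynamic: false }] : [];
  }
  return war.map((e) => ({
    resources: e.resources || [],
    matches: e.matches || [],            // empty: only other extensions can read
    dynamic: e.use_dynamic_url === true, // per-session URL instead of fixed ID
  }));
}

// Risk labels are this example's own scale, not a browser-defined one.
function auditManifest(manifest) {
  const findings = [];
  for (const entry of normaliseEntries(manifest)) {
    if (entry.matches.length === 0) continue; // not reachable from web pages
    const broad = entry.matches.some((m) => BROAD.has(m));
    const risk = entry.dynamic ? "low" : broad ? "high" : "medium";
    findings.push({ resources: entry.resources, matches: entry.matches, risk });
  }
  return findings;
}

function worstRisk(manifest) {
  const order = ["none", "low", "medium", "high"];
  return auditManifest(manifest).reduce(
    (worst, f) => (order.indexOf(f.risk) > order.indexOf(worst) ? f.risk : worst),
    "none");
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLES = {
  mv2Icon: { manifest_version: 2, web_accessible_resources: ["icons/logo.png"] },
  mv3OneSite: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.js"], matches: ["https://example.com/*"] }] },
  mv3Dynamic: { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.css"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  mv3ExtOnly: { manifest_version: 3, web_accessible_resources: [
    { resources: ["api.js"], extension_ids: ["<placeholder-extension-id>"] }] },
};

for (const [name, m] of Object.entries(SAMPLES)) console.log(name, worstRisk(m));
```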

  • Snot Flickerman@lemmy.blahaj.zone
    18 hours ago

    Literally? They’re searching installed browser extensions, that’s not “my computer.” Sure, it’s identification data, and it may brush up against EU laws, but “illegally searching your computer” is definitely a bit of hyperbole.

    They are not “literally” searching my computer, as much as I am not literally fucking your mom.

  • magnue@lemmy.world
    19 hours ago

    I’ll never join LinkedIn. Pointless middlemen in job searches. A social network people are forced to use.

  • atzanteol@sh.itjust.works
    17 hours ago

    hidden code searches their computer for installed software

    Not gonna read an article that is this poorly researched. It’s clickbait.