One of the largest corporate espionage and data breach scandals in digital history: New "BrowserGate" report claims LinkedIn secretly scans user browsers
Posted by BendicantMias@reddit | anime_titties | 47 comments
A new report is alleging LinkedIn uses hidden JavaScript to scan its visitors’ browsers for installed extensions, looks for those that compete with its own sales tools, and then twists its users’ arms until they stop using those and pick LinkedIn’s products, instead.
"LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo. Because LinkedIn knows each user's employer, it can map which companies use which competitor products. It is extracting the customer lists of thousands of software companies from their users' browsers without anyone's knowledge," the report states.
"Then it uses what it finds. LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets."
Apparently, the scanning part is true - BleepingComputer ran an independent test and saw a JavaScript that checked for exactly 6,236 browser extensions.
rocksuperstar42069@reddit
The Internet? Tracking me? From MY computer? Well golly, thanks for the heads up!
Every single website bitches about ad block, yet they think LinkedIn came up with a novel way to run JavaScript....
EsperaDeus@reddit
They know your porn kinks too
Somepotato@reddit
It's worth noting this whole thing was started by a company trying to force Microsoft to let them scrape LinkedIn who are upset Microsoft has been trying to stop them.
Teamfluence@reddit
Well, not sure what "the whole thing" is, but if you're talking about the spying scandal dubbed "Browsergate", then it was Microsoft who started it.
Fairlinked published the findings. It's also utterly irrelevant who published it. LinkedIn didn't even try to deny it. They have been independently verified and they are meanwhile the subject of a criminal investigation and a class action suit.
I don't know why slandering me makes you feel better, but your accusations are wrong and unrelated to the illegal surveillance operation Microsoft is running.
You're shooting the messenger.
fubo@reddit
Everyone sucks here.
The people pushing this "scandal" are spammers.
These are "commercial LinkedIn users" in the same sense that email spammers are "commercial email users". That is, they abuse the system in question for commercial gain.
What they're complaining about is the anti-spam system that LinkedIn uses to detect automated activity — that is, their spambots.
Yes, that anti-spam system is intrusive. Yes, it reveals that most browsers leak way too much information about you. Yes, that's bad.
But their motive is to get an anti-spam system down so that they can spam.
Teamfluence@reddit
I'm one of the authors of the research. Can you explain why you slander me and accuse me of things I have never done?
By the way - it doesn't matter who published the findings. They have been independently verified and are meanwhile the subject of a criminal investigation in Germany and a class action suit in California.
So, while we never asked for "sympathy", I don't think we deserve slander and unfounded accusations.
Have a nice day.
Stippings@reddit
Yet another thing I can point to when someone asks me why I use no social media (barring Reddit, for which I use a different browser exclusively... With a VPN (probably far from enough though)).
They are all spyware. Whatever you actively write, post/upload and click is information about yourself that you voluntarily give to them. But all of them have scripts, cookies and trackers to harvest more of you. They even go as far as to see what you had your mouse pointed at, and how long you have been looking at something, which also contains information about yourself you're not aware of (subconscious behaviours).
lurkity_mclurkington@reddit
I have DuckDuckGo as both a browser and as app tracking protection, which in both cases identifies and blocks cookies and other trackers. They also have a virtual email address you can tie to your real email address that removes trackers on emails.
DDG gives me weekly notifications showing the total amount of trackers it's blocked across all my Android apps, often between 20k and 30k per week.
BakerXBL@reddit
That’s not going to stop a tracking pixel
frostysauce@reddit
I just use Thunderbird. ALL remote content is blocked unless I specifically tell it to load remote content for that particular email. No images, nothing. I can simply read the text before I decide to delete or fully open it.
BakerXBL@reddit
We’re talking about visiting LinkedIn.com
frostysauce@reddit
Whoops, my bad! I thought we were talking about removing trackers on emails.
VladimiroPudding@reddit
To be honest with you, after the Firefox privacy fiasco of last year, I am wary of any web product that markets itself as independent and privacy-first. They can change their Terms of Service anytime they decide to become profitable.
ResilientBiscuit@reddit
Do people think browser extensions are private or something? I genuinely thought this was always happening at any large site I visit.
It's kind of scummy to threaten people into using your tool, but the extension identification seems normal.
Vivid-Rutabaga9283@reddit
"Do people think browser extensions are private or something?"
It's literally something that runs on your private computer. It's not supposed to be public by default.
At the very least, Mozilla seems to agree https://support.mozilla.org/en-US/questions/889811
And so does Chrome https://developer.chrome.com/docs/extensions/reference/manifest/web-accessible-resources
In fact, most browsers don't even allow you to query this data directly. LinkedIn is doing a roundabout way of assuming you have the extension, trying to use a bit of it, and then if the file doesn't exist they find out you don't have the extension. If the bit of extension they query happens to exist, then it's confirmed that you have that extension. It's a hacky way of going around the intentional limitation of not letting websites read browser data, in an unofficial way, without prior notice.
"I genuinely thought this was always happening at any large site I visit."
Why would you think that? A better way to phrase it would be "any large site that asked and received consent to do it".
The default isn't to collect everything possible, the default is to ask or notify the user, and then collect what you need, or want. For stuff you don't need but still want, the way to go is notify the user through a privacy policy, terms of use, or consent pop-up, in regards to what the company wants, and why they want it (where the why is allowed to be vague) at least in the EU. (and browsergate.eu is relying on the EU laws)
The claim here is that Microsoft never told users about this bit of data being collected, meaning it breaks the GDPR rule for asking for express consent before collecting data that is not mandatory for the functions of your app (and stuff like checking if you got a Quran extension isn't "mandatory" for LinkedIn to work on your browser, but it can infer your religion for no reason).
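An added example, not part of the thread or of any commenter's post: the probing described in the comment above only reaches files an extension lists under `web_accessible_resources` (the Chrome manifest key linked there). This sketch audits a manifest for entries any site can request at a fixed URL; the sample manifests and function names are constructed for illustration.

```javascript
// Constructed sample manifests (not taken from any real extension).
const sampleV3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ['images/icon.png', 'inject.js'], matches: ['<all_urls>'] },
    { resources: ['panel.html'], matches: ['https://app.example.com/*'] },
    { resources: ['fonts/ui.woff2'], matches: ['*://*/*'], use_dynamic_url: true },
  ],
};
const sampleV2 = { manifest_version: 2, web_accessible_resources: ['logo.png'] };

// True for match patterns that cover every site.
function isBroadMatch(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// List every resource that arbitrary web pages are allowed to request.
function auditManifest(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === 'string') {
      // Manifest V2: a plain string list, exposed to every origin.
      findings.push({ resource: entry, exposedTo: 'any site', stableUrl: true });
      continue;
    }
    // Manifest V3: objects that scope resources with `matches`.
    const broad = (entry.matches || []).filter(isBroadMatch);
    if (broad.length === 0) continue; // limited to named sites or extensions
    for (const resource of entry.resources || []) {
      findings.push({
        resource,
        exposedTo: broad.join(', '),
        // use_dynamic_url serves the file under a per-session ID, so a
        // request to the fixed extension-ID URL no longer resolves.
        stableUrl: entry.use_dynamic_url !== true,
      });
    }
  }
  return findings;
}

// Resources that reveal the extension's presence to any page that asks.
function probeableResources(manifest) {
  return auditManifest(manifest).filter((f) => f.stableUrl).map((f) => f.resource);
}

console.log(probeableResources(sampleV3), probeableResources(sampleV2));
```

Extension authors can shrink this list by narrowing `matches` to the sites that actually need the file or by setting `use_dynamic_url`.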
CoffeeWorldly9915@reddit
Now I wanna install as many religious extensions as possible...
iksbob@reddit
Now I want an extension that feeds gibberish data instead of a file-not-found response when a local file is missing.
Deep_Ad1959@reddit
the difference is that most sites doing extension detection use it for generic analytics or compatibility checks. linkedin ties it directly to your real name, employer, and job title, then uses that to map out which companies are running competitor sales tools. that's not fingerprinting for ads, that's competitive intelligence extraction at scale. the scanning part might be common but the identity linkage makes it a completely different thing.
kuroioni@reddit
Since neither the techradar article, nor this post link the original browsergate portal, here:
https://browsergate.eu/
All the info on who they are, what the research includes AND proof (with downloads) are available there. There's also a mailing list you can subscribe to to stay informed on progress.
BendicantMias@reddit (OP)
Added it to the post. :)
BasicSulfur@reddit
Fuck Zoominfo
braiam@reddit
Didn't this news make rounds like several times before?
https://www.reddit.com/r/linkedin/comments/1bxga16/my_account_gets_restricted_because_of_false/
theeldergod1@reddit
you can tell linkedin is super toxic because they're hardcore spammers. I enter it once a month, they do whatever they can to bring me back with black hole pull.
IAccidentallyCame@reddit
No matter how much I change my comms preferences to not get emails from them, they still email you a few times per year. And especially after my once or twice annual logins.
Canadian_Border_Czar@reddit
They'll literally modify their communications just to fit in the categories you selected.
Don't like marketing emails? Here's an important site update, followed by a bunch of marketing shit.
Oh and by the way, someone has looked at your profile! Pay us money to find out who!
Vivid-Rutabaga9283@reddit
Que microsoft bots saying it's just fingerprinting and everyone does it or that it's only illegal if it's identifiable data and the website that holds your name, email and entire work experience has no way of identifying you.
MairusuPawa@reddit
I've heard Google employees say this exact line regarding this subject matter, so.
kimana1651@reddit
The problem is that people don't understand how few datapoints it takes to identify a person. You have an anonymous database of 20 million users, that's a lot of data right? How can you find one person in all of that? Well most of that data is unique. How many people are friends with user 3245 that works for Creed and user 55895 that works for Sysco? Just one person. How many people logged into the platform at 9:10:26 am from Ohio? Just one.
Most of the time you can pick your target out with the data at hand, if not then you only need one or two external datapoints to figure it out.
sluttytinkerbells@reddit
It’s not that they don’t understand — it’s that they don’t care.
quacainia@reddit
Or feel powerless to do anything about it
tsardonicpseudonomi@reddit
Which is not caring. Feeling powerless is what corporations and corporate controlled governments want you to feel.
If you feel powerless you are. If you feel empowered you are.
Lint_baby_uvulla@reddit
Want to hear a one line joke?
Anonymised census data.
Slumunistmanifisto@reddit
Hahahaha.....
Sells your phone number and dob
rundgren@reddit
I'm leaning in that direction even though I'm a Microsoft-hating non-bot
keepthepace@reddit
We are past that point in the US. Legality does not matter much as consequences are at zero.
The only receivable argument is that Microsoft culture is not efficient at all and that it is very credible that they amass that amount of data that could be worth billions to them just into a shitty database that decides which background they should use when sending you their spammy newsletter.
machado34@reddit
I'm wary of any site that requires you to be logged in to see otherwise public content, such as LinkedIn, Instagram and xwitter
clarinetJWD@reddit
Cue.
Vivid-Rutabaga9283@reddit
Edited
historycommenter@reddit
It should be illegal for them to twist users' arms or any sort of violence, but it is a free service, what do people expect? I will add this extra text so my comment is not removed by the Auto Mod and fuck this forum for wasting my time this morning with my snarky comment and having to go back and edit it because apparently how could someone have something constructive to say without writing a wall of text?
Trollimperator@reddit
So this "techradar.com" has news about LinkedIn using their clients as product. At the same time I get 2 popups, a leftside banner and a topside banner, asking for my email address - to join the team. I don't mention shitty application of the EU consent to cookies or the lack thereof anymore...
The internet was fun, before all those greedy companies got their foot in. Users are the product and I truly wonder what happens when 90% of the net users are echo bots. It's not about selling things anymore, it's about reach - in history, that was always a recipe for a crash.
VladimiroPudding@reddit
You don't have to wonder for long. About 80% of all images produced in the internet last year were AI. We crossed the threshold of more bots than people in the web traffic in 2024.
What happens is that the internet as we know it is destroyed. The destruction of "mainstream" internet is imminent: AI bot ads that are "read" by AI bot crawlers. Some who are interested/in the weeds enough will resort to niches, similar to how the internet was in the 90s.
Trollimperator@reddit
Yeah, but I also know more and more people retreating out of the internet as a social space. The people I knew who did use the internet as a social platform often stopped doing that and strictly use the internet for content, not social participation, due to the growing hostility of the predatory environment. The risks of exposure are just higher when you have a serious job/income (and reputation). The more valuable the user is, the less likely it is that he stays in this hostile environment. It's like with movie stars and paparazzi.
RevengeWalrus@reddit
My friend reads the entire terms and conditions for everything she uses, and LinkedIn has always been at the very top of companies she'll never fuck with. This isn't their first rodeo with invasions of privacy.
callmejellydog@reddit
LinkedIn is the worst thing in the world.
It’s full of fucking knobs posting AI generated content to try and look good and talking from a position of authority based on that.
I’m a big fan of AI when it’s used appropriately. But I am having major fatigue right now with generated content on socials, and managers vibe coding critical systems which form the company's cash cow, essentially being paid to destroy the only value it has.
TheSamuil@reddit
The only positive thing I can say about LinkedIn is that its existence has given rise to a bunch of apps that translate to LinkedIn speak.
The only silver lining to LinkedIn is the incredible ecosystem of innovative tools it has inspired, specifically those designed to optimize and streamline professional communication for maximum impact. #Innovation #Networking #ProfessionalGrowth #TechTrends
kinmix@reddit
Ken Cheng LinkedIn posts are also pretty great.
PinothyJ@reddit
Straight from the Honey school of running a website business.
I am sure it will go great.