There have been all sorts of sensationalist claims from “Microsoft is scanning your computer for installed software” to “LinkedIn devs are injecting malicious code to track personal data.” I want to start by putting this to rest… these headlines are just that, sensationalist. It is clickbait at its finest.
What the BrowserGate Evidence Actually Contains
So, what is in the BrowserGate evidence bundle? A list of 6000+ Extension IDs for Google Chrome packages contained within a JavaScript file. It then uses a technique called Resource Probing to attempt to determine which of the 6000+ extensions might be installed. So, yes, LinkedIn was probing for a lot of extensions, but there was no scanning of your computer and no malicious code, just a simple JavaScript technique to determine if the extension was there. The kicker… it didn’t even include the most popular extensions – popular ad blockers, password managers, and other extensions that people regularly use were not included. Instead, the list includes tools for extracting personal information from web pages, 496 AI-related extensions, and 162 extensions that reference social media.
The list mapped each Extension ID to a file and attempted to load that file, using the format chrome-extension://<Extension ID>/<file>, to see whether the extension was present. For this to succeed, the file must be listed in the web_accessible_resources of the Manifest V3 manifest.json file. Even if the developer of the extension needs to use web_accessible_resources, they can still prevent this technique from working by including the use_dynamic_url property, which makes the resource reachable only through a dynamic, per-session ID rather than the static Extension ID the probe list relies on.
In fact, many of the extensions that were being tested could not actually be detected with the latest versions available from the Chrome Store. I wanted to test all 6,000+ extensions for this blog post, but it turns out you can’t install that many extensions in Chrome, and I didn’t want to sit and install groups of extensions until I tested them all. I decided that a sample size of 10%, which resulted in a list of 615 extensions, was a reasonable demonstration of how well Resource Probing actually worked. Even 615 extensions was an unreasonable amount, so I split the group into 2 and installed the first 308 extensions. Of those, only 272 (88.3%) ended up installed and only 92 (33.8%) of the 272 were detected using LinkedIn’s techniques.
Measuring Reality: What the Testing Revealed
A large number of those extensions installed background tasks, and I was overwhelmed by the number of overlays added to the webpage. One extension refused to have its tab closed and reopened itself every time I closed it. Others changed my home screen and the about:blank page, and added bookmarks. To say that a lot of these are the worst of the worst extensions out there is no exaggeration.
Now it was time for the second half of the 615 extensions, with 307 being bulk installed via the registry. This time, one of them kept trying to open a YouTube video every time I opened my browser, and, yes, it was Rick Astley’s Never Gonna Give You Up. The browser was even slower than last time, and I had to eventually prevent a plugin called 1Page from accessing page data just to have websites load. Again, I ended up with 272 installed extensions and, of those, 97 (35.6%) were detected.
With a 10% sample size, 34.7% of extensions were detected. That is close enough in my books to call it 1/3. If we extrapolate based on the total number of extensions, that means that only about 2000 of the 6000+ extensions were potentially detected. There’s a margin of error doing it this way, but given how much impact these extensions have on system performance, I would not want to test all 6000+ to see if they are detected via the LinkedIn methods.
Final Assessment: More Hype than Harm
At the end of the day, I can’t help but look at this as a giant nothingburger. When you visit LinkedIn, you are logged in, and they know who you are. If they were using browser extensions to fingerprint you, they would go with a better set of extensions – popular extensions that are actually used. I’d be more concerned that techniques like canvas fingerprinting exist and can be used to track you in and out of incognito mode. If your extension privacy matters to you, check manifest.json and make sure that use_dynamic_url is configured or that web_accessible_resources are not used.
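The check described above (and the web_accessible_resources / use_dynamic_url condition explained earlier) can be automated. The following is an added example, not code from the original post or from LinkedIn: it audits a parsed manifest.json and reports which files a page could load via chrome-extension://<Extension ID>/<file>. The sample manifest and the hypothetical "Example Helper" extension are constructed for illustration.

```javascript
// Added example (not from the original post): audit a parsed manifest.json for
// files a web page could load via chrome-extension://<Extension ID>/<file>,
// the condition that makes resource probing work against that extension.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return findings; // nothing exposed
  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of patterns, each reachable from every origin
    for (const resource of war) {
      findings.push({ resource, exposure: 'any-origin', reason: 'MV2 has no per-origin restriction' });
    }
    return findings;
  }
  // Manifest V3: entries of { resources, matches?, extension_ids?, use_dynamic_url? }
  const anyOrigin = (m) => m === '<all_urls>' || m === '*://*/*';
  for (const entry of war) {
    const matches = Array.isArray(entry.matches) ? entry.matches : [];
    for (const resource of entry.resources || []) {
      if (entry.use_dynamic_url === true) {
        // Reachable only through a per-session dynamic ID, so a static ID list fails
        findings.push({ resource, exposure: 'hidden', reason: 'use_dynamic_url is set' });
      } else if (matches.some(anyOrigin)) {
        findings.push({ resource, exposure: 'any-origin', reason: `matches ${matches.join(', ')}` });
      } else if (matches.length > 0) {
        // Loadable only from the listed sites; a probe hosted elsewhere is refused
        findings.push({ resource, exposure: 'matched-origins', reason: `matches ${matches.join(', ')}` });
      } else {
        findings.push({ resource, exposure: 'hidden', reason: 'no web origins listed' });
      }
    }
  }
  return findings;
}
// True when at least one file can be probed from an arbitrary website
function isProbeableFromAnySite(manifest) {
  return auditWebAccessibleResources(manifest).some((f) => f.exposure === 'any-origin');
}
// Constructed sample manifest for a hypothetical extension covering all three cases
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Example Helper',
  web_accessible_resources: [
    { resources: ['icon.png'], matches: ['<all_urls>'] },
    { resources: ['panel.html'], matches: ['https://example.com/*'] },
    { resources: ['inject.js'], matches: ['<all_urls>'], use_dynamic_url: true },
  ],
};
console.log(auditWebAccessibleResources(SAMPLE_MANIFEST), isProbeableFromAnySite(SAMPLE_MANIFEST));
```

Run it against the unpacked extension's manifest.json (JSON.parse the file first); any 'any-origin' finding means that extension can be detected by a static Extension ID list like the one in the BrowserGate bundle.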
Personally, I think that administrators and security folks should be celebrating this revelation - they now have a list of Extension IDs that they should block at their organization. Even with only installing 10% of the extensions, I saw rickrolls, background processes that ran after Chrome was closed, bookmarks modified, page contents relayed to various servers, and several other things that scared me. The only thing LinkedIn should do is notify users that they have these impractical extensions installed. That’s about the only thing we can look down on them for in this situation. Everything else is just making a mountain out of a molehill.