Every time you open LinkedIn in a Chrome-based browser, hidden JavaScript silently scans your computer for installed software without your knowledge, without your consent, and without a single word in LinkedIn's privacy policy.
It is absolutely a secret! Based on the discussions I’ve seen, many people in the field were quite surprised that this technique works. So just like Meta’s recent-ish WebRTC scandal, this was a secret, even if the code always showed what it does.
My point is that any assumption that your extensions are not detected is a delusion.
It is? How are these websites detecting my Firefox extensions?
By doing things the extensions are interacting with. You can see if an ad is served and displayed or not, you can detect if an interaction was originated by a user or automatic, you can see if letters were pasted or input at a speed no human can match.
> You can see if an ad is served and displayed or not
This doesn’t tell you which specific extensions a user has installed. First, the filter lists are mostly shared between ad blockers, so you can at best tell that some adblock extension is installed, but not which one. Second, the ad might fail to load for a variety of other reasons (e.g. user is offline, firewall blocking URLs/endpoints, network-level DNS adblock, …), so all you can tell is that the user might have an adblock extension installed. That’s far milder than your initial premise: “My point is that any assumption that your extensions are not detected is a delusion[…]”
> you can detect if an interaction was originated by a user or automatic
Sure, and how does this help with detecting the installed extensions? Knowing that the click event wasn’t triggered by the user doesn’t tell you who triggered it.
> you can see if letters were pasted or input at a speed no human can match
Again, how does this help with detecting the installed extensions?
I mean, I was listing stuff one person can do on their site to detect if visitors have a type of extension or not. If I can do that with a couple hours of work I am not surprised at all with what a major social network like LinkedIn can implement. I don’t know what LinkedIn does and I don’t plan to read their code, I did not even read the article tbh
Well, that’s a pretty useless approach for tech discussions, because this kind of attack is explicitly not possible on Firefox.
Also, extrapolating such a broad statement from the simple fact that it’s possible to unreliably detect the presence of a single broad category of extensions is a huge reach.