LinkedIn checks for 2953 browser extensions

(github.com)

Comments

cbsks 5 February 2026
Looks like Firefox is immune.

This works by looking for web accessible resources that are provided by the extensions. For Chrome, these are available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH] https://developer.chrome.com/docs/extensions/reference/manif...

On Firefox, web accessible resources are available at "moz-extension://<extension-UUID>/myfile.png". <extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
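
Added example (not part of the thread or of the linked repository): a defender-side audit of an extension's manifest.json that lists which web accessible resources a page at a given origin could request at the static chrome-extension:// URL described above. The manifests are constructed, the match-pattern handling is simplified to scheme and host, and it assumes Chrome enforces the documented `matches` and `use_dynamic_url` manifest keys.

```javascript
// Audit a Chrome extension manifest for resources a web page can request at
// chrome-extension://<id>/<path>. Added example; sample manifests are constructed.

// Does a match pattern (e.g. "https://*.example.com/*") cover the page origin?
function patternCoversOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\//.exec(pattern);
  if (!m) return false;
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  if (m[1] !== "*" && m[1] !== scheme) return false;
  const host = m[2];
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === host;
}

// Return the resource paths a page at `origin` can load using the extension's
// static ID, i.e. the paths that reveal the extension is installed.
function probeableResources(manifest, origin) {
  const exposed = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {      // Manifest V2: visible to every site
      exposed.push(entry);
      continue;
    }
    if (entry.use_dynamic_url) continue;  // MV3: only a per-session ID is served
    const matches = entry.matches || [];  // none => only extension_ids apply
    if (matches.some((p) => patternCoversOrigin(p, origin))) {
      exposed.push(...entry.resources);
    }
  }
  return exposed;
}

// Constructed manifests: one exposes an icon to all sites, one scopes it.
const broad = { manifest_version: 3, web_accessible_resources: [
  { resources: ["img/icon.png"], matches: ["<all_urls>"] }] };
const scoped = { manifest_version: 3, web_accessible_resources: [
  { resources: ["img/icon.png"], matches: ["https://*.example.com/*"] },
  { resources: ["inject.js"], matches: ["<all_urls>"], use_dynamic_url: true }] };

console.log(probeableResources(broad, "https://www.linkedin.com"));
console.log(probeableResources(scoped, "https://www.linkedin.com"));
```

An empty result for an origin means that origin has no static-ID resource to test for; scoping `matches` to the sites the extension actually serves is the change an extension author controls.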

rdoherty 5 February 2026
Skimming the list, looks like most extensions are for scraping or automating LinkedIn usage. Not surprising as there's money to be made with LinkedIn data. Scraping was a problem when I worked there, the abuse teams built some reasonably sophisticated detection & prevention, and it was a constant battle.
bastard_op 5 February 2026
Chrome is the new IE6. Google set themselves up to be the next Microsoft and is "ad friendly" in all the creepy ways because that's what Google IS: an ad company. All they've contributed to security is diminishing the capability of adblockers and letting malware do bad things to you as consumers.
minkeymaniac 5 February 2026
I can confirm.. open up LinkedIn.. hit F12 and watch the error count keep going up and up and up

Screenshots found here https://x.com/DenisGobo/status/2018334684879438150

shouldnt_be 5 February 2026
I wrote an article about it a couple of months ago. I also explain why, how and a way to prevent it.

https://javascript.plainenglish.io/the-extensions-you-use-ar...

avastel 5 February 2026
I wrote a blog post recently about the technique used by LinkedIn to do extension probing, as well as other ways to do it with fewer side effects

https://blog.castle.io/detecting-browser-extensions-for-bot-...

Banditoz 6 February 2026
LinkedIn has been employing a lot of strange dark patterns recently:

* Overriding scroll speed on Firefox Web. Not sure why.

* Opening a profile on mobile web, then pressing back to go to last page, takes me to the LinkedIn homepage every time.

* One of their analytic URLs is a randomly generated path on www.linkedin.com, supposedly to make it harder to block. Regex rules on uBlock Origin sufficiently stop this.

Anyone know why they could be doing this?

mrkramer 5 February 2026
LinkedIn is the worst walled garden of all of them.
ddtaylor 6 February 2026
Does anyone know if Brave has any defense against this like Firefox does?
mongrelion 5 February 2026
Curious question: why would they check for installed extensions on one's browser?
zahlman 5 February 2026
> This repository documents every extension LinkedIn checks for and provides tools to identify them.

I get that the CSV lists the extensions, and the tools are provided in order to show work (mapping IDs to actual software). But how was it determined that LinkedIn checks for extensions with these IDs?

And is this relevant for non-Chrome users?

bitbasher 5 February 2026
Looks like this has been known since 2019.

https://www.nymeria.io/blog/linkedins-war-on-email-finder-ex...

esprehn 18 hours ago
Reading the fingerprint.js is interesting, it's not just the thousands of extensions. It looks like it's also probing for a long list of webgl extensions, fonts, and other capabilities. There's recaptcha v3 references in there too.

Perhaps an overly aggressive attempt to block bots.

bitbasher 5 February 2026
The list of extensions being scanned for is pretty clear and obvious. What is really interesting to me are the extensions _not_ being scanned for that should be.

The big one that comes to mind is "Contact Out" which is scan-able, but LinkedIn seems to pretend like it doesn't exist? Smells like a deal happened behind the scenes...

https://chromewebstore.google.com/detail/email-finder-by-con...

duxup 17 hours ago
I miss when websites were, by default, there to provide me content ...
hasperdi 5 February 2026
Another thing... they alter the localStorage & sessionStorage prototype, by wrapping the native ones with a wrapper that prevents keys that are not in their whitelist from being set.

You can try this by opening devtools and setting

  localStorage.setItem('hi', 123)

deathanatos 6 February 2026
LinkedIn has also started sending a great deal of spam:

  A $7.5B chip merger
  Pinterest prepares layoffs
  Healthcare premiums surge
  Autodesk to cut 7% of jobs
  Ozempic keeps getting cheaper

Since the "unsubscribe" link does not lead to a working page, this seems like a trivial violation of even what laughable protections CAN-SPAM alleges to offer.

And what's with some of these? Bad mouthing employers is an odd choice for a platform that makes its money from them? Or perhaps now all the revenue is ad derived?

dwedge 5 February 2026
I wonder if this is why the LinkedIn feed blocker I installed in Firefox 2 weeks ago stopped working for me within 24 hours
ta988 5 February 2026
So it really is espionage at all levels.
tech234a 5 February 2026
See also: a demo page for the same technique that can enumerate many extensions installed in your browser: https://browserleaks.com/chrome
DOM100 5 February 2026
    const nameA = getName(a).toLowerCase();
    const nameB = getName(b).toLowerCase();
    return nameA.localeCompare(nameB);

    const msg = createDoneMessage();
    msg.style.opacity = '1';

    console.log("Extensions sorted alphabetically!");
    console.table(sortedCards.map(c => ({
        name: getName(c),
        id: c.id || '—'
    })));

alunchbox 15 hours ago
why would they want this type of check? Like what could it possibly be doing for the end customer or features available?
Aurornis 5 February 2026
I suggest everyone take a look at the list of extensions and their names for some very important context: https://github.com/mdp/linkedin-extension-fingerprinting/blo...

I didn't find popular extensions like uBlock or other ad blockers.

The list is full of scammy looking data collection and AI tools, though. Some random names from scrolling through the list:

- LinkedGPT: ChatGPT for LinkedIn

- Apollo Scraper - Extract & Export Apollo B2B Leads

- AI Social Media Assistant

- LinkedIn Engagement Assistant

- LinkedIn Lead Magnet

- LinkedIn Extraction Tool - OutreachSheet

- Highperformr AI - Phone Number and Email Finder

- AI Agent For Jobs

These look like the kind of tools scummy recruiters and sales people use to identify targets for mass spamming. I see several AI auto-application tools in there too.

input_sh 5 February 2026

    cut -d',' -f2 chrome_extensions_with_names_all.csv | grep -c "AI"
    474

Only 16%!?
PaulHoule 18 hours ago
No wonder it is so slow to load.
insin 5 February 2026
So every Chrome extension that wants to avoid being detected this way needs to proxy fetch() on the target site, imagining someone with a bunch of them installed having every legit HTTP request on the target site going through a big stack of proxies
jmyeet 6 February 2026
I started using Chrome at version 2 I think. It still had the 3D logo. It was such a breath of fresh air and the big innovation was running one process per tab. Firefox existed but the entire browser could (and did) hang. And IE was... well, IE.

I did have a relatively early beef with Chrome though, which was I couldn't completely opt out of Flash. As in, I didn't even want it installed. This turned out to be an issue because Flash turned out to be one of the earliest vectors for so-called "zombie cookies".

Fingerprinting in general has been a longstanding problem and has become more and more advanced.

Add to this that Google is, first and foremost, an advertising business and they've become increasingly hostile to ad-blocking tech for obvious reasons.

Basically what I'm getting at is something I couldn't have imagined a decade ago where I think I really have to switch away from Chrome to something that takes privacy and security seriously so that LinkedIn can't do things like this. And I increasingly don't trust Google to do that.

I actually have more trust in Apple because they have historically been user-focused eg blocking Meta's third party cookies. But obviously Safari isn't an option because it's not cross-platform.

I'm not sure I trust the current state of Mozilla. What's the alternative? Brave? Is Opera still a thing? I honestly don't know.

What I really want is a cross-platform browser written in Rust that black-holes ads out of the box. Why Rust? Memory safety. I simply don't trust a large C/C++ code to never have buffer overruns. Memory safety has become too important.

I don't want my browser to provide information on what extensions I'm using to a site and that shouldn't be a thing I have to ask for or turn on in any way.

ece 6 February 2026
Cover your tracks from EFF doesn't seem to check extensions? Are there other fingerprint tests to use?
ramuel 5 February 2026
We live in the best timeline.
fHr 6 February 2026
LinkedIn is such a shitty wannabe HR adult day care recruiting bs platform, if it would go offline tomorrow and never came back not a single tear would be shed by any Engineer.
unstatusthequo 5 February 2026
I’m probably on the list. I made a LinkedIn Redactor that allowed you to add keywords and remove posts from your thread that included such words. It’s the X feature but for LinkedIn. Anyway, got a cease and desist from those lame fucks at LI. So I removed it from the Chrome store but it’s still available on GitHub.
lapcat 5 February 2026
[removed]
DrStartup 5 February 2026
Set up a quick CDP connection. Have Claude Code attach and inject JS into Page.addScriptToEvaluateOnNewDocument. Loads before the page.

Typical early hooks:

* fetch wrapper

* XMLHttpRequest.prototype.open/send wrapper

* WebSocket constructor wrapper

* history.pushState/replaceState wrapper

* EventTarget.addEventListener wrapper (optional, heavy)

* MutationObserver for DOM diffs

* Error + unhandledrejection capture