by gkoberger 2722 days ago
The repo says "A look at how LinkedIn spies on its users"

I'm not convinced this is LinkedIn spying on users... rather, it's them protecting its users from the spammy people using these extensions. There's not a single extension on that list that doesn't result in someone getting an unsolicited email.


Here's the full list; they're all spammy recruiting/sales extensions (nothing legit like uBlock or LastPass):

    daxtra
    SalesloftProspector
    SalesLoftCadence
    discoverly
    Ecquire
    Ebstabullhorn
    EbstaSalesforce
    ProspectHive
    talentbin
    Entelo
    Nimble
    amazinghiring
    colabo extension
    StepWells(colabo)
    found.ly
    datananas
    Linkedin-Hubspot Connector
    dux-soup(fixed)
    data Scraper
    aevy
    Lusha
    Lead Generator
    Candidate.ai
    Email Hunter
    Prospectify
    iMacros
    Prophet
    Leadiq
    HirEtuaL
    Contact Out
    Prospect.io
    saleslift.io
    Skrapp
    Slik
    CleverStaff
    Linked Helper
    Get Email
    Sourcehub
    Salestools
    SellHack
    Sourcebreaker
    turboHiring
    LinMailPro
    LinMailNavigator
    Leonard for Linkedin
    LinkeLead
    Loxo Social import
    Jlenty
    Social2Sugar
    Emply
    Linkedroid
    eLink Pro
    LinkMatch for zoho CrM
    LinkMatch for zoho recruit
    inkMatch for CatS
    LinkMatch for PCrecruiter
    LinkMatch for Pipedrive
    LinkMatch for Greenhouse
    Snapaddy Grabber
    ramper
    Linklead.io
    alore.io
    Hr-Skyen
    SeekOut
    Leadkedin
    icebreaker
    Spider for Linkedin
    recruiterNerd
    Crelate
    EyeMail
    Sales Lead Multiplier
    Email Finder
    Linkedin assistant Lily
    auto Connect tools Lily
    adapt Prospector
    Leadconnect
    Linkedbot
    People.camp
    instant data Scraper
    LinkMe tool
    adorito
    gay2sms
    Lusha (FireFox Extension)
    LinkedPro
    LeadGibbon
    Socialbff
And here's the code you can run yourself: https://pastebin.com/Ux684VtL
> There's not a single extension on that list that doesn't result in someone getting an unsolicited email.

Nimble is just a CRM. Their extension does not crawl for email addresses, as far as I remember. Why does LinkedIn need to "protect its users" from it? Isn't it rather to protect itself against the competition?

iMacros is a legit extension. But yeah, I guess there are recruiters using it to spam people.
Agree. iMacros is a completely fine macro recorder. Similar extensions like Kantu and Selenium IDE are not in the list.
Well, iMacros looks like another scraping tool, while those others look like testing tools that can be used for scraping.
>gay2sms

That's a malware, isn't it?

No idea, but if it is, and this is about protecting users from malicious addons, why did LinkedIn not just report that extension to Google?
> result in someone getting an unsolicited email.

That's pretty ballsy to bring up in a defense of LinkedIn.

Right. It ought to be "... result in someone getting an unsolicited email that didn't earn income for LinkedIn".
Well, another good reason for LinkedIn to do this is to protect their revenues. I heard of headhunters who don't want to pay their (high) monthly subscription fees and instead "hack" their system. I guess "hacking" includes using these extensions.
Right. I once worked for a company that was trying to perform a business “matchmaking” service. We considered, as part of the implementation possibility-space, scraping people’s connections from LinkedIn in order to enhance our results. But LinkedIn has many advanced anti-scraping heuristics in their backend; this is just one of many. So we scrapped that option (before ever getting around to considering the ethics of it.)
Can you link to where they say that? I would figure someone doing something so helpful for users would at least document it. There's no reason to be surreptitious when doing such a favor. One wonders if they'll start offering a LinkedIn AntiVirus download with such an altruistic approach towards protecting users from what they have installed.
I think you're misunderstanding. LinkedIn isn't protecting the people with the extensions installed; they're protecting users FROM the people with the extensions.
Where they'll happily throw the same people under the bus if the user with the extensions installed is paying for an expensive recruiter license. Curious!
Ah, as an anti-scraper/anti-bot method, every user has all these local network requests made? Maybe it's the true reason, maybe not. Transparency is key here to assume anything more than the worst. Of course any of the rest of us with a modicum of smarts would just side load a custom extension via CLI args (or we'd just browser automate, headless if not detected). Even given the most generous justification, it reeks of careless decision makers playing whack-a-mole (likely fruitlessly) with the users in the crossfire.
I think it's a cat and mouse game. The more that Linkedin publishes about their anti-spam techniques, the more information spammers have to try to evade those anti-spam techniques.
I know one company at least that sets up a proxy physically near their clients to obscure that they have a team in the Philippines manually assisting clients with their LinkedIn profiles.

Ultimately they need to police actual negative behaviour, not the mechanics of how people are doing it. But that means potentially restricting engagement of some of their most active users as well.

It can seem that way with server-side anti-scraping techniques with brute force detection and the like. But at some point you have to accept that playing the game on the client-side needs to stop escalating once you're making dozens of local extension resource requests in a user's browser. It makes me want to publish and maintain a legit scraper for LinkedIn that replicates human interaction. They'd DMCA the repo I'm sure, but it goes to show who fights against the open web. I see a "get X, Y, and Z features for free when you use LinkedIn Desktop instead of the website" coming.
> I see a "get X, Y, and Z features for free when you use LinkedIn Desktop instead of the website" coming.

...and then the scrapers replicate interaction with that app instead. UI automation isn't hard these days.

Why do we accept this argument of obscurity, when discussing security vulnerabilities proper doesn't elicit the same response?

Why is obscurity OK in these situations? Wouldn't we all benefit with removing scammers if everyone legitimate worked together in the public? It's easy to defeat a single adversary. It's mighty hard to defeat a cooperating team.

Security vulnerabilities tend to be pretty binary. Either the vulnerability is there and it's exploitable, or it isn't. And once there's a fix, deploying that fix will permanently solve that problem.

Fighting abuse is different. The abusers are using the same request endpoints that the real users are, but just in a way that the service provider doesn't approve of. (Whether it's sending spam, payment fraud, scraping, or something else). There's no single hole to plug, unless you block all the requests outright which also affects real users. Instead you have to classify the incoming traffic, find out the abusive subset, and then act on it appropriately. But unlike with vulnerabilities this doesn't solve the problem permanently.

The moment attackers find out which signals are used by a site, they can start faking them or working around the signals. As a simple example, early email spam classifiers worked by simple matching against a blacklist of highly spammy terms. So the spam adapted to using creative mis-spellings like "v1agra".

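An added illustration of the blacklist-then-evasion pattern described in the comment above (example code written for this page, not from the thread, the pastebin, or LinkedIn): a first-generation term blacklist beside a version that folds leetspeak and inserted separators, run over constructed messages. The blacklist terms and messages are made up for the demonstration.

```python
import re

# Constructed blacklist of spammy terms (illustrative only, not a real filter list).
BLACKLIST = ("viagra", "cheap pills", "free money")

# Digit/symbol substitutions commonly used to dodge exact term matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def naive_hits(text: str) -> list[str]:
    """First-generation filter: case-insensitive exact substring match."""
    lowered = text.lower()
    return sorted(term for term in BLACKLIST if term in lowered)


def normalize(text: str) -> str:
    """Fold the evasions seen so far: case, leetspeak digits, and separators
    such as dots or spaces inserted between letters ("v.i.a.g.r.a")."""
    folded = text.lower().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", folded)


def normalized_hits(text: str) -> list[str]:
    """Second-generation filter: match blacklist terms against the normalized text.
    Folding whitespace raises false positives ("carefree money" now matches);
    that precision cost, and the next round of evasions, is the point of the thread."""
    squashed = normalize(text)
    return sorted(term for term in BLACKLIST if normalize(term) in squashed)


# Constructed sample messages: plain spam, two evasions, and a clean message.
SAMPLES = {
    "plain":  "Buy VIAGRA now!",
    "leet":   "Buy v1agra n0w, ch3ap p1ll5!",
    "dotted": "F.r.e.e m.o.n.e.y inside",
    "clean":  "Lunch on Friday? Bring your slides.",
}


def compare(samples: dict[str, str]) -> dict[str, tuple[list[str], list[str]]]:
    """Return {label: (naive hits, normalized hits)} for each sample message."""
    return {label: (naive_hits(msg), normalized_hits(msg)) for label, msg in samples.items()}


if __name__ == "__main__":
    for label, (old, new) in compare(SAMPLES).items():
        print(f"{label:7} naive={old} normalized={new}")
```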
LinkedIn doesn’t publish anything about their anti-spam techniques. This was published by a third party, because it was a client-side feature that third parties could discover. Most of LinkedIn’s anti-bot logic is on the backend and completely opaque.
In my mind I am associating this with LinkedIn's failed attempt to keep scrapers off their website by suing them (ref: https://arstechnica.com/tech-policy/2017/08/court-rejects-li...)

Other companies are making money with these extensions on LinkedIn's website and LinkedIn is not happy about it