惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

酷 壳 – CoolShell
酷 壳 – CoolShell
GbyAI
GbyAI
SecWiki News
SecWiki News
Project Zero
Project Zero
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy International News Feed
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
A
Arctic Wolf
Security Latest
Security Latest
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog
Apple Machine Learning Research
Apple Machine Learning Research
T
Tailwind CSS Blog
The Hacker News
The Hacker News
T
Tenable Blog
雷峰网
雷峰网
有赞技术团队
有赞技术团队
V
V2EX
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threat Research - Cisco Blogs
T
Threatpost
AWS News Blog
AWS News Blog
L
LINUX DO - 热门话题
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
SegmentFault 最新的问题
月光博客
月光博客
Spread Privacy
Spread Privacy
S
Secure Thoughts
宝玉的分享
宝玉的分享
博客园 - 三生石上(FineUI控件)
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
The Last Watchdog
The Last Watchdog
Y
Y Combinator Blog
I
Intezer
博客园 - 【当耐特】
B
Blog RSS Feed
Attack and Defense Labs
Attack and Defense Labs
I
InfoQ
博客园 - 叶小钗
Cyberwarzone
Cyberwarzone
V2EX - 技术
V2EX - 技术
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
H
Help Net Security
C
CERT Recently Published Vulnerability Notes

Security Affairs

Copy Fail: New Linux bug enables Root via page‑cache corruption Agent’s claims on WhatsApp access spark security concerns Meta accused of violating DSA by failing to safeguard minors Large-scale Roblox hacking operation shut down by Ukrainian authorities CVE-2026-42208: LiteLLM bug exploited 36 hours after its disclosure Internet censorship index reveals Russia’s lead and widespread content blocking All supported cPanel versions hit by critical auth bug, now patched U.S. CISA adds Microsoft Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog ShinyHunters exploit Anodot incident to target Vimeo CVE-2026-3854 GitHub flaw enables remote code execution Signal Phishing Campaign Targets German Officials in Suspected Russian Operation Microsoft fixes Entra ID flaw enabling privilege escalation New Android spyware Morpheus linked to Italian surveillance firm NCSC launches SilentGlass, a plug-in device to secure HDMI and DisplayPort links Medtronic discloses security incident after ShinyHunters claimed theft of 9M+ records Chinese spy posed as researcher in spear-phishing campaign targeting NASA to steal defense software Firefox bug CVE-2026-6770 enabled cross-site tracking and Tor fingerprinting Fast16: Pre-Stuxnet malware that targeted precision engineering software Italy moves to extradite Chinese national to the U.S. over hacking charges U.S. utility giant Itron discloses a security breach Critical bug in CrowdStrike LogScale let attackers access files GopherWhisper: new China-linked APT targets Mongolia with Go-based malware SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 94 Trigona ransomware adopts custom tool to steal data and evade detection Security Affairs newsletter Round 574 by Pierluigi Paganini – INTERNATIONAL EDITION U.S. CISA adds SimpleHelp, Samsung, and D-Link flaws to its Known Exploited Vulnerabilities catalog Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw (CVE-2026-3844) CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network 12-year-old Pack2TheRoot bug lets Linux users gain root privileges Signal phishing campaign targets Germany’s Bundestag President Julia Klöckner China-linked threat actors use consumer device botnets to evade detection, warn UK and partners Luxury cosmetics giant Rituals discloses data breach impacting member personal details iOS Flaw Let Deleted Notifications Linger, Apple Issues Fix RAMP Uncovered: Anatomy of Russia’s Ransomware Marketplace U.S. CISA adds a flaw in Microsoft Defender to its Known Exploited Vulnerabilities catalog Microsoft Graph API misused by new GoGra Linux malware for hidden communication DDoS wave continues as Mastodon hit after Bluesky incident Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw Critical BRIDGE:BREAK flaws impact Lantronix and Silex Technology converters Venezuela energy sector targeted by highly destructive Lotus wiper Ransomware negotiator caught secretly assisting BlackCat extortion scheme North Korea’s Lazarus APT stole $290M from Kelp DAO The US NSA is using Anthropic’s Claude Mythos despite supply chain risk U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility France’s ANTS ID System website hit by cyberattack, possible data breach Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft CVE-2023-33538 under attack for a year, but exploitation still unsuccessful Third-party AI hack triggers Vercel breach, internal environments accessed AI Model Claude Opus turns bugs into exploits for just $2,283 Cyber attacks fuel surge in cargo theft across logistics industry SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 93 Security Affairs newsletter Round 573 by Pierluigi Paganini – INTERNATIONAL EDITION Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware Nexcorium Mirai variant exploits TBK DVR flaw to launch DDoS attacks Microsoft Defender under attack as three zero-days, two of them still unpatched, enable elevated access Kyrgyzstan-based crypto exchange Grinex shuts down after $13.7M cyber heist, blames Western Intelligence DraftKings hacker sentenced to prison, ordered to pay $1.4 Million Operation PowerOFF: 53 DDoS domains seized and 3 Million criminal accounts uncovered Inside ZionSiphon: politically driven malware aims at Israeli water systems U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog Cisco fixed four critical flaws in Identity Services and Webex Cookeville Regional Medical Center hospital data breach impacts 337,917 people AI platform n8n abused for stealthy phishing and malware delivery From clinics to government: UAC-0247 expands cyber campaign across Ukraine Sweden reports cyberattack attempt on heating plant amid rising energy threats CVE-2026-33032: severe nginx-ui bug grants unauthenticated server access U.S. CISA adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog Mirax malware campaign hits 220K accounts, enables full remote control PHP Composer flaws enable remote command execution via Perforce VCS Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day Personal data of 1 million gym members compromised in Basic-Fit security incident US, UK and Canada disrupt $45M crypto theft in Operation Atlantic ShinyHunters claim the hack of Rockstar Games breach and started leaking data Attackers target unpatched ShowDoc servers via CVE-2025-0520 U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog Fake Claude AI installer abuses DLL sideloading to deploy PlugX Hackers access Booking.com user data, company secures systems iPhone forensics expose Signal messages after app removal in U.S. case Citizen Lab: Webloc tracked 500M devices for global law enforcement Iran-linked group Handala claims to have breached three major UAE organizations CPUID watering hole attack spreads STX RAT malware Adobe fixes actively exploited Acrobat Reader flaw CVE-2026-34621 Hackers claim control over Venice San Marco anti-flood pumps SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 92 Security Affairs newsletter Round 572 by Pierluigi Paganini – INTERNATIONAL EDITION Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S. GlassWorm evolves with Zig dropper to infect multiple developer tools CVE-2026-39987: Marimo RCE exploited in hours after disclosure Ransomware attack on ChipSoft knocks EHR services offline across hospitals in the Netherlands and Belgium UAT-10362 linked to LucidRook attacks targeting Taiwan-based institutions EngageLab SDK flaw opens door to private data on 50M Android devices Bitcoin Depot hack leads to $3.6M Bitcoin theft via stolen credentials Eurail data breach impacted 308,777 people Malicious PDF reveals active Adobe Reader zero-day in the wild Masjesu botnet targets IoT devices while evading high-profile networks The alleged breach of China’s National Supercomputing Center can have serious geopolitical consequences Internet-Exposed ICS Devices Raise Alarm for Critical Sectors U.S. CISA adds a flaw in Ivanti EPMM to its Known Exploited Vulnerabilities catalog
LINKEDIN BROWSERGATE
Pierluigi Pa · 2026-04-27 · via Security Affairs

BrowserGate claims LinkedIn secretly fingerprints users via extensions and device data, sending encrypted results to third parties for tracking.

BrowserGate is an investigation conducted by Fairlinked (https://browsergate.eu/), an association of commercial LinkedIn users, which documents what it describes as one of the largest data breach and corporate espionage scandals in digital history. The central thesis: every time one of the billions of users visits linkedin.com, hidden code scans the computer for installed software, collects the results, and transmits them to LinkedIn servers and third-party companies, including a US-Israeli cybersecurity firm.

The user is never informed nor asked for consent. LinkedIn’s privacy policy makes no mention of it.

Technical Architecture of the Attack

The system consists of three cooperating modules within a single JavaScript bundle (Webpack chunk.905, ~2.7 MB, Ember.js framework):

SystemInternal NameFunction
APFC / DNAtriggerApfc, triggerDnaApfcEventDevice fingerprinting: 48 browser characteristics
AEDAedEvent, fetchExtensionsActive extension scanning via fetch()
SpectroscopySpectroscopyEvent, scanDOMForPrefixPassive DOM scanning

Stage 1 — Active Extension Detection (AED)

Inside Webpack module 75023, there is a hardcoded array with entries in the form {id: “…”, file: “…”} where id is the Chrome Web Store extension ID and file is a path to an internal extension resource declared as web-accessible.

The probing mechanism:

Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When it is not installed, Chrome blocks the request and the promise is rejected.

Method 1 — Parallel batch scan: All fetch() requests are launched simultaneously via Promise.allSettled(). Each request that resolves as “fulfilled” indicates that extension is installed.

Method 2 — Staggered sequential scan: An alternative that probes one extension at a time with a configurable delay (staggerDetectionMs) between each request. This allows LinkedIn to throttle the scan, reducing its visibility in network monitoring tools and its CPU impact.

Scale of the list: In December 2025 the array contained 5,459 entries. By February 2026 it had grown to 6,167. The array alone occupies approximately 409,000 characters of source code. LinkedIn added 708 extensions between December 2025 and February 2026 — roughly 12 new extensions per day.

Stage 2 — Passive DOM Scanning (Spectroscopy)

Independently from AED, LinkedIn runs a second system that traverses the entire DOM tree looking for evidence of extension activity. Many Chrome extensions inject elements into web pages; when they do, the injected content often contains references to the internal URL scheme of extensions (chrome-extension://). Spectroscopy finds these references.

The function recursively inspects every node: for text nodes it checks whether the text contains chrome-extension://; for element nodes it checks every attribute value. When a match is found, it extracts the 32-character extension ID from the URL.

The complementarity of the two methods is by design:

MethodTechniqueWhat it detects
AEDfetch() on known resource pathsInstalled extensions, even if they inject nothing into the page
SpectroscopyDOM tree walkExtensions that actively modify the page, even if not in the list

Device Fingerprinting — APFC/DNA

The APFC (Anti-fraud Platform Features Collection) system, also internally referred to as DNA (Device Network Analysis), collects 48 distinct browser characteristics, including: local IP address via WebRTC, connected devices (cameras, microphones, speakers) via enumerateDevices, number of CPU cores, device RAM, canvas fingerprint, WebGL fingerprint with 65+ parameters, AudioContext fingerprint, installed system fonts, battery status, network information, and detection of incognito mode, automation, and Do Not Track.

Feature #23 deserves attention: LinkedIn collects the user’s Do Not Track preference, then excludes it from the fingerprint hash. They record that you asked not to be tracked. Then they track you.

Transmission and Encryption

The fingerprint payload is serialized to JSON, encrypted with an RSA public key identified as apfcDfPK, and transmitted to two endpoints: /platformtelemetry/li/apfcDf and /apfc/collect. The encrypted fingerprint is also injected as an HTTP header in all subsequent API requests made during the user’s session: it is not sent just once, but accompanies every API call for the entire duration of the visit.

Third Parties Involved

HUMAN Security (formerly PerimeterX): LinkedIn loads a hidden 0×0 pixel iframe from li.protechts.net, positioned at left: -9999px and marked aria-hidden=”true”, which reads and sets PerimeterX cookies (_px3, _pxhd, _pxvid, _pxcts) via cross-origin postMessage.

Merchant Pool: a separate device fingerprinting script is loaded from merchantpool1.linkedin.com, passing the user’s session cookie and a hardcoded instance ID.

Google reCAPTCHA v3 Enterprise: loaded on every page load with action “onPageLoad”.

Anti-Detection Design

Several implementation choices reveal that the system was designed to avoid detection: idle execution via requestIdleCallback (no visible performance impact), staggered probing to distribute thousands of requests over time, a 0×0px hidden iframe for HUMAN Security, silent error handling with empty catch blocks that log nothing to the console, and RSA encryption of the payload that makes the content unreadable even to those inspecting network traffic.

Legal and Regulatory Implications

The scan reveals religious beliefs, political opinions, disabilities, and job-seeking activity of identified individuals. LinkedIn scans extensions that identify practicing Muslims, political orientation, tools for neurodivergent users, and 509 job search tools that expose who is secretly looking for work on the very same platform where their current employer can see their profile. Furthermore, LinkedIn scans over 200 products that directly compete with its own sales tools. Knowing each user’s employer, it can map which companies use which competing products — effectively extracting the customer lists of thousands of software companies from users’ browsers. On the DMA front: the scan list has grown from approximately 461 products in 2024 to over 6,000 by February 2026. The EU ordered LinkedIn to open its platform to third-party tools; LinkedIn built a surveillance system to find and punish every user of those tools.

Overall Technical Assessment

This case demonstrates exemplarily how JavaScript in the browser is a first-class attack surface, not only for malicious actors but for legitimate commercial platforms. The technical vectors exploited — fetch() on chrome-extension://, DOM traversal, WebRTC IP leak, canvas/WebGL/audio fingerprinting, cross-origin iframe — are all legitimate browser APIs, not exploits. No CVE is required to conduct mass intelligence gathering on a billion users.

Vulnerable Browsers and Defense Strategies

Which browsers are vulnerable? The primary vector — AED scanning via fetch() on chrome-extension:// — is architecturally Chromium-specific. The code performs an explicit check: if the browser does not report “Chrome” in the user agent string, the scan does not start. However, as is often the case with cyber topics of this kind, the real picture is more nuanced.

BrowserEngineVulnerable AEDVulnerable SpectroscopyVulnerable APFC FingerprintNotes
ChromeChromium/BlinkYesYesYesPrimary attack vector
EdgeChromium/BlinkYesYesYesIdentical to Chrome for this vector
BraveChromium/BlinkPartial*YesPartial*Shield anti-fingerprint degrades APFC
Opera / ArcChromium/BlinkYesYesYes 
VivaldiChromium/BlinkYesYesYes 
FirefoxGeckoNo**Partial***Partialmoz-extension:// incompatible with LinkedIn list
LibreWolfGeckoNoReducedMany blocked by defaultRFP active by default, recommended choice
Tor BrowserGeckoNoVery reducedFingerprint resistantMaximum APFC protection
Firefox ESRGeckoNoPartial***PartialManual hardening required
Apple SafariWebKitNo****No*****Partial (ITP)macOS/iOS only — closed source
Safari on iOSWebKit (mandatory)NoNoVery reducedAll iOS browsers use WebKit per App Store policy
lynx / w3mNoneNoNoNoNo JS — no active vector

Table Notes

* Brave: blocks some cross-origin requests and has anti-fingerprinting shields that degrade APFC, but extensions still use chrome-extension:// — AED works unless shields are at maximum.

** Firefox — AED: uses moz-extension:// instead of chrome-extension://. LinkedIn’s hardcoded list (6,167 entries with Chrome Web Store IDs) is structurally incompatible. The userAgent.indexOf(“Chrome”) check fails as a second exclusion layer.

*** Firefox — Spectroscopy: if an extension injects elements into the DOM with references to moz-extension://, Spectroscopy does not find them because it only searches for the string chrome-extension://. De facto protection.

**** Safari — AED: double protection: user agent does not contain “Chrome” → module is not executed; the Safari extension URI scheme is safari-web-extension:// → incompatible with the list.

***** Safari — Spectroscopy: Safari extensions do not inject URLs with the chrome-extension:// scheme into the DOM → no possible match.

Residual APFC Vectors on Safari (detail)

APFC FeatureSafariReason
WebRTC IP leak (#1)PartialSafari limits WebRTC but does not disable it
Canvas fingerprint (#36)ITP adds noiseNot eliminated, degraded
WebGL (#37)VulnerableAvailable and fingerprintable
AudioContext (#42)PartialNoise added by Safari 17+
Battery API (#41)ImmuneApple never implemented the Battery Status API
enumerateDevices (#2)PartialRequires explicit permission
Font enumeration (#46-47)PartialITP limits, does not eliminate
HUMAN Security iframeVulnerableCookie partitioned by ITP, but iframe loaded
reCAPTCHA v3VulnerableLoaded on any browser

Safari deserves a separate analysis because it has a completely different extension architecture.

Safari — BrowserGate Vulnerability Analysis

Safari Extension URI Scheme

Safari does not use chrome-extension:// or moz-extension://. It uses a completely different scheme: safari-web-extension://

Up to Safari 13 (and earlier versions), extensions used yet another different scheme (safari-extension://). This means that LinkedIn’s hardcoded list — built entirely on 32-character Chrome Web Store IDs — is structurally incompatible with Safari.

The explicit check in the LinkedIn code confirms this:

function s() {

    return window?.navigator?.userAgent?.indexOf(“Chrome”) > -1;

}

if (!a() || !s()) return; // exits if not Chrome

On Safari, navigator.userAgent does not contain the string “Chrome” — it contains “Safari” and “WebKit”. The check fails and the entire AED module is not executed.

Residual Vulnerabilities on Safari

VectorSafari vulnerable?Notes
AED (fetch() on chrome-extension://)NoUser agent check fails + different scheme
Spectroscopy (DOM walk for chrome-extension://)NoSafari extensions do not inject URLs with that scheme
WebRTC IP leak (APFC #1)PartialSafari limits WebRTC, but does not disable it
Canvas fingerprint (APFC #36)Yes with limitsITP adds noise, but does not eliminate the vector
WebGL fingerprint (APFC #37)YesWebGL available and fingerprintable
AudioContext (APFC #42)PartialSafari adds noise to AudioContext from Safari 17
enumerateDevices (APFC #2)PartialRequires explicit permission
Font enumeration (APFC #46-47)PartialITP limits, does not eliminate
Battery API (APFC #41)NoApple never implemented Battery Status API
HUMAN Security iframeYesLoadable on any browser
Google reCAPTCHA v3YesLoadable on any browser
Merchant Pool scriptYesLoadable on any browser

The Role of ITP — Intelligent Tracking Prevention

Safari has a structural defense that other browsers lack by default: ITP (Intelligent Tracking Prevention), developed by Apple’s WebKit team. ITP operates at the engine level, not the extension level:

  • Partitions third-party cookie storage by first-party domain
  • Blocks cross-site tracking based on redirects
  • Limits document.cookie access for third-party scripts
  • Since 2023: also partitions the HTTP cache to prevent cache-timing attacks

This does not directly block APFC, but significantly degrades the effectiveness of cross-session tracking. The HUMAN Security iframe (li.protechts.net) is loaded but its cookies are partitioned — it cannot correlate your identity across different sessions on different sites.

Safari on iOS/iPadOS

On iOS and iPadOS the situation is even more privacy-friendly:

  • All browsers on iOS are required to use WebKit (App Store policy) — so even Chrome on iOS uses WebKit, not Blink, and does not support chrome-extension:// in the Chromium sense
  • Browser extensions on iOS have far more limited capabilities
  • WebRTC is more restricted
  • Battery API not available

On iPhone/iPad, BrowserGate is essentially inoperative on any browser.

Safari’s Limitations as a Security Choice

Despite its advantages, Safari is not the optimal choice for all contexts:

✓ Pros✗ Cons
• ITP is the best built-in anti-tracking system in a mainstream browser • No AED vulnerability by design • Battery API not implemented • Updated via OS updates — no patching delay• Available only on macOS and iOS — irrelevant for Linux/OpenBSD • Closed source — cannot be independently verified • Extensions very limited compared to Firefox • WebGL and canvas fingerprinting remain active vectors • ITP is not a substitute for Firefox’s privacy.resistFingerprinting

Safari is immune to BrowserGate’s primary vector (AED extension scanning) for solid architectural reasons: a different URI scheme and a user agent check that explicitly excludes non-Chromium browsers. ITP further reduces the effectiveness of cross-session fingerprinting.

And for LinkedIn in particular: any Firefox with a clean profile and RFP enabled beats Safari on APFC fingerprinting, because privacy.resistFingerprinting is more aggressive than ITP.

About the author: Pietro Cornelio

IT professional with 25+ years’ experience in electronics and CS, expert in system design, R&D, telecoms, and open-source.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BrowserGate)