LinkedIn is facing allegations that it quietly scans users' browsers for installed Chrome extensions. The German group Fairlinked e.V. goes so far as to claim that the site is "running one of the largest corporate espionage operations in modern history."

"The program runs silently, without any visible indicator to the user," the group says. "It does not ask for consent. It does not disclose what it is doing. It reports the results to LinkedIn's servers. This is not a one-time check. The scan runs on every page load, for every visitor." PCMag reports: This browser extension "fingerprinting" technique has been spotted before, but it was previously found to probe only 2,000 to 3,000 extensions. Fairlinked alleges that LinkedIn is now scanning for 6,222 extensions that could indicate a user's political opinions or religious views. For example, the extensions LinkedIn will look for include one that flags companies as too "woke," one that can add an "anti-Zionist" tag to LinkedIn profiles, and two others that can block content forbidden under Islamic teachings.

It would also be a cakewalk to tie the collected extension data to specific users, since LinkedIn operates as a vast professional social network that covers people's work history. Fairlinked's concern is that Microsoft and LinkedIn can allegedly use the data to identify which companies use competing products. "LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets," the group claims. However, LinkedIn claims that Fairlinked mischaracterizes a LinkedIn safeguard designed to prevent web scraping by browser extensions. "We do not use this data to infer sensitive information about members," the company says. "To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service," LinkedIn adds.

[...] The statement goes on to allege that Fairlinked is from a developer whose account was previously suspended for web scraping. One of the group's board members is listed as "S.Morell," which appears to be Steven Morell, the founder of Teamfluence, a tool that helps businesses monitor LinkedIn activity. [...] Still, the Microsoft-owned site is facing some blowback for not clearly disclosing the browser extension scanning in LinkedIn's privacy policy. Fairlinked is soliciting donations for a legal fund to take on Microsoft and is urging the public to encourage local regulators to intervene.

BrianFagioli writes: Google says it will finally release Chrome for ARM64 Linux in the second quarter of 2026, bringing the company's full browser to a platform that has existed for years without official support. Until now, Linux users running Arm hardware have largely relied on Chromium builds or unofficial packages if they wanted something close to Chrome. Google says the new build will include the same features found on other platforms, including Google account syncing, Chrome Web Store extensions, built-in translation, Safe Browsing protections, and Google Password Manager.

The timing reflects how ARM hardware is becoming more common across the Linux ecosystem, from developer laptops to AI systems. Google also pointed to NVIDIA's DGX Spark, a compact AI supercomputing device built on the Grace Blackwell architecture, which will support installing Chrome through NVIDIA's package management tools. For many Linux users, the announcement feels like a "finally" moment, as ARM64 Linux systems have been widespread for years despite the absence of an official Chrome build.

A bug report filed on the Chromium Issue Tracker inadvertently exposed Google's desktop Android interface for the first time, revealing a system codenamed "Aluminum OS" running on existing Chromebook hardware. The report, ostensibly about Chrome Incognito tabs, included screen captures from an HP Elite Dragonfly 13.5 Chromebook running Android 16.

The status bar has been redesigned for large screens -- taller than the tablet version, displaying time with seconds, date, battery, Wi-Fi, a notification bell, keyboard language indicator and a Gemini icon. The taskbar remains identical to the current implementation, though the mouse cursor now features a subtle tail. Chrome's interface includes an Extensions button, a feature currently exclusive to the desktop browser. Window controls mirror ChromeOS, placing minimize, fullscreen, and close buttons at the top-right.

An anonymous reader quotes a report from Cyber Press: A newly uncovered Chinese threat group, DarkSpectre, has been linked to one of the most widespread browser-extension malware operations to date, compromising more than 8.8 million users of Chrome, Edge, Firefox, and Opera over the past seven years. According to research by Koi.ai, the group operates three interconnected campaigns: ShadyPanda, GhostPoster, and a newly identified one named The Zoom Stealer, forming a single, strategically organized operation.

DarkSpectre's structure differs from that of ordinary cybercrime operations. The group runs separate but interconnected malware clusters, each with distinct goals. The ShadyPanda campaign, responsible for 5.6 million infections, focuses on long-term user surveillance and e-commerce affiliate fraud. Its extensions have appeared legitimate for years, offering new tab pages and translation utilities, before secretly downloading malicious configurations from command-and-control servers such as jt2x.com and infinitynewtab.com. Once activated, they inject remote scripts, hijack search results, and track browsing activity.

The second campaign, GhostPoster, spreads via Firefox and Opera extensions that conceal malicious payloads in PNG images via steganography. After lying dormant for several days, the extensions extract and execute JavaScript hidden within images, enabling stealthy remote code execution. This campaign has affected over one million users and relies on domains like gmzdaily.com and mitarchive.info for payload delivery.

The most recent discovery, The Zoom Stealer, exposes around 2.2 million users to corporate espionage. These extensions masquerade as productivity tools or video downloaders while secretly harvesting corporate meeting links, credentials, and speaker profiles from more than 28 video conferencing platforms, including Zoom, Microsoft Teams, and Google Meet. The extensions use real-time WebSocket connections to exfiltrate data to Firebase databases, such as zoocorder.firebaseio.com, and to Google Cloud functions, such as webinarstvus.cloudfunctions.net.

An anonymous reader shares a report: Browser extensions with more than 8 million installs are harvesting complete and extended conversations from users' AI conversations and selling them for marketing purposes, according to data collected from the Google and Microsoft pages hosting them.

Security firm Koi discovered the eight extensions, which as of late Tuesday night remained available in both Google's and Microsoft's extension stores. Seven of them carry "Featured" badges, which are endorsements meant to signal that the companies have determined the extensions meet their quality standards. The free extensions provide functions such as VPN routing to safeguard online privacy and ad blocking for ad-free browsing. All provide assurances that user data remains anonymous and isnâ(TM)t shared for purposes other than their described use.

Tech entrepreneur/blogger Anil Dash has been critical of AI browsers like ChatGPT Atlas. (He's written that Atlas "substitutes its own AI-generated content for the web, but it looks like it's showing you the web," while its prompt-based/command-line interface resembles a clunky text adventure, and it's true purpose seems to be ingesting more training data.)

And at the Mozilla Festival in Spain, "Virtually everyone shared some version of what I'd articulated as the majority view on AI, which is approximately that LLMs can be interesting as a technology, but that Big Tech, and especially Big AI, are decidedly awful and people are very motivated to stop them from committing their worst harms upon the vulnerable."

But... Another reality that people were a little more quiet in acknowledging, and sometimes reluctant to engage with out loud, is the reality that hundreds of millions of people are using the major AI tools every day... I don't know why today's Firefox users, even if they're the most rabid anti-AI zealots in the world, don't say, "well, even if I hate AI, I want to make sure Firefox is good at protecting the privacy of AI users so I can recommend it to my friends and family who use AI"...

My personal wishlist would be pretty simple:

* Just give people the "shut off all AI features" button. It's a tiny percentage of people who want it, but they're never going to shut up about it, and they're convinced they're the whole world and they can't distinguish between being mad at big companies and being mad at a technology so give them a toggle switch and write up a blog post explaining how extraordinarily expensive it is to maintain a configuration option over the lifespan of a global product.

* Market Firefox as "The best AI browser for people who hate Big AI". Regular users have no idea how creepy the Big AI companies are — they've just heard their local news talk about how AI is the inevitable future. If Mozilla can warn me how to protect my privacy from ChatGPT, then it can also mention that ChatGPT tells children how to self-harm, and should be aggressive in engaging with the community on how to build tools that help mitigate those kinds of harms — how do we catalyze that innovation?

* Remind people that there isn't "a Firefox" — everyone is Firefox. Whether it's Zen, or your custom build of Firefox with your favorite extensions and skins, it's all part of the same story. Got a local LLM that runs entirely as a Firefox extension? Great! That should be one of the many Firefoxes, too. Right now, so much of the drama and heightened emotions and tension are coming from people's (well... dudes') egos about there being One True Firefox, and wanting to be the one who controls what's in that version, as an expression of one set of values. This isn't some blood-feud fork, there can just be a lot of different choices for different situations. Make it all work.

BrianFagioli shares a report from NERDS.xyz: Mozilla is testing a new Firefox feature that delivers direct results inside the address bar instead of forcing users through a search results page. The company says the feature will use a privacy framework called Oblivious HTTP, encrypting queries so that no single party can see both what you type and who you are. Some results could be sponsored, but Mozilla insists neither it nor advertisers will know user identities. The system is starting in the U.S. and may expand later if performance and privacy benchmarks are met. Further reading: Mozilla to Require Data-Collection Disclosure in All New Firefox Extensions

A web browser linked to Chinese online gambling websites and downloaded millions of times routes all internet traffic through servers in China and covertly installs programs that run in the background, according to findings published by network security company Infoblox. The researchers said the Universe Browser, which advertises itself as offering privacy protection, includes features similar to malware such as key logging and surreptitious connections.

Infoblox collaborated with the United Nations Office on Drugs and Crime on the research. The investigators found links between the browser and Southeast Asia's cybercrime ecosystem, which has connections to money laundering, illegal online gambling, human trafficking and scam operations using forced labor. The browser is directly linked to BBIN, a major online gambling company that has existed since 1999. Infoblox researchers examined the Windows version of the browser and found that it checks users' locations and languages when launched, installs two browser extensions, and disables security features including sandboxing.

"Good news, everyone! The new version of Mozilla's browser now makes even more extensive use of AI," writes the Register, "providing summaries of linked content and offering developers the ability to add LLM support to extensions." Firefox 142 brings some visible shininess, but due to the combination of regional restrictions and Mozilla's progressive rollout system, not everybody can see all the features just yet... Not geofenced but subject to phased rollout are link previews, for various native-English-speaking regions. Hover over, long-press, or right-click a link and pick Preview Link, and a summary should appear. Mozilla's summary says: "Previews can optionally include AI-generated key points, which are processed on your device to protect your privacy."
"Link Previews is gradually rolling out to ensure performance and quality," Firefox says in their release notes, "and is now available in en-US, en-CA, en-GB, en-AU for users with more than 3 GB of available RAM." (The notes also add a welcome for "the developers who contributed their first code change to Firefox in this release, 20 of whom were brand new volunteers!")

The Register notes that Firefox 142 also gives developers the ability to add LLM support to extensions using wllama, a Wasm binding interfacing with llama.cpp, which lets you run Meta's Llama LLM and other models, locally or in the cloud.

Over 240 browser extensions with nearly a million total installs have been covertly turning users' browsers into web-scraping bots. "The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers," reports Ars Technica. "The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions." Ars Technica reports: Some of the data swept up in the collection free-for-all included surveillance videos hosted on Nest, tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive and Intuit.com, vehicle identification numbers of recently bought automobiles along with the names and addresses of the buyers, patient names and the doctors they saw, travel itineraries hosted on Priceline, Booking.com, and airline websites, Facebook Messenger attachments and Facebook photos, even when the photos were set to be private. The dragnet also collected proprietary information belonging to Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, and dozens of other companies.

Tuckner said in an email Wednesday that the most recent status of the affected extensions is:

- Of 45 known Chrome extensions, 12 are now inactive. Some of the extensions were removed for malware explicitly. Others have removed the library.
- Of 129 Edge extensions incorporating the library, eight are now inactive.
- Of 71 affected Firefox extensions, two are now inactive.

Some of the inactive extensions were removed for malware explicitly. Others have removed the library in more recent updates. A complete list of extensions found by Tuckner is here.

Hackers have stolen hundreds of millions of dollars from cryptocurrency holders and disrupted major retailers by targeting outsourced call centers used by American corporations to reduce costs, WSJ reported Thursday. The attackers exploit low-paid call center workers through bribes and social engineering to bypass two-factor authentication systems protecting bank accounts and online portals.

Coinbase faces potential losses of $400 million after hackers compromised data belonging to 97,000 customers by bribing call center workers in India with payments of $2,500. The criminals also used malicious tools that exploited vulnerabilities in Chrome browser extensions to collect customer data in bulk.

TaskUs, which handled Coinbase support calls, shut down operations at its Indore, India facility and laid off 226 workers. Retail attacks targeted Marks & Spencer and Harrods with hackers impersonating corporate executives to pressure tech support workers into providing network access. The same technique compromised MGM Resorts systems in 2023. Call center employees typically possess sensitive customer information including account balances and recent transactions that criminals use to masquerade as legitimate company representatives.

Apple users noticed a change in 2023, "when streaming platforms like Netflix, HBO Max, Amazon Prime, and the Criterion Channel imposed a quiet embargo on the screenshot," noted the film blog Screen Slate: At first, there were workarounds: users could continue to screenshot by using the browser Brave or by downloading extensions or third-party tools like Fireshot. But gradually, the digital-rights-management tech adapted and became more sophisticated. Today, it is nearly impossible to take a screenshot from the most popular streaming services, at least not on a Macintosh computer. The shift occurred without remark or notice to subscribers, and there's no clear explanation as to why or what spurred the change...

For PC users, this story takes a different, and happier, turn. With the use of Snipping Tool — a utility exclusive to Microsoft Windows, users are free to screen grab content from all streaming platforms. This seems like a pointed oversight, a choice on the part of streamers to exclude Mac users (though they make up a tiny fraction of the market) because of their assumed cultural class.
"I'm not entirely sure what the technical answer to this is," tech blogger John Gruber wrote this weekend, "but on MacOS, it seemingly involves the GPU and video decoding hardware..." These DRM blackouts on Apple devices (you can't capture screenshots from DRM video on iPhones or iPads either) are enabled through the deep integration between the OS and the hardware, thus enabling the blackouts to be imposed at the hardware level. And I don't think the streaming services opt into this screenshot prohibition other than by "protecting" their video with DRM in the first place. If a video is DRM-protected, you can't screenshot it; if it's not, you can.

On the Mac, it used to be the case that DRM video was blacked-out from screen capture in Safari, but not in Chrome (or the dozens of various Chromium-derived browsers). But at some point a few years back, you stopped being able to capture screenshots from DRM videos in Chrome, too -- by default. But in Chrome's Settings page, under System, if you disable "Use graphics acceleration when available" and relaunch Chrome, boom, you can screenshot everything in a Chrome window, including DRM video...

What I don't understand is why Apple bothered supporting this in the first place for hardware-accelerated video (which is all video on iOS platforms -- there is no workaround like using Chrome with hardware acceleration disabled on iPhone or iPad). No one is going to create bootleg copies of DRM-protected video one screenshotted still frame at a time -- and even if they tried, they'd be capturing only the images, not the sound. And it's not like this "feature" in MacOS and iOS has put an end to bootlegging DRM-protected video content.
Gruber's conclusion? "This 'feature' accomplishes nothing of value for anyone, including the streaming services, but imposes a massive (and for most people, confusing and frustrating) hindrance on honest people simply trying to easily capture high-quality (as opposed to, say, using their damn phone to take a photograph of their reflective laptop display) screenshots of the shows and movies they're watching."

Microsoft Edge is following Chrome's lead by disabling uBlock Origin and other Manifest V2-based extensions in its browser. Neowin reports: The latest Edge Canary version started disabling Manifest V2-based extensions with the following message: "This extension is no longer supported. Microsoft Edge recommends that you remove it." Although the browser turns off old extensions without asking, you can still make them work by clicking "Manage extension" and toggling it back (you will have to acknowledge another prompt).

Google started phasing out Manifest V2 extensions in June 2024, and it has a clear roadmap for the process. Microsoft's documentation, however, still says "TBD," so the exact dates are not known yet. This leads to some speculating about the situation being one of "unexpected changes" coming from Chromium. Either way, sooner or later, Microsoft will ditch MV2-based extensions, so get ready as we wait for Microsoft to shine some light on its plans.

Another thing worth noting is that the change does not appear to be affecting Edge's stable release or Beta/Dev Channels. For now, only Canary versions disable uBlock Origin and other MV2 extensions, leaving users a way to toggle them back on. Also, the uBlock Origin is still available in the Edge Add-ons store, which recently received a big update.

Brave Browser version 1.75 introduces "custom scriptlets," a new feature that allows advanced users to inject their own JavaScript into websites for enhanced customization, privacy, and usability. The feature is similar to the TamperMonkey and GreaseMonkey browser extensions, notes BleepingComputer. From the report: "Starting with desktop version 1.75, advanced Brave users will be able to write and inject their own scriptlets into a page, allowing for better control over their browsing experience," explained Brave in the announcement. Brave says that the feature was initially created to debug the browser's adblock feature but felt it was too valuable not to share with users. Brave's custom scriptlets feature can be used to modify webpages for a wide variety of privacy, security, and usability purposes.

For privacy-related changes, users write scripts that block JavaScript-based trackers, randomize fingerprinting APIs, and substitute Google Analytics scripts with a dummy version. In terms of customization and accessibility, the scriptlets could be used for hiding sidebars, pop-ups, floating ads, or annoying widgets, force dark mode even on sites that don't support it, expand content areas, force infinite scrolling, adjust text colors and font size, and auto-expand hidden content.

For performance and usability, the scriptlets can block video autoplay, lazy-load images, auto-fill forms with predefined data, enable custom keyboard shortcuts, bypass right-click restrictions, and automatically click confirmation dialogs. The possible actions achievable by injected JavaScript snippets are virtually endless. However, caution is advised, as running untrusted custom scriptlets may cause issues or even introduce some risk.

The Register's Thomas Claburn reports: Google's overhaul of Chrome's extension architecture continues to pose problems for developers of ad blockers, content filters, and privacy tools. [...] While Google's desire to improve the security, privacy, and performance of the Chrome extension platform is reasonable, its approach -- which focuses on code and permissions more than human oversight -- remains a work-in-progress that has left extension developers frustrated.

Alexei Miagkov, senior staff technology at the Electronic Frontier Foundation, who oversees the organization's Privacy Badger extension, told The Register, "Making extensions under MV3 is much harder than making extensions under MV2. That's just a fact. They made things harder to build and more confusing." Miagkov said with Privacy Badger the problem has been the slowness with which Google addresses gaps in the MV3 platform. "It feels like MV3 is here and the web extensions team at Google is in no rush to fix the frayed ends, to fix what's missing or what's broken still." According to Google's documentation, "There are currently no open issues considered a critical platform gap," and various issues have been addressed through the addition of new API capabilities.

Miagkov described an unresolved problem that means Privacy Badger is unable to strip Google tracking redirects on Google sites. "We can't do it the correct way because when Google engineers design the [chrome.declarativeNetRequest API], they fail to think of this scenario," he said. "We can do a redirect to get rid of the tracking, but it ends up being a broken redirect for a lot of URLs. Basically, if the URL has any kind of query string parameters -- the question mark and anything beyond that -- we will break the link." Miagkov said a Chrome developer relations engineer had helped identify a workaround, but it's not great. Miagkov thinks these problems are of Google's own making -- the company changed the rules and has been slow to write the new ones. "It was completely predictable because they moved the ability to fix things from extensions to themselves," he said. "And now they need to fix things and they're not doing it."

An anonymous reader quotes a report from The Record: Cybersecurity researchers have uncovered dozens of attacks that involve malicious updates for Chrome browser extensions, one week after a security firm was compromised in a similar incident. As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence (AI) tools and virtual private networks (VPNs), according to a report by ExtensionTotal, a platform that analyzes extensions listed on various marketplaces and public registries. These extensions, collectively used by roughly 2.6 million people, include third-party tools such as ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity and Internxt VPN. Some of the affected companies have already addressed the issue by removing the compromised extensions from the store or updating them, according to ExtensionTotal's analysis. [...]

It remains unclear whether all the compromised extensions are linked to the same threat actor. Security researchers warn that browser extensions "shouldn't be treated lightly," as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software. ExtensionTotal recommends that organizations use only pre-approved versions of extensions and ensure they remain unchanged and protected from malicious automatic updates. "Even when we trust the developer of an extension, it's crucial to remember that every version could be entirely different from the previous one," researchers said. "If the extension developer is compromised, the users are effectively compromised as well -- almost instantly."

Hackers have compromised several different companies' Chrome browser extensions in a series of intrusions dating back to mid-December, according to one of the victims and experts who have examined the campaign. From a report: Among the victims was the California-based Cyberhaven, a data protection company that confirmed the breach in a statement to Reuters on Friday. "Cyberhaven can confirm that a malicious cyberattack occurred on Christmas Eve, affecting our Chrome extension," the statement said.

It cited public comments from cybersecurity experts. These comments, said Cyberhaven, suggested that the attack was "part of a wider campaign to target Chrome extension developers across a wide range of companies." Cyberhaven added: "We are actively cooperating with federal law enforcement." The geographical extent of the hacks was not immediately clear.

An anonymous reader shares a report: If you're a fan of uBlock Origin, don't be surprised if it stops functioning on Chrome. The Google-owned browser has started disabling the free ad blocker as part of the company's plan to phase out older "Manifest V2" extensions. On Tuesday, the developer of uBlock Origin, Raymond Hill, retweeted a screenshot from one user, showing the Chrome browser disabling the ad blocker. "These extensions are no longer supported. Chrome recommends that you remove them," the pop-up from the Chrome browser told the user. In response, Hill wrote: "The depreciation of uBO in the Chrome Web Store has started."

Google is developing a version of Chrome for Android that supports browser extensions, a feature long absent from mobile versions, AndroidAuthority reports. The report adds: Specifically, the company is experimenting with "desktop" builds of Chrome for Android. These "desktop" builds are currently intended for Chromebooks as they transition to use more parts of Android, but there's hope the work will benefit mobile devices, too.

A New York federal court has ordered (PDF) the operators of shadow library LibGen to pay $30 million in copyright damages to publishers. The default judgment also comes with a broad injunction that affects third-party services including domain registries, browser extensions, CDN providers, IPFS gateways, advertisers, and more. These parties must restrict access to the pirate site. An anonymous reader quotes a report from TorrentFreak: Yesterday, U.S. District Court Judge Colleen McMahon granted the default judgment without any changes. The anonymous LibGen defendants are responsible for willful copyright infringement and their activities should be stopped. "Plaintiffs have been irreparably harmed as a result of Defendants' unlawful conduct and will continue to be irreparably harmed should Defendants be allowed to continue operating the Libgen Sites," the order reads. The order requires the defendants to pay the maximum statutory damages of $150,000 per work, a total of $30 million, for which they are jointly and severally liable. While this is a win on paper, it's unlikely that the publishers will get paid by the LibGen operators, who remain anonymous.

To address this concern, the publishers' motion didn't merely ask for $30 million in damages, they also demanded a broad injunction. Granted by the court yesterday, the injunction requires third-party services such as advertising networks, payment processors, hosting providers, CDN services, and IPFS gateways to restrict access to the site. [...] The injunction further targets "browser extensions" and "other tools" that are used to provide direct access to the LibGen Sites. While site blocking by residential Internet providers is mentioned in reference to other countries, ISP blocking is not part of the injunction itself. In addition to the broad measures outlined above, the order further requires domain name registrars and registries to disable or suspend all active LibGen domains, or alternatively, transfer them to the publishers. This includes Libgen.is, the most used domain name with 16 million monthly visits, as well as Libgen.rs, Libgen.li and many others.

At the moment, it's unclear how actively managed the LibGen site is, as it has shown signs of decay in recent years. However, when faced with domain seizures, sites typically respond by registering new domains. The publishers are aware of this risk. Therefore, they asked the court to cover future domain names too. The court signed off on this request, which means that newly registered domain names can be taken over as well; at least in theory. [...] All in all, the default judgment isn't just a monetary win, on paper, it's also one of the broadest anti-piracy injunctions we've seen from a U.S. court.