Tuesday, February 16, 2021

LinkedIn attempt at persistent device fingerprinting?

My firewall detected a UDP outbound connection from Firefox desktop (v85.0.2) when visiting the LinkedIn sign-in page: https://www.linkedin.com/login

Non-authoritative answer:
Addresses: 2a00:1450:400c:c0a::7f
I was interested to check the code that was making the request, because it doesn't show up in developer tools or uBlock's Logger (as far as I could see).
The request that delivered the js payload was: https://static-exp1.licdn.com/sc/h/6jblk5oqhlo45xbkmcr7s4zix
In the packed code was a reference to stun:stun.l.google.com:19302?transport=udp. I did an auto unpack with de4js and the UDP call is related to the static.getIPs method.
Packed code here for reference. Auto unpacked here.
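A UDP datagram like the one the firewall flagged can be confirmed as STUN by checking the captured payload against the RFC 5389 header layout; a binding-success reply also shows the public address the STUN server reported back to the client. This is an added example, not code from the LinkedIn script or fingerprintjs, and the sample packets, transaction id and the address 203.0.113.7:54321 are constructed:

```javascript
// STUN header (RFC 5389): type(2) | length(2) | magic cookie(4) | transaction id(12)
const MAGIC_COOKIE = 0x2112a442;
const TYPES = { 0x0001: 'binding-request', 0x0101: 'binding-success' };
const XOR_MAPPED_ADDRESS = 0x0020;

// Returns null when the payload is not STUN, otherwise { type, mappedAddress }.
function parseStun(bytes) {
  if (bytes.length < 20) return null;
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const type = view.getUint16(0);
  const length = view.getUint16(2);
  // The top two type bits are 0, the length is a multiple of 4, the cookie is fixed.
  if ((type & 0xc000) !== 0 || length % 4 !== 0) return null;
  if (view.getUint32(4) !== MAGIC_COOKIE || 20 + length > bytes.length) return null;
  const msg = { type: TYPES[type] || 'other', mappedAddress: null };
  // Attributes follow the header: type(2) | length(2) | value, padded to 4 bytes.
  const end = 20 + length;
  let off = 20;
  while (off + 4 <= end) {
    const attrType = view.getUint16(off);
    const attrLen = view.getUint16(off + 2);
    if (off + 4 + attrLen > end) return null; // truncated attribute
    const isIPv4 = attrLen >= 8 && view.getUint8(off + 5) === 0x01;
    if (attrType === XOR_MAPPED_ADDRESS && isIPv4) {
      // The port is XORed with the cookie's top 16 bits, the address with the cookie.
      const port = view.getUint16(off + 6) ^ (MAGIC_COOKIE >>> 16);
      const addr = (view.getUint32(off + 8) ^ MAGIC_COOKIE) >>> 0;
      const ip = [24, 16, 8, 0].map((s) => (addr >>> s) & 0xff).join('.');
      msg.mappedAddress = { ip, port };
    }
    off += 4 + attrLen + ((4 - (attrLen % 4)) % 4);
  }
  return msg;
}

// Constructed sample payloads (not captured traffic).
const fromHex = (h) => Uint8Array.from(h.match(/../g), (b) => parseInt(b, 16));
const TXID = '0102030405060708090a0b0c';
const SAMPLE_REQUEST = fromHex('00010000' + '2112a442' + TXID);
const SAMPLE_RESPONSE = fromHex('0101000c' + '2112a442' + TXID + '00200008' + '0001f523' + 'ea12d545');
const NOT_STUN = fromHex('00010000' + 'deadbeef' + TXID); // wrong magic cookie

console.log(parseStun(SAMPLE_REQUEST), parseStun(SAMPLE_RESPONSE), parseStun(NOT_STUN));
```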
I'm not sure why LinkedIn is executing this code on clients. There were some potentially questionable ethics in the js. For example: static.getAdBlock, static.incognitoKey and static.doNotTrackKey.
Looks like this is a fingerprinting script that might belong to or relate to fingerprintjs. Here is an older commit showing very similar code to the packed version I found on LinkedIn CDN.
Makes a website visitor identifier from a browser fingerprint. Unlike cookies and local storage, fingerprint stays the same in incognito/private mode and even when browser data is purged. 
Niiice. 😲🤮