Corey Prophitt


LinkedIn's Exfiltration Gambit

···

What did I find?

LinkedIn is actively spraying their users' browser with web requests and dom queries in an attempt to determine if certain browser extensions are installed. The data is then exfiltrated back to LinkedIn.

It is not clear what the data is used for or how it is used by LinkedIn. However, it is clear LinkedIn is targeting certain sales and recruiting tools. It is also common knowledge in the sales and recruiting communities that LinkedIn restricts or outright bans accounts based on the use of unapproved tools.

LinkedIn is within their right to detect malicious user behavior and take action. However, the means they are employing are problematic for a number of reasons:

  1. LinkedIn doesn't verify you are actually using the extension, they only check if the extension is currently installed and/or enabled.
  2. A number of the tools LinkedIn does not allow have legitimate uses and can be used on public web pages.
  3. The exfiltrated data could be further used for nefarious things such as browser finger printing.

Furthermore, the methods employed by LinkedIn to detect extensions take advantage of developer oversights and browser extension limitations. This comes across as shady to me.

Unraveling the Mystery

I was initially turned on to LinkedIn's data exfiltration when I noticed a large number of failed web requests while visiting a LinkedIn profile. Initially, I thought my adblocker was blocking network requests. However, upon a closer look I noticed the web requests were not being sent across the web. They were actually being sent locally, to the browser itself. This can be seen clearly when viewing the network request's path. The paths were all being made using Chrome's own extension protocol. All requests began with chrome-extension://.

For the uninitiated, the Chrome extension protocol is used to make web requests directly to an installed browser extension. Typically, this is used by the extension itself to retrieve resources or assets. However, any resources listed in an extension's manifest under the "web_accessible_resources" key are available to all web page contexts. Ironically, this section of the manifest was designed to minimize browser fingerprinting and protect the privacy of the extension user. Here's an excerpt directly from Google's own documentation regarding the web accessible resources:

Prior to manifest version 2 all resources within an extension could be accessed from any page on the web. This allowed a malicious website to fingerprint the extensions that a user has installed or exploit vulnerabilities (for example XSS bugs) within installed extensions. Limiting availability to only resources which are explicitly intended to be web accessible serves to both minimize the available attack surface and protect the privacy of users.

Unfortunately, Google's changes only minimized the attack surface and did not prevent browser fingerprinting or privacy violations. It is this very issue that is leveraged by LinkedIn to identify installed extensions.

My curiosity got the best of me and I set out to learn more about how LinkedIn was performing the scan and what they were doing with the data.

Eeny, Meeny, Miny, Moe

The sheer number of Chrome extension web requests performed by LinkedIn were staggering. I began to wonder how they were storing all of the extension information in order to make those web requests. The hunt began.

Initially, I jotted down a few of the unique extension ids in hopes of finding references to them. I looked for any reference to the ids within LinkedIn's web responses but I had no luck. I looked within LinkedIn's web resources and code, but again I had no luck. Another idea crossed my mind; Maybe they were hiding the extension information in their cookies or local storage?

My hunch led me to LinkedIn's local storage and a curious key, C_C_M. The value for the key was a large, seemingly random set of characters seen below:

eyJcdTAwNDNcdTAwNmZcdTAwNmVcdTAwNjZcdTAwNjlcdTAwNjciOnsiXHUwMDYxXHUwMDc1XHUwMDc0XHUwMDZmXHUwMDU1XHUwMDcwXHUwMDY0XHUwMDYxXHUwMDc0XHUwMDY1Ijp0cnVlLCJcdTAwNjFcdTAwNzVcdTAwNzRcdTAwNmZcdTAwNDVcdTAwNzhcdTAwNjVcdTAwNjNcdTAwNzVcdTAwNzRcdTAwNjUiOnRydWUsIlx1MDA2NVx1MDA3OFx1MDA2NVx1MDA2M1x1MDA3NVx1MDA3NFx1MDA2NVx1MDA0OVx1MDA2ZVx1MDA3NFx1MDA2NVx1MDA3Mlx1MDA3Nlx1MDA2MVx1MDA2YyI6MTgwMDAwMCwiXHUwMDY1XHUwMDZlXHUwMDYxXHUwMDYyXHUwMDZjXHUwMDY1Ijp0cnVlLCJcdTAwNjVcdTAwNzhcdTAwNjVcdTAwNjNcdTAwNzVcdTAwNzRcdTAwNjUiOmZhbHNlLCJcdTAwNjRcdTAwNmZcdTAwNmRcdTAwNTNcdTAwNjNcdTAwNjFcdTAwNmUiOnRydWUsIlx1MDA2NFx1MDA2Zlx1MDA2ZFx1MDA1M1x1MDA2M1x1MDA2MVx1MDA2ZVx1MDA1NFx1MDA2OVx1MDA2ZFx1MDA2NVx1MDA2Zlx1MDA3NVx1MDA3NCI6MTAwLCJcdTAwNzBcdTAwNjFcdTAwNzRcdTAwNjhcdTAwNTNcdTAwNjNcdTAwNjFcdTAwNmUiOnRydWUsIlx1MDA3MFx1MDA2MVx1MDA3NFx1MDA2OFx1MDA1M1x1MDA2M1x1MDA2MVx1MDA2ZVx1MDA1NFx1MDA2OVx1MDA2ZFx1MDA2NVx1MDA2Zlx1MDA3NVx1MDA3NCI6MTAwLCJcdTAwNjlcdTAwNmVcdTAwNjlcdTAwNzQiOjIyMjAwMDB9LCJcdTAwNGRcdTAwNjVcdTAwNzRcdTAwNjFcdTAwNjRcdTAwNjFcdTAwNzRcdTAwNjEiOnsiXHUwMDY1XHUwMDc4XHUwMDc0IjpbeyJcdTAwNmVcdTAwNjFcdTAwNmRcdTAwNjUiOiJcdTAwNmFcdTAwNGZcdTAwNjRcdTAwNjZcdTAwNDNcdTAwNjFcdTAwNTdcdTAwNDhcdTAwNzkiLCJcdTAwNjlcdTAwNmVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwNzZcdTAwNjFcdTAwNmMiOjM2MDAwMDAsIlx1MDA2NFx1MDA2MVx1MDA3NFx1MDA2NSI6MCwiXHUwMDc0XHUwMDZmXHUwMDcwXHUwMDUwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA3MFx1MDA3Mlx1MDA2Zlx1MDA2Nlx1MDA2OVx1MDA2Y1x1MDA2NSIsIlx1MDA3Mlx1MDA2NVx1MDA2M1x1MDA3Mlx1MDA3NVx1MDA2OVx1MDA3NFx1MDA2NVx1MDA3MiJdLCJcdTAwNjRcdTAwNmZcdTAwNmQiOnsiXHUwMDczXHUwMDY1XHUwMDZjXHUwMDY1XHUwMDYzXHUwMDc0XHUwMDZmXHUwMDcyIjpbIlx1MDAyZVx1MDA3M1x1MDA2MVx1MDA2Y1x1MDA2NVx1MDA3M1x1MDA2Y1x1MDA2Zlx1MDA2Nlx1MDA3NFx1MDAyZFx1MDA2Y1x1MDA2Zlx1MDA2N1x1MDA2ZiJdfSwiXHUwMDcwXHUwMDYxXHUwMDc0XHUwMDY4IjpbXX0seyJcdTAwNmVcdTAwNjFcdTAwNmRcdTAwNjUiOiJcdTAwNmFcdTAwNGZcdTAwNjRcdTAwNjZcdTAwNDNcdTAwNjFcdTAwNTdcdTAwNDhcdTAwNzlcdTAwNDlcdTAwNGZcdTAwNzZcdTAwNjZcdTAwNThcdTAwNDdcdTAwNjYiLCJcdTAwNjlcdTAwNmVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwNzZcdTAwNjFcdTAwNmMiOjg2NDAwMDAwLCJcdTAwNjRcdTAwNjFcdTAwNzRcdTAwNjUiOjAsIlx1MDA3NFx1MDA2Zlx1MDA3MFx1MDA1MFx1MDA2MVx1MDA3NFx1MDA2OCI6WyJcdTAwNzBcdTAwNzJcdTAwNmZcdTAwNjZcdTAwNjlcdTAwNmNcdTAwNjUiLCJcdTAwNzJcdTAwNjVcdTAwNjNcdTAwNzJcdTAwNzVcdTAwNjlcdTAwNzRcdTAwNjVcdTAwNzIiXSwiXHUwMDY0XHUwMDZmXHUwMDZkIjp7Ilx1MDA3M1x1MDA2NVx1MDA2Y1x1MDA2NVx1MDA2M1x1MDA3NFx1MDA2Zlx1MDA3MiI6W119LCJcdTAwNzBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDYzXHUwMDY2XHUwMDY2XHUwMDY3XHUwMDZhXHUwMDY3XHUwMDY5XHUwMDY3XHUwMDZhXHUwMDY2XHUwMDY3XHUwMDZhXHUwMDZiXHUwMDY2XHUwMDY0XHUwMDZmXHUwMDcwXHUwMDYyXHUwMDZmXHUwMDYyXHUwMDYyXHUwMDY0XHUwMDYxXHUwMDY0XHUwMDYxXHUwMDY1XHUwMDZjXHUwMDYyXHUwMDY4XHUwMDY1XHUwMDcwXHUwMDZmXHUwMDJmXHUwMDY5XHUwMDZkXHUwMDYxXHUwMDY3XHUwMDY1XHUwMDczXHUwMDJmXHUwMDY5XHUwMDYzXHUwMDZmXHUwMDZlXHUwMDJlMTI4XHUwMDJlXHUwMDcwXHUwMDZlXHUwMDY3Il19LHsiXHUwMDZlXHUwMDYxXHUwMDZkXHUwMDY1IjoiXHUwMDc3XHUwMDQ0XHUwMDQzXHUwMDQ3XHUwMDU3XHUwMDRiXHUwMDY2XHUwMDczXHUwMDY0XHUwMDVhIiwiXHUwMDY5XHUwMDZlXHUwMDc0XHUwMDY1XHUwMDcyXHUwMDc2XHUwMDYxXHUwMDZjIjo4NjQwMDAwMCwiXHUwMDY0XHUwMDYxXHUwMDc0XHUwMDY1IjowLCJcdTAwNzRcdTAwNmZcdTAwNzBcdTAwNTBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDcwXHUwMDcyXHUwMDZmXHUwMDY2XHUwMDY5XHUwMDZjXHUwMDY1IiwiXHUwMDcyXHUwMDY1XHUwMDYzXHUwMDcyXHUwMDc1XHUwMDY5XHUwMDc0XHUwMDY1XHUwMDcyIl0sIlx1MDA2NFx1MDA2Zlx1MDA2ZCI6eyJcdTAwNzNcdTAwNjVcdTAwNmNcdTAwNjVcdTAwNjNcdTAwNzRcdTAwNmZcdTAwNzIiOlsiXHUwMDIzXHUwMDY0XHUwMDZjXHUwMDc5XHUwMDVmXHUwMDY5XHUwMDYzXHUwMDZmXHUwMDZlXHUwMDVmXHUwMDYxXHUwMDcyXHUwMDY1XHUwMDYxIl19LCJcdTAwNzBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDY0XHUwMDY5XHUwMDZhXHUwMDY4XHUwMDYzXHUwMDcwXHUwMDYyXHUwMDZiXHUwMDYxXHUwMDZjXHUwMDY2XHUwMDY3XHUwMDZiXHUwMDYzXHUwMDY1XHUwMDYyXHUwMDY3XHUwMDZmXHUwMDZlXHUwMDYzXHUwMDZhXHUwMDZkXHUwMDY2XHUwMDcwXHUwMDYyXHUwMDYxXHUwMDZkXHUwMDY5XHUwMDY4XHUwMDY3XHUwMDYxXHUwMDY2XHUwMDJmXHUwMDZjXHUwMDY5XHUwMDVmXHUwMDczXHUwMDZmXHUwMDYzXHUwMDY5XHUwMDYxXHUwMDZjXHUwMDVmXHUwMDcwXHUwMDZjXHUwMDc1XHUwMDY3XHUwMDY5XHUwMDZlXHUwMDJlXHUwMDYzXHUwMDczXHUwMDczIl19LHsiXHUwMDZlXHUwMDYxXHUwMDZkXHUwMDY1IjoiXHUwMDUwXHUwMDQ3XHUwMDRkXHUwMDU2XHUwMDQ0XHUwMDczXHUwMDY2IiwiXHUwMDY5XHUwMDZlXHUwMDc0XHUwMDY1XHUwMDcyXHUwMDc2XHUwMDYxXHUwMDZjIjozNjAwMDAwLCJcdTAwNjRcdTAwNjFcdTAwNzRcdTAwNjUiOjAsIlx1MDA3NFx1MDA2Zlx1MDA3MFx1MDA1MFx1MDA2MVx1MDA3NFx1MDA2OCI6WyJcdTAwNzBcdTAwNzJcdTAwNmZcdTAwNjZcdTAwNjlcdTAwNmNcdTAwNjUiLCJcdTAwNzJcdTAwNjVcdTAwNjNcdTAwNzJcdTAwNzVcdTAwNjlcdTAwNzRcdTAwNjVcdTAwNzIiXSwiXHUwMDY0XHUwMDZmXHUwMDZkIjp7Ilx1MDA3M1x1MDA2NVx1MDA2Y1x1MDA2NVx1MDA2M1x1MDA3NFx1MDA2Zlx1MDA3MiI6WyJcdTAwMmVcdTAwNjVcdTAwNjNcdTAwNzFcdTAwNzVcdTAwNjlcdTAwNzJcdTAwNjVcdTAwMmRcdTAwNjJcdTAwNzVcdTAwNzRcdTAwNzRcdTAwNmZcdTAwNmUiXX0sIlx1MDA3MFx1MDA2MVx1MDA3NFx1MDA2OCI6W119LHsiXHUwMDZlXHUwMDYxXHUwMDZkXHUwMDY1IjoiXHUwMDUwXHUwMDc4XHUwMDQzXHUwMDc5XHUwMDRmXHUwMDRjXHUwMDU2XHUwMDY0XHUwMDY0XHUwMDQ2XHUwMDU3XHUwMDczXHUwMDU4IiwiXHUwMDY5XHUwMDZlXHUwMDc0XHUwMDY1XHUwMDcyXHUwMDc2XHUwMDYxXHUwMDZjIjo4NjQwMDAwMCwiXHUwMDY0XHUwMDYxXHUwMDc0XHUwMDY1IjowLCJcdTAwNzRcdTAwNmZcdTAwNzBcdTAwNTBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDcwXHUwMDcyXHUwMDZmXHUwMDY2XHUwMDY5XHUwMDZjXHUwMDY1IiwiXHUwMDcyXHUwMDY1XHUwMDYzXHUwMDcyXHUwMDc1XHUwMDY5XHUwMDc0XHUwMDY1XHUwMDcyIl0sIlx1MDA2NFx1MDA2Zlx1MDA2ZCI6eyJcdTAwNzNcdTAwNjVcdTAwNmNcdTAwNjVcdTAwNjNcdTAwNzRcdTAwNmZcdTAwNzIiOlsiXHUwMDIzXHUwMDY1XHUwMDYyXHUwMDczXHUwMDc0XHUwMDYxXHUwMDYyXHUwMDYxXHUwMDcyIl19LCJcdTAwNzBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDYyXHUwMDZlXHUwMDY1XHUwMDY1XHUwMDcwXHUwMDZlXHUwMDY3XHUwMDYyXHUwMDZkXHUwMDY0XHUwMDZlXHUwMDZhXHUwMDZmXHUwMDY0XHUwMDYxXHUwMDYzXHUwMDY1XHUwMDY1XHUwMDY2XHUwMDY2XHUwMDYzXHUwMDZmXHUwMDY0XHUwMDY5XHUwMDZmXHUwMDZlXHUwMDY2XHUwMDcwXHUwMDY4XHUwMDY3XHUwMDYzXHUwMDYyXHUwMDJmXHUwMDYzXHUwMDczXHUwMDczXHUwMDJmXHUwMDZkXHUwMDYxXHUwMDY5XHUwMDZlXHUwMDJlXHUwMDYzXHUwMDczXHUwMDczIl19LHsiXHUwMDZlXHUwMDYxXHUwMDZkXHUwMDY1IjoiXHUwMDUwXHUwMDc4XHUwMDQzXHUwMDc5XHUwMDRmXHUwMDZhXHUwMDRmXHUwMDY0XHUwMDY2XHUwMDQzXHUwMDQ4XHUwMDU3XHUwMDczXHUwMDQ3XHUwMDY2IiwiXHUwMDY5XHUwMDZlXHUwMDc0XHUwMDY1XHUwMDcyXHUwMDc2XHUwMDYxXHUwMDZjIjo4NjQwMDAwMCwiXHUwMDY0XHUwMDYxXHUwMDc0XHUwMDY1IjowLCJcdTAwNzRcdTAwNmZcdTAwNzBcdTAwNTBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDcwXHUwMDcyXHUwMDZmXHUwMDY2XHUwMDY5XHUwMDZjXHUwMDY1IiwiXHUwMDcyXHUwMDY1XHUwMDYzXHUwMDcyXHUwMDc1XHUwMDY5XHUwMDc0XHUwMDY1XHUwMDcyIl0sIlx1MDA2NFx1MDA2Zlx1MDA2ZCI6eyJcdTAwNzNcdTAwNjVcdTAwNmNcdTAwNjVcdTAwNjNcdTAwNzRcdTAwNmZcdTAwNzIiOlsiXHUwMDJlXHUwMDY1XHUwMDYyXHUwMDczXHUwMDc0XHUwMDYxXHUwMDYyXHUwMDYxXHUwMDcyIl19LCJcdTAwNzBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDY3XHUwMDY1XHUwMDZkXHUwMDYzXHUwMDY3XHUwMDZlXHUwMDZiXHUwMDY3XHUwMDY4XHUwMDcwXHUwMDZlXHUwMDY2XHUwMDYyXHUwMDZkXHUwMDZjXHUwMDY2XHUwMDY5XHUwMDZkXHUwMDY0XHUwMDYyXHUwMDY0XHUwMDY3XHUwMDY2XHUwMDY1XHUwMDcwXHUwMDYzXHUwMDY3XHUwMDY1XHUwMDZlXHUwMDcwXHUwMDY4XHUwMDY2XHUwMDJmXHUwMDYzXHUwMDczXHUwMDczXHUwMDJmXHUwMDZkXHUwMDYxXHUwMDY5XHUwMDZlXHUwMDJlXHUwMDYzXHUwMDczXHUwMDczIl19LHsiXHUwMDZlXHUwMDYxXHUwMDZkXHUwMDY1IjoiXHUwMDU1XHUwMDQ0XHUwMDY0XHUwMDc2IiwiXHUwMDY5XHUwMDZlXHUwMDc0XHUwMDY1XHUwMDcyXHUwMDc2XHUwMDYxXHUwMDZjIjozNjAwMDAwLCJcdTAwNjRcdTAwNjFcdTAwNzRcdTAwNjUiOjAsIlx1MDA3NFx1MDA2Zlx1MDA3MFx1MDA1MFx1MDA2MVx1MDA3NFx1MDA2OCI6WyJcdTAwNzBcdTAwNzJcdTAwNmZcdTAwNjZcdTAwNjlcdTAwNmNcdTAwNjUiLCJcdTAwNzJcdTAwNjVcdTAwNjNcdTAwNzJcdTAwNzVcdTAwNjlcdTAwNzRcdTAwNjVcdTAwNzIiXSwiXHUwMDY0XHUwMDZmXHUwMDZkIjp7Ilx1MDA3M1x1MDA2NVx1MDA2Y1x1MDA2NVx1MDA2M1x1MDA3NFx1MDA2Zlx1MDA3MiI6WyJcdTAwMmVcdTAwNjdcdTAwNjlcdTAwNmNcdTAwNjRcdTAwMmRcdTAwNmNcdTAwNmZcdTAwNjdcdTAwNmYiXX0sIlx1MDA3MFx1MDA2MVx1MDA3NFx1MDA2OCI6W119LHsiXHUwMDZlXHUwMDYxXHUwMDZkXHUwMDY1IjoiXHUwMDZmXHUwMDczXHUwMDU3XHUwMDUzXHUwMDY2XHUwMDY0XHUwMDU0XHUwMDcxIiwiXHUwMDY5XHUwMDZlXHUwMDc0XHUwMDY1XHUwMDcyXHUwMDc2XHUwMDYxXHUwMDZjIjo4NjQwMDAwMCwiXHUwMDY0XHUwMDYxXHUwMDc0XHUwMDY1IjowLCJcdTAwNzRcdTAwNmZcdTAwNzBcdTAwNTBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDcwXHUwMDcyXHUwMDZmXHUwMDY2XHUwMDY5XHUwMDZjXHUwMDY1IiwiXHUwMDcyXHUwMDY1XHUwMDYzXHUwMDcyXHUwMDc1XHUwMDY5XHUwMDc0XHUwMDY1XHUwMDcyIl0sIlx1MDA2NFx1MDA2Zlx1MDA2ZCI6eyJcdTAwNzNcdTAwNjVcdTAwNmNcdTAwNjVcdTAwNjNcdTAwNzRcdTAwNmZcdTAwNzIiOltdfSwiXHUwMDcwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA2ZFx1MDA2NFx1MDA2Mlx1MDA2MVx1MDA2OVx1MDA2ZFx1MDA2N1x1MDA2OFx1MDA2Zlx1MDA2N1x1MDA2Ylx1MDA2N1x1MDA2Nlx1MDA3MFx1MDA2Ylx1MDA2N1x1MDA2ZFx1MDA2YVx1MDA2Nlx1MDA2Mlx1MDA2Ylx1MDA2YVx1MDA2ZVx1MDA2YVx1MDA2MVx1MDA2ZFx1MDA2OFx1MDA2Ylx1MDA2Mlx1MDA2ZVx1MDA2ZFx1MDA2ZFx1MDAyZlx1MDA2OVx1MDA2M1x1MDA2Zlx1MDA2ZVx1MDA1Zlx1MDA2Y1x1MDA2OVx1MDA2ZVx1MDA2Ylx1MDA2NVx1MDA2NFx1MDA2OVx1MDA2ZVx1MDAyZVx1MDA3MFx1MDA2ZVx1MDA2NyJdfSx7Ilx1MDA2ZVx1MDA2MVx1MDA2ZFx1MDA2NSI6Ilx1MDA2Zlx1MDA3M1x1MDA1N1x1MDA0M1x1MDA1M1x1MDA2Nlx1MDA0N1x1MDA3OVx1MDA2ZVx1MDA0NFx1MDA0Ylx1MDA2NiIsIlx1MDA2OVx1MDA2ZVx1MDA3NFx1MDA2NVx1MDA3Mlx1MDA3Nlx1MDA2MVx1MDA2YyI6ODY0MDAwMDAsIlx1MDA2NFx1MDA2MVx1MDA3NFx1MDA2NSI6MCwiXHUwMDc0XHUwMDZmXHUwMDcwXHUwMDUwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA3MFx1MDA3Mlx1MDA2Zlx1MDA2Nlx1MDA2OVx1MDA2Y1x1MDA2NSIsIlx1MDA3Mlx1MDA2NVx1MDA2M1x1MDA3Mlx1MDA3NVx1MDA2OVx1MDA3NFx1MDA2NVx1MDA3MiJdLCJcdTAwNjRcdTAwNmZcdTAwNmQiOnsiXHUwMDczXHUwMDY1XHUwMDZjXHUwMDY1XHUwMDYzXHUwMDc0XHUwMDZmXHUwMDcyIjpbIlx1MDAyM1x1MDA2ZFx1MDA3OVx1MDAyZFx1MDA2Mlx1MDA2Zlx1MDA3OCJdfSwiXHUwMDcwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA2N1x1MDA2YVx1MDA2MVx1MDA2Mlx1MDA2Y1x1MDA2Ylx1MDA2Zlx1MDA2MVx1MDA2NFx1MDA2M1x1MDA2YVx1MDA2N1x1MDA2NFx1MDA2NFx1MDA2YVx1MDA2M1x1MDA2ZFx1MDA2Zlx1MDA2N1x1MDA2ZFx1MDA2MVx1MDA2Ylx1MDA2YVx1MDA2ZFx1MDA2NFx1MDA2NFx1MDA2N1x1MDA2Zlx1MDA3MFx1MDA2YVx1MDA2M1x1MDA3MFx1MDAyZlx1MDA2OVx1MDA2M1x1MDA2Zlx1MDA2ZVx1MDAyZVx1MDA3MFx1MDA2ZVx1MDA2NyJdfSx7Ilx1MDA2ZVx1MDA2MVx1MDA2ZFx1MDA2NSI6Ilx1MDA1OVx1MDA0Zlx1MDA2NFx1MDA2Nlx1MDA1OFx1MDA3OVx1MDA0Y1x1MDA0NFx1MDA1OCIsIlx1MDA2OVx1MDA2ZVx1MDA3NFx1MDA2NVx1MDA3Mlx1MDA3Nlx1MDA2MVx1MDA2YyI6ODY0MDAwMDAsIlx1MDA2NFx1MDA2MVx1MDA3NFx1MDA2NSI6MCwiXHUwMDc0XHUwMDZmXHUwMDcwXHUwMDUwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA3MFx1MDA3Mlx1MDA2Zlx1MDA2Nlx1MDA2OVx1MDA2Y1x1MDA2NSIsIlx1MDA3Mlx1MDA2NVx1MDA2M1x1MDA3Mlx1MDA3NVx1MDA2OVx1MDA3NFx1MDA2NVx1MDA3MiJdLCJcdTAwNjRcdTAwNmZcdTAwNmQiOnsiXHUwMDczXHUwMDY1XHUwMDZjXHUwMDY1XHUwMDYzXHUwMDc0XHUwMDZmXHUwMDcyIjpbIlx1MDAyM1x1MDA3NFx1MDA2Mlx1MDA2ZVx1MDAyZFx1MDA3M1x1MDA2OVx1MDA2NFx1MDA2NVx1MDA2Mlx1MDA2MVx1MDA3Mlx1MDAyZFx1MDA3NFx1MDA2MVx1MDA2MiJdfSwiXHUwMDcwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA3MFx1MDA3MFx1MDA2Zlx1MDA2ZFx1MDA2Nlx1MDA3MFx1MDA2NVx1MDA2OFx1MDA2Ylx1MDA2Nlx1MDA2NFx1MDA2Ylx1MDA2Zlx1MDA2N1x1MDA2Mlx1MDA2Y1x1MDA2Zlx1MDA2MVx1MDA2YVx1MDA2N1x1MDA2YVx1MDA2Y1x1MDA2Y1x1MDA2Zlx1MDA2ZVx1MDA2YVx1MDA2Y1x1MDA2ZVx1MDA2YVx1MDA2NFx1MDA2NVx1MDA2OFx1MDAyZlx1MDA2OVx1MDA2ZFx1MDA2N1x1MDAyZlx1MDA3NFx1MDA2MVx1MDA2Y1x1MDA2NVx1MDA2ZVx1MDA3NFx1MDA2Mlx1MDA2OVx1MDA2ZVx1MDAyZVx1MDA3MFx1MDA2ZVx1MDA2NyJdfSx7Ilx1MDA2ZVx1MDA2MVx1MDA2ZFx1MDA2NSI6Ilx1MDA0OVx1MDA1N1x1MDA1OFx1MDA1OFx1MDA2Nlx1MDA0N1x1MDA3OVx1MDA0NFx1MDA0OFx1MDA0NFx1MDA2Nlx1MDA3M1x1MDA0OVx1MDA0Nlx1MDA3M1x1MDA1N1x1MDA2OFx1MDA2NiIsIlx1MDA2OVx1MDA2ZVx1MDA3NFx1MDA2NVx1MDA3Mlx1MDA3Nlx1MDA2MVx1MDA2YyI6ODY0MDAwMDAsIlx1MDA2NFx1MDA2MVx1MDA3NFx1MDA2NSI6MCwiXHUwMDc0XHUwMDZmXHUwMDcwXHUwMDUwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA3MFx1MDA3Mlx1MDA2Zlx1MDA2Nlx1MDA2OVx1MDA2Y1x1MDA2NSIsIlx1MDA3Mlx1MDA2NVx1MDA2M1x1MDA3Mlx1MDA3NVx1MDA2OVx1MDA3NFx1MDA2NVx1MDA3MiJdLCJcdTAwNjRcdTAwNmZcdTAwNmQiOnsiXHUwMDczXHUwMDY1XHUwMDZjXHUwMDY1XHUwMDYzXHUwMDc0XHUwMDZmXHUwMDcyIjpbIlx1MDAyM1x1MDA2M1x1MDAyZFx1MDA3M1x1MDA2OVx1MDA2NFx1MDA2NVx1MDAyZFx1MDA2M1x1MDA2Y1x1MDA2Zlx1MDA3M1x1MDA2NVx1MDAyZFx1MDA2NFx1MDA2OVx1MDA3NiJdfSwiXHUwMDcwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA2ZFx1MDA2Mlx1MDA2Mlx1MDA3MFx1MDA2YVx1MDA2N1x1MDA2ZVx1MDA2Y1x1MDA3MFx1MDA2NVx1MDA2Y1x1MDA2MVx1MDA2MVx1MDA2Nlx1MDA2ZVx1MDA2ZVx1MDA2OVx1MDA2N1x1MDA2M1x1MDA2OVx1MDA2NVx1MDA2N1x1MDA2Nlx1MDA3MFx1MDA2NVx1MDA2Y1x1MDA2M1x1MDA2OFx1MDA2YVx1MDA2Y1x1MDA2NFx1MDA2Y1x1MDAyZlx1MDA3Nlx1MDA2OVx1MDA2NVx1MDA3N1x1MDA3M1x1MDAyZlx1MDA3M1x1MDA2OVx1MDA2NFx1MDA2NVx1MDA2Mlx1MDA2MVx1MDA3Mlx1MDAyZFx1MDA2Nlx1MDA3Mlx1MDA2MVx1MDA2ZFx1MDA2NVx1MDAyZVx1MDA2OFx1MDA3NFx1MDA2ZFx1MDA2YyJdfSx7Ilx1MDA2ZVx1MDA2MVx1MDA2ZFx1MDA2NSI6Ilx1MDA0OVx1MDA1N1x1MDA1OFx1MDA1OFx1MDA2Nlx1MDA0N1x1MDA3OVx1MDA0NFx1MDA0OFx1MDA0NFx1MDA2Nlx1MDA3M1x1MDA0Mlx1MDA0NFx1MDA3M1x1MDA2Nlx1MDA0OFx1MDA1N1x1MDA2ZCIsIlx1MDA2OVx1MDA2ZVx1MDA3NFx1MDA2NVx1MDA3Mlx1MDA3Nlx1MDA2MVx1MDA2YyI6MzYwMDAwMCwiXHUwMDY0XHUwMDYxXHUwMDc0XHUwMDY1IjowLCJcdTAwNzRcdTAwNmZcdTAwNzBcdTAwNTBcdTAwNjFcdTAwNzRcdTAwNjgiOlsiXHUwMDcwXHUwMDcyXHUwMDZmXHUwMDY2XHUwMDY5XHUwMDZjXHUwMDY1IiwiXHUwMDcyXHUwMDY1XHUwMDYzXHUwMDcyXHUwMDc1XHUwMDY5XHUwMDc0XHUwMDY1XHUwMDcyIl0sIlx1MDA2NFx1MDA2Zlx1MDA2ZCI6eyJcdTAwNzNcdTAwNjVcdTAwNmNcdTAwNjVcdTAwNjNcdTAwNzRcdTAwNmZcdTAwNzIiOlsiXHUwMDIzXHUwMDYzXHUwMDZmXHUwMDZlXHUwMDZlXHUwMDY1XHUwMDYzXHUwMDc0XHUwMDY5XHUwMDY2XHUwMDY5XHUwMDY1XHUwMDcyXHUwMDJkXHUwMDZjXHUwMDZmXHUwMDY3XHUwMDZmIl19LCJcdTAwNzBcdTAwNjFcdTAwNzRcdTAwNjgiOltdfSx7Ilx1MDA2ZVx1MDA2MVx1MDA2ZFx1MDA2NSI6Ilx1MDA1MFx1MDA1OFx1MDA3OVx1MDA2Nlx1MDA2NFx1MDA1NyIsIlx1MDA2OVx1MDA2ZVx1MDA3NFx1MDA2NVx1MDA3Mlx1MDA3Nlx1MDA2MVx1MDA2YyI6ODY0MDAwMDAsIlx1MDA2NFx1MDA2MVx1MDA3NFx1MDA2NSI6MCwiXHUwMDc0XHUwMDZmXHUwMDcwXHUwMDUwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA3MFx1MDA3Mlx1MDA2Zlx1MDA2Nlx1MDA2OVx1MDA2Y1x1MDA2NSIsIlx1MDA3Mlx1MDA2NVx1MDA2M1x1MDA3Mlx1MDA3NVx1MDA2OVx1MDA3NFx1MDA2NVx1MDA3MiJdLCJcdTAwNjRcdTAwNmZcdTAwNmQiOnsiXHUwMDczXHUwMDY1XHUwMDZjXHUwMDY1XHUwMDYzXHUwMDc0XHUwMDZmXHUwMDcyIjpbIlx1MDAyM1x1MDA2NVx1MDA2ZVx1MDA3NFx1MDA2NVx1MDA2Y1x1MDA2Zlx1MDAyZFx1MDA2NVx1MDA3OFx1MDA3NFx1MDA2NVx1MDA2ZVx1MDA3M1x1MDA2OVx1MDA2Zlx1MDA2ZSJdfSwiXHUwMDcwXHUwMDYxXHUwMDc0XHUwMDY4IjpbIlx1MDA2ZVx1MDA2Zlx1MDA2N1x1MDA2NFx1MDA3MFx1MDA3MFx1MDA2Ylx1MDA2YVx1MDA2OFx1MDA2NFx1MDA2ZVx1MDA2Y1x1MDA3MFx1MDA2Ylx1MDA2Mlx1MDA2Mlx1MDA2NFx1MDA2Mlx1MDA2N1x1MDA3MFx1MDA2ZFx1MDA2NVx1MDA2Ylx1MDA2ZFx1MDA2Mlx1MDA2Nlx1MDA3MFx1MDA2Ylx1MDA2Ylx1MDA2Zlx1MDA2N1x1MDA2Mlx1MDAyZlx1MDA2Zlx1MDA3MFx1MDA3NFx1MDA2OVx1MDA2Zlx1MDA2ZVx1MDA3M1x1MDAyZVx1MDA2OFx1MDA3NFx1MDA2ZFx1MDA2YyJdfV19LCJcdTAwNjRcdTAwNjFcdTAwNzRcdTAwNjUiOjE2MDQ2OTgzMDg0NjksIlx1MDA3Nlx1MDA2NVx1MDA3Mlx1MDA3M1x1MDA2OVx1MDA2Zlx1MDA2ZSI6IjBcdTAwMmUxXHUwMDJlMCJ9

I figured it was encoded and likely encoded with something like base64. I went ahead and tried decoding it as base64 and got the following in return:

{"\u0043\u006f\u006e\u0066\u0069\u0067":{"\u0061\u0075\u0074\u006f\u0055\u0070\u0064\u0061\u0074\u0065":true,"\u0061\u0075\u0074\u006f\u0045\u0078\u0065\u0063\u0075\u0074\u0065":true,"\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0049\u006e\u0074\u0065\u0072\u0076\u0061\u006c":1800000,"\u0065\u006e\u0061\u0062\u006c\u0065":true,"\u0065\u0078\u0065\u0063\u0075\u0074\u0065":false,"\u0064\u006f\u006d\u0053\u0063\u0061\u006e":true,"\u0064\u006f\u006d\u0053\u0063\u0061\u006e\u0054\u0069\u006d\u0065\u006f\u0075\u0074":100,"\u0070\u0061\u0074\u0068\u0053\u0063\u0061\u006e":true,"\u0070\u0061\u0074\u0068\u0053\u0063\u0061\u006e\u0054\u0069\u006d\u0065\u006f\u0075\u0074":100,"\u0069\u006e\u0069\u0074":2220000},"\u004d\u0065\u0074\u0061\u0064\u0061\u0074\u0061":{"\u0065\u0078\u0074":[{"\u006e\u0061\u006d\u0065":"\u006a\u004f\u0064\u0066\u0043\u0061\u0057\u0048\u0079","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":3600000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u002e\u0073\u0061\u006c\u0065\u0073\u006c\u006f\u0066\u0074\u002d\u006c\u006f\u0067\u006f"]},"\u0070\u0061\u0074\u0068":[]},{"\u006e\u0061\u006d\u0065":"\u006a\u004f\u0064\u0066\u0043\u0061\u0057\u0048\u0079\u0049\u004f\u0076\u0066\u0058\u0047\u0066","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":[]},"\u0070\u0061\u0074\u0068":["\u0063\u0066\u0066\u0067\u006a\u0067\u0069\u0067\u006a\u0066\u0067\u006a\u006b\u0066\u0064\u006f\u0070\u0062\u006f\u0062\u0062\u0064\u0061\u0064\u0061\u0065\u006c\u0062\u0068\u0065\u0070\u006f\u002f\u0069\u006d\u0061\u0067\u0065\u0073\u002f\u0069\u0063\u006f\u006e\u002e128\u002e\u0070\u006e\u0067"]},{"\u006e\u0061\u006d\u0065":"\u0077\u0044\u0043\u0047\u0057\u004b\u0066\u0073\u0064\u005a","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u0023\u0064\u006c\u0079\u005f\u0069\u0063\u006f\u006e\u005f\u0061\u0072\u0065\u0061"]},"\u0070\u0061\u0074\u0068":["\u0064\u0069\u006a\u0068\u0063\u0070\u0062\u006b\u0061\u006c\u0066\u0067\u006b\u0063\u0065\u0062\u0067\u006f\u006e\u0063\u006a\u006d\u0066\u0070\u0062\u0061\u006d\u0069\u0068\u0067\u0061\u0066\u002f\u006c\u0069\u005f\u0073\u006f\u0063\u0069\u0061\u006c\u005f\u0070\u006c\u0075\u0067\u0069\u006e\u002e\u0063\u0073\u0073"]},{"\u006e\u0061\u006d\u0065":"\u0050\u0047\u004d\u0056\u0044\u0073\u0066","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":3600000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u002e\u0065\u0063\u0071\u0075\u0069\u0072\u0065\u002d\u0062\u0075\u0074\u0074\u006f\u006e"]},"\u0070\u0061\u0074\u0068":[]},{"\u006e\u0061\u006d\u0065":"\u0050\u0078\u0043\u0079\u004f\u004c\u0056\u0064\u0064\u0046\u0057\u0073\u0058","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u0023\u0065\u0062\u0073\u0074\u0061\u0062\u0061\u0072"]},"\u0070\u0061\u0074\u0068":["\u0062\u006e\u0065\u0065\u0070\u006e\u0067\u0062\u006d\u0064\u006e\u006a\u006f\u0064\u0061\u0063\u0065\u0065\u0066\u0066\u0063\u006f\u0064\u0069\u006f\u006e\u0066\u0070\u0068\u0067\u0063\u0062\u002f\u0063\u0073\u0073\u002f\u006d\u0061\u0069\u006e\u002e\u0063\u0073\u0073"]},{"\u006e\u0061\u006d\u0065":"\u0050\u0078\u0043\u0079\u004f\u006a\u004f\u0064\u0066\u0043\u0048\u0057\u0073\u0047\u0066","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u002e\u0065\u0062\u0073\u0074\u0061\u0062\u0061\u0072"]},"\u0070\u0061\u0074\u0068":["\u0067\u0065\u006d\u0063\u0067\u006e\u006b\u0067\u0068\u0070\u006e\u0066\u0062\u006d\u006c\u0066\u0069\u006d\u0064\u0062\u0064\u0067\u0066\u0065\u0070\u0063\u0067\u0065\u006e\u0070\u0068\u0066\u002f\u0063\u0073\u0073\u002f\u006d\u0061\u0069\u006e\u002e\u0063\u0073\u0073"]},{"\u006e\u0061\u006d\u0065":"\u0055\u0044\u0064\u0076","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":3600000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u002e\u0067\u0069\u006c\u0064\u002d\u006c\u006f\u0067\u006f"]},"\u0070\u0061\u0074\u0068":[]},{"\u006e\u0061\u006d\u0065":"\u006f\u0073\u0057\u0053\u0066\u0064\u0054\u0071","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":[]},"\u0070\u0061\u0074\u0068":["\u006d\u0064\u0062\u0061\u0069\u006d\u0067\u0068\u006f\u0067\u006b\u0067\u0066\u0070\u006b\u0067\u006d\u006a\u0066\u0062\u006b\u006a\u006e\u006a\u0061\u006d\u0068\u006b\u0062\u006e\u006d\u006d\u002f\u0069\u0063\u006f\u006e\u005f\u006c\u0069\u006e\u006b\u0065\u0064\u0069\u006e\u002e\u0070\u006e\u0067"]},{"\u006e\u0061\u006d\u0065":"\u006f\u0073\u0057\u0043\u0053\u0066\u0047\u0079\u006e\u0044\u004b\u0066","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u0023\u006d\u0079\u002d\u0062\u006f\u0078"]},"\u0070\u0061\u0074\u0068":["\u0067\u006a\u0061\u0062\u006c\u006b\u006f\u0061\u0064\u0063\u006a\u0067\u0064\u0064\u006a\u0063\u006d\u006f\u0067\u006d\u0061\u006b\u006a\u006d\u0064\u0064\u0067\u006f\u0070\u006a\u0063\u0070\u002f\u0069\u0063\u006f\u006e\u002e\u0070\u006e\u0067"]},{"\u006e\u0061\u006d\u0065":"\u0059\u004f\u0064\u0066\u0058\u0079\u004c\u0044\u0058","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u0023\u0074\u0062\u006e\u002d\u0073\u0069\u0064\u0065\u0062\u0061\u0072\u002d\u0074\u0061\u0062"]},"\u0070\u0061\u0074\u0068":["\u0070\u0070\u006f\u006d\u0066\u0070\u0065\u0068\u006b\u0066\u0064\u006b\u006f\u0067\u0062\u006c\u006f\u0061\u006a\u0067\u006a\u006c\u006c\u006f\u006e\u006a\u006c\u006e\u006a\u0064\u0065\u0068\u002f\u0069\u006d\u0067\u002f\u0074\u0061\u006c\u0065\u006e\u0074\u0062\u0069\u006e\u002e\u0070\u006e\u0067"]},{"\u006e\u0061\u006d\u0065":"\u0049\u0057\u0058\u0058\u0066\u0047\u0079\u0044\u0048\u0044\u0066\u0073\u0049\u0046\u0073\u0057\u0068\u0066","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u0023\u0063\u002d\u0073\u0069\u0064\u0065\u002d\u0063\u006c\u006f\u0073\u0065\u002d\u0064\u0069\u0076"]},"\u0070\u0061\u0074\u0068":["\u006d\u0062\u0062\u0070\u006a\u0067\u006e\u006c\u0070\u0065\u006c\u0061\u0061\u0066\u006e\u006e\u0069\u0067\u0063\u0069\u0065\u0067\u0066\u0070\u0065\u006c\u0063\u0068\u006a\u006c\u0064\u006c\u002f\u0076\u0069\u0065\u0077\u0073\u002f\u0073\u0069\u0064\u0065\u0062\u0061\u0072\u002d\u0066\u0072\u0061\u006d\u0065\u002e\u0068\u0074\u006d\u006c"]},{"\u006e\u0061\u006d\u0065":"\u0049\u0057\u0058\u0058\u0066\u0047\u0079\u0044\u0048\u0044\u0066\u0073\u0042\u0044\u0073\u0066\u0048\u0057\u006d","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":3600000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u0023\u0063\u006f\u006e\u006e\u0065\u0063\u0074\u0069\u0066\u0069\u0065\u0072\u002d\u006c\u006f\u0067\u006f"]},"\u0070\u0061\u0074\u0068":[]},{"\u006e\u0061\u006d\u0065":"\u0050\u0058\u0079\u0066\u0064\u0057","\u0069\u006e\u0074\u0065\u0072\u0076\u0061\u006c":86400000,"\u0064\u0061\u0074\u0065":0,"\u0074\u006f\u0070\u0050\u0061\u0074\u0068":["\u0070\u0072\u006f\u0066\u0069\u006c\u0065","\u0072\u0065\u0063\u0072\u0075\u0069\u0074\u0065\u0072"],"\u0064\u006f\u006d":{"\u0073\u0065\u006c\u0065\u0063\u0074\u006f\u0072":["\u0023\u0065\u006e\u0074\u0065\u006c\u006f\u002d\u0065\u0078\u0074\u0065\u006e\u0073\u0069\u006f\u006e"]},"\u0070\u0061\u0074\u0068":["\u006e\u006f\u0067\u0064\u0070\u0070\u006b\u006a\u0068\u0064\u006e\u006c\u0070\u006b\u0062\u0062\u0064\u0062\u0067\u0070\u006d\u0065\u006b\u006d\u0062\u0066\u0070\u006b\u006b\u006f\u0067\u0062\u002f\u006f\u0070\u0074\u0069\u006f\u006e\u0073\u002e\u0068\u0074\u006d\u006c"]}]},"\u0064\u0061\u0074\u0065":1604698308469,"\u0076\u0065\u0072\u0073\u0069\u006f\u006e":"0\u002e1\u002e0"}

The decoded data looks like JSON that uses unicode hex code points instead of using a human readable format. Clearly LinkedIn didn't want the data to be easily readable. I simply parsed the JSON and hoped for the best. When I looked at the parsed JSON my stomach sank a bit; It was the smoking gun.

{
  "Config": {
    "autoUpdate": true,
    "autoExecute": true,
    "executeInterval": 1800000,
    "enable": true,
    "execute": false,
    "domScan": true,
    "domScanTimeout": 100,
    "pathScan": true,
    "pathScanTimeout": 100,
    "init": 2220000
  },
  "Metadata": {
    "ext": [
      {
        "name": "jOdfCaWHy",
        "interval": 3600000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            ".salesloft-logo"
          ]
        },
        "path": []
      },
      {
        "name": "jOdfCaWHyIOvfXGf",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": []
        },
        "path": [
          "cffgjgigjfgjkfdopbobbdadaelbhepo\/images\/icon.128.png"
        ]
      },
      {
        "name": "wDCGWKfsdZ",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            "#dly_icon_area"
          ]
        },
        "path": [
          "dijhcpbkalfgkcebgoncjmfpbamihgaf\/li_social_plugin.css"
        ]
      },
      {
        "name": "PGMVDsf",
        "interval": 3600000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            ".ecquire-button"
          ]
        },
        "path": []
      },
      {
        "name": "PxCyOLVddFWsX",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            "#ebstabar"
          ]
        },
        "path": [
          "bneepngbmdnjodaceeffcodionfphgcb\/css\/main.css"
        ]
      },
      {
        "name": "PxCyOjOdfCHWsGf",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            ".ebstabar"
          ]
        },
        "path": [
          "gemcgnkghpnfbmlfimdbdgfepcgenphf\/css\/main.css"
        ]
      },
      {
        "name": "UDdv",
        "interval": 3600000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            ".gild-logo"
          ]
        },
        "path": []
      },
      {
        "name": "osWSfdTq",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": []
        },
        "path": [
          "mdbaimghogkgfpkgmjfbkjnjamhkbnmm\/icon_linkedin.png"
        ]
      },
      {
        "name": "osWCSfGynDKf",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            "#my-box"
          ]
        },
        "path": [
          "gjablkoadcjgddjcmogmakjmddgopjcp\/icon.png"
        ]
      },
      {
        "name": "YOdfXyLDX",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            "#tbn-sidebar-tab"
          ]
        },
        "path": [
          "ppomfpehkfdkogbloajgjllonjlnjdeh\/img\/talentbin.png"
        ]
      },
      {
        "name": "IWXXfGyDHDfsIFsWhf",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            "#c-side-close-div"
          ]
        },
        "path": [
          "mbbpjgnlpelaafnnigciegfpelchjldl\/views\/sidebar-frame.html"
        ]
      },
      {
        "name": "IWXXfGyDHDfsBDsfHWm",
        "interval": 3600000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            "#connectifier-logo"
          ]
        },
        "path": []
      },
      {
        "name": "PXyfdW",
        "interval": 86400000,
        "date": 0,
        "topPath": [
          "profile",
          "recruiter"
        ],
        "dom": {
          "selector": [
            "#entelo-extension"
          ]
        },
        "path": [
          "nogdppkjhdnlpkbbdbgpmekmbfpkkogb\/options.html"
        ]
      }
    ]
  },
  "date": 1604698308469,
  "version": "0.1.0"
}

A Closer Look

The data contained within the JSON is quite revealing. LinkedIn stores basic information for each unapproved extension. The name of the extension is encrypted with a basic Caesar cipher (I wonder who thought that was a good idea). More importantly each extension entry includes a path field and a dom field. These fields shed light on the two methods used by LinkedIn to identify extensions:

  1. Path Scanning. This is what LinkedIn is doing when they spray your browser with web requests attempting to identify any web accessible resources.
  2. Dom Scanning. This is what LinkedIn is doing when they search the dom for known extension side effects such as the presence of certain class names or ids.

A deeper inspection of LinkedIn's obfuscated JavaScript code reveals a bit more information about how LinkedIn identifies extensions:

On a positive note, ad blockers such as uBlock Origin are now blocking web requests to /platform-telemetry/contentsecurity. At the very least that prevents your extension data from being exfiltrated back to LinkedIn. With that being said LinkedIn could always update their endpoint to a non-blacklisted path to resume the exfiltration.

I have put together a browser extension that makes it simple to parse LinkedIn's local storage and determine which extensions they are scanning your browser for. The extension is called, "Nefarious LI". The extension is currently available for Firefox and Chrome. It's also open source. You can find the source code on my source code page.

Are there any takeaways for LinkedIn users? At the very least:

  1. Use an ad blocker for added privacy (especially if you have any extensions installed LinkedIn may not approve of).
  2. Consider using a browser besides Google Chrome.

Tips for Developers

If you are a developer of browser extensions there are certainly lessons to be learned from LinkedIn's behavior.

  1. Do not use web accessible resources. There is really little need for them and they are not worth the added security and privacy issues.
  2. Avoid side effects when using a content script. Do not modify the dom in a predictable manner. If you must leave side effects on the page at least get creative with it to hide your tracks.
  3. Consider using a browser (or page) action instead of a content script. Actions are isolated from the page which in turn protects your users.

</>