Tuesday, February 16, 2021

My firewall detected a UDP outbound connection from Firefox desktop (v85.0.2) when visiting the LinkedIn sign in page: https://www.linkedin.com/login
 

 
Non-authoritative answer:
Addresses: 2a00:1450:400c:c0a::7f
I was interested to check the code that was making the request, because it doesn't show up in developer tools or uBlock's Logger.
 
The request that delivered the js payload was: https://static-exp1.licdn.com/sc/h/6jblk5oqhlo45xbkmcr7s4zix
 
In the packed code was reference to stun:stun.l.google.com:19302?transport=udp. I did a auto unpack with de4js and the UDP call is related to static.getIPs method.
 
Packed code here for reference. Auto unpacked here.
 
I'm not sure why LinkedIn is executing this code on clients. There were some potentially questionable ethics in the js. For example: static.getAdBlock and static.incognitoKey static.doNotTrackKey.
 
Looks like this is a fingerprinting script that might belong or relate to fingerprintjs. Here is an older commit showing very similar code to the packed version I found on LinkedIn CDN.
Makes a website visitor identifier from a browser fingerprint. Unlike cookies and local storage, fingerprint stays the same in incognito/private mode and even when browser data is purged. 
Niiice.