<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://jaalso.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://jaalso.github.io/" rel="alternate" type="text/html" /><updated>2026-07-01T10:36:15+00:00</updated><id>https://jaalso.github.io/feed.xml</id><title type="html">jaalso</title><subtitle>Lab write-ups, CTF solutions, and security notes by Jaime — SOC analyst and junior pentester in training, Zürich.</subtitle><author><name>Jaime</name></author><entry><title type="html">Windows Telemetry — What Microsoft Sees from a Personal Host</title><link href="https://jaalso.github.io/2026/06/18/windows-telemetry-personal-host/" rel="alternate" type="text/html" title="Windows Telemetry — What Microsoft Sees from a Personal Host" /><published>2026-06-18T00:00:00+00:00</published><updated>2026-06-18T00:00:00+00:00</updated><id>https://jaalso.github.io/2026/06/18/windows-telemetry-personal-host</id><content type="html" xml:base="https://jaalso.github.io/2026/06/18/windows-telemetry-personal-host/"><![CDATA[<p>I wanted a concrete answer to a question most people wave away: what does my own
Windows machine actually send to Microsoft, without me asking it to? Not the marketing
answer — the DNS answer. So I put a DNS sinkhole between my laptop and the internet and
read the query log. The telemetry surface was immediately visible, and blocking it was
one blocklist away. This investigation is what led me to build the <a href="/labs/">hardened Pi-hole
home lab</a>.</p>

<h2 id="the-method--and-its-honest-limits">The method — and its honest limits</h2>

<p>A DNS sinkhole (Pi-hole) sees every domain a host tries to resolve before any
connection is made. That’s the right layer for this question: I’m not decrypting
payloads or claiming to read what Microsoft received — I’m documenting <em>where my host
reaches out</em>, and then stopping the connection at the door. DNS reveals the telemetry
surface; blocking at DNS means the request never leaves the network.</p>

<ul>
  <li>Observation: Pi-hole query log on a Raspberry Pi 5, laptop DNS pointed at it</li>
  <li>Attribution: <code class="language-plaintext highlighter-rouge">pihole -q &lt;domain&gt;</code> to prove <em>which</em> blocklist caught each endpoint</li>
  <li>Scope: my own EliteBook only, on my own network</li>
</ul>

<h2 id="what-showed-up">What showed up</h2>

<p>Filtering the query log for Microsoft-owned destinations, these telemetry endpoints
were being requested by the host — and blocked:</p>

<table>
  <thead>
    <tr>
      <th>Endpoint</th>
      <th>Associated with</th>
      <th>Caught by</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">vortex.data.microsoft.com</code></td>
      <td>Windows diagnostic telemetry (DiagTrack)</td>
      <td>WindowsSpyBlocker</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">telemetry.microsoft.com</code></td>
      <td>Windows telemetry collection</td>
      <td>WindowsSpyBlocker</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">browser.events.data.msn.com</code></td>
      <td>Edge / MSN browser event telemetry</td>
      <td>HaGeZi multi</td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">g.live.com</code></td>
      <td>Microsoft account / Live service beacon</td>
      <td>HaGeZi (as <code class="language-plaintext highlighter-rouge">g.msn.com</code>)</td>
    </tr>
  </tbody>
</table>

<p>Each was blocked on both <strong>A and AAAA</strong> lookups — IPv6 telemetry doesn’t slip past a
sinkhole that filters AAAA too, which is a common gap when people only set IPv4 DNS.</p>

<h2 id="the-scale">The scale</h2>

<p>Across normal use, the dashboard settled at roughly <strong>24% of all DNS queries blocked</strong>.
That number isn’t all telemetry — it includes ads and trackers from a 2.3-million-domain
blocklist — but the Microsoft/Edge diagnostic endpoints are a consistent, recurring
slice of it, requested in the background without user action.</p>

<h2 id="why-it-matters">Why it matters</h2>

<p>At a personal level, this is the difference between <em>assuming</em> a machine phones home and
<em>proving</em> which endpoints it contacts, with per-domain attribution. At an organisational
level, the same DNS-layer visibility is how you’d inventory and control outbound
telemetry across an estate — and under GDPR / the Swiss nFADP, “what leaves the endpoint,
to whom” is a question a business is expected to be able to answer.</p>

<p>The honest caveat stands: DNS tells you the destination, not the contents. But for
telemetry, the destination <em>is</em> the finding — and it’s also the control point.</p>

<h2 id="from-research-to-mitigation">From research to mitigation</h2>

<p>Seeing the telemetry surface concretely is what justified building the infrastructure to
block it network-wide: a hardened Pi-hole sinkhole, verified end to end. That build is
written up separately as a <a href="/labs/">lab</a> — this piece is the reason it exists.</p>

<h2 id="takeaways">Takeaways</h2>

<ul>
  <li><strong>DNS is the cheapest visibility you’ll ever get.</strong> No agent, no packet capture — a
sinkhole shows the outbound telemetry surface of every device behind it.</li>
  <li><strong>Filter AAAA, not just A.</strong> IPv6 telemetry is a silent bypass otherwise.</li>
  <li><strong>Attribution beats a blocklist count.</strong> <code class="language-plaintext highlighter-rouge">pihole -q</code> turns “something was blocked” into
“this specific endpoint, caught by this list” — which is what makes it evidence.</li>
</ul>

<hr />

<p><em>All observation was performed on my own host and network. No third-party systems were
accessed; this documents outbound DNS requests from a personal machine and their
mitigation.</em></p>]]></content><author><name>Jaime</name></author><category term="real-world" /><category term="privacy" /><category term="telemetry" /><category term="dns" /><category term="windows" /><category term="pi-hole" /><summary type="html"><![CDATA[I wanted a concrete answer to a question most people wave away: what does my own Windows machine actually send to Microsoft, without me asking it to? Not the marketing answer — the DNS answer. So I put a DNS sinkhole between my laptop and the internet and read the query log. The telemetry surface was immediately visible, and blocking it was one blocklist away. This investigation is what led me to build the hardened Pi-hole home lab.]]></summary></entry><entry><title type="html">Booking.com Storm-1865 Phishing Triage</title><link href="https://jaalso.github.io/2026/05/13/booking-storm1865-phishing-triage/" rel="alternate" type="text/html" title="Booking.com Storm-1865 Phishing Triage" /><published>2026-05-13T00:00:00+00:00</published><updated>2026-05-13T00:00:00+00:00</updated><id>https://jaalso.github.io/2026/05/13/booking-storm1865-phishing-triage</id><content type="html" xml:base="https://jaalso.github.io/2026/05/13/booking-storm1865-phishing-triage/"><![CDATA[<p>A relative in Switzerland received three WhatsApp messages — French, German, and
English — impersonating their hotel’s reservation team and demanding they “verify”
a booking through a link. Using a structured CTI reading workflow and a triage chain
(Inoreader feed → open-source research → URLscan.io → Have I Been Pwned → NCSC.ch
advisories), I identified the campaign as Storm-1865’s “I Paid Twice” variant — a
Russian-origin operation abusing Booking.com’s April 2026 partner-portal breach. I
reported it to the Swiss NCSC, which confirmed the attribution and acknowledged the
URLscan IOC for downstream blocklist action.</p>

<h2 id="the-lure">The lure</h2>

<p>The victim received three messages in quick succession on WhatsApp from an unknown
number, claiming to be from “Diana, your check-in manager” at the booked hotel. The
messages stated that the hotel was ending its Booking.com partnership, that the
reservation had to move to the hotel’s “direct booking system”, that a 50% discount
was available for rebooking through a personal link, and that a full refund of the
original payment would follow. To “verify”, the victim was told to approve two push
notifications or SMS codes from their bank.</p>

<p>The link was hosted at <code class="language-plaintext highlighter-rouge">booking.roomstation.help/reservation/[redacted]</code>.</p>

<h2 id="initial-red-flags">Initial red flags</h2>

<table>
  <thead>
    <tr>
      <th>Indicator</th>
      <th>Why it’s suspicious</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>WhatsApp contact</td>
      <td>Real Booking.com communication happens in-app, never via WhatsApp</td>
    </tr>
    <tr>
      <td>50% discount lure</td>
      <td>Classic financial-incentive social engineering</td>
    </tr>
    <tr>
      <td>Domain <code class="language-plaintext highlighter-rouge">roomstation.help</code></td>
      <td>Legitimate Booking.com domains are always <code class="language-plaintext highlighter-rouge">booking.com</code></td>
    </tr>
    <tr>
      <td><code class="language-plaintext highlighter-rouge">.help</code> TLD</td>
      <td>Uncommon, cheap, favoured by phishers</td>
    </tr>
    <tr>
      <td>Multilingual flood</td>
      <td>Profiling trick — attacker doesn’t know the victim’s language</td>
    </tr>
    <tr>
      <td>“Approve two bank requests”</td>
      <td>The actual attack vector — both approvals debit the victim</td>
    </tr>
    <tr>
      <td>Exact booking details quoted</td>
      <td>Confirms breach data is in use</td>
    </tr>
    <tr>
      <td>Urgent, time-limited framing</td>
      <td>Forced-decision pressure</td>
    </tr>
  </tbody>
</table>

<h2 id="triage-chain">Triage chain</h2>

<p><strong>Phase 1 — CTI feed search.</strong> Searched my personal Inoreader CTI dashboard for
Booking.com. Three relevant items surfaced from the prior weeks: BleepingComputer on
the breach forcing reservation PIN resets (April 2026), SecurityWeek confirming
attacker access to user information (April 2026), and an earlier BleepingComputer piece
on a Booking.com phishing campaign using a lookalike <code class="language-plaintext highlighter-rouge">ん</code> character (August 2025).</p>

<p><strong>Phase 2 — open-source research.</strong> Searching for the hotel-partner phishing scam
tied the activity to Storm-1865 (Microsoft’s attribution), using the ClickFix technique
against hotel employees to deploy XWorm and VenomRAT. Bridewell tracks it as intrusion
set BR-UNC-030 with Russian-origin code comments in the customer phishing kit; Krebs
documented the phishing-as-a-service infrastructure behind the 50%-discount fraud; and
the earlier name “I Paid Twice” came from Sekoia (November 2025).</p>

<p><strong>Phase 3 — Have I Been Pwned.</strong> Checking the victim’s exposure showed three breaches.
The most operationally relevant was Luxottica (2021) — name, DOB, phone, address — the
likely source of the phone number used to reach them on WhatsApp. Booking.com’s April
2026 breach supplied the booking-specific data (hotel name, dates).</p>

<table>
  <thead>
    <tr>
      <th>Breach</th>
      <th>Date</th>
      <th>Relevance</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Synthient Credential Stuffing</td>
      <td>2025</td>
      <td>Email + password in active credential-stuffing lists</td>
    </tr>
    <tr>
      <td>Luxottica</td>
      <td>2021</td>
      <td>Name, DOB, phone, address — likely source of the WhatsApp number</td>
    </tr>
    <tr>
      <td>Dropbox</td>
      <td>2012</td>
      <td>Salted hashes — low current relevance</td>
    </tr>
  </tbody>
</table>

<p><strong>Phase 4 — URLscan.io infrastructure analysis.</strong> Submitting the domain returned the
detail that made the whole thing click:</p>

<table>
  <thead>
    <tr>
      <th>Property</th>
      <th>Value</th>
      <th>Interpretation</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Domain age at scan</td>
      <td>1 minute</td>
      <td>Active campaign — freshly rotated infrastructure</td>
    </tr>
    <tr>
      <td>Main IP</td>
      <td>188.114.97.3</td>
      <td>Cloudflare (AS13335) — hides the real backend</td>
    </tr>
    <tr>
      <td>TLS issuer</td>
      <td>Let’s Encrypt E8</td>
      <td>Free, throwaway cert</td>
    </tr>
    <tr>
      <td>TLS issued</td>
      <td>11 May 2026</td>
      <td>Two days before the victim was messaged</td>
    </tr>
    <tr>
      <td>Page title</td>
      <td>“Nur einen Moment…”</td>
      <td>Loading-page lure — classic ClickFix pattern</td>
    </tr>
    <tr>
      <td>Page banner</td>
      <td>“Sicherheitsüberprüfung wird durchgeführt”</td>
      <td>Fake security check</td>
    </tr>
    <tr>
      <td>Redirects</td>
      <td>2</td>
      <td>Typical of phishing kits</td>
    </tr>
    <tr>
      <td>URLscan / Safe Browsing</td>
      <td>No classification</td>
      <td>Too new to be on blocklists yet</td>
    </tr>
  </tbody>
</table>

<p>A domain one minute old, on a cert issued two days before contact, not yet on any
blocklist — this was live, freshly rotated infrastructure, not a stale link.</p>

<p><strong>Phase 5 — NCSC.ch corroboration.</strong> The Swiss NCSC archive showed the campaign in
Wochenrückblick 47/2023 and 10/2024, confirming continuous activity against Swiss
residents for over two years. I reported the case on 13 May 2026; an NCSC analyst
confirmed the report, validated the attribution to the Booking.com breach data, and
acknowledged the URLscan IOC for downstream blocklist action.</p>

<h2 id="indicators-of-compromise">Indicators of compromise</h2>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DOMAIN:   booking.roomstation.help
IP:       188.114.97.3 (Cloudflare front)
IP:       104.18.94.41 (Cloudflare front)
ASN:      AS13335 (CLOUDFLARENET)
TLS CN:   Let's Encrypt E8 intermediate — issued 11 May 2026
TTP:      ClickFix — "Sicherheitsüberprüfung wird durchgeführt"
THEME:    Hotel partnership-termination + 50% discount + dual-bank approval
GROUP:    Storm-1865 (Microsoft) / BR-UNC-030 (Bridewell)
CAMPAIGN: "I Paid Twice" / Booking.com partner phishing
NCSC REF: RNR-277766 (13 May 2026)
</code></pre></div></div>

<h2 id="mitre-attck-mapping">MITRE ATT&amp;CK mapping</h2>

<table>
  <thead>
    <tr>
      <th>Tactic</th>
      <th>Technique</th>
      <th>ID</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Initial Access</td>
      <td>Phishing: Spearphishing via Service</td>
      <td>T1566.003</td>
    </tr>
    <tr>
      <td>Initial Access</td>
      <td>Phishing: Spearphishing Link</td>
      <td>T1566.002</td>
    </tr>
    <tr>
      <td>Resource Development</td>
      <td>Acquire Infrastructure: Domains</td>
      <td>T1583.001</td>
    </tr>
    <tr>
      <td>Resource Development</td>
      <td>Acquire Infrastructure: Web Services</td>
      <td>T1583.006</td>
    </tr>
    <tr>
      <td>Resource Development</td>
      <td>Obtain Capabilities: Code Signing Certificates</td>
      <td>T1588.003</td>
    </tr>
    <tr>
      <td>Credential Access</td>
      <td>Steal Web Session Cookie</td>
      <td>T1539</td>
    </tr>
    <tr>
      <td>Defense Evasion</td>
      <td>Hide Infrastructure</td>
      <td>T1665</td>
    </tr>
  </tbody>
</table>

<h2 id="takeaways">Takeaways</h2>

<p>The decisive signal wasn’t any single red flag — it was the URLscan domain age. A
one-minute-old domain on a two-day-old cert reframes the whole case from “probably
phishing” to “live, actively rotated campaign infrastructure”. The HIBP pivot was the
other lesson: the attacker’s contact channel (the WhatsApp number) traced back to an
unrelated 2021 breach, while the booking specifics came from the 2026 one — two
separate leaks combined into one convincing lure.</p>

<h2 id="references">References</h2>

<ul>
  <li><a href="https://www.malwarebytes.com/blog/data-breaches/2026/04/booking-com-breach-gives-scammers-what-they-need-to-target-guests">Malwarebytes — Booking.com breach gives scammers what they need</a></li>
  <li><a href="https://krebsonsecurity.com/2024/11/booking-com-phishers-may-leave-you-with-reservations/">Krebs on Security — Booking.com Phishers May Leave You With Reservations</a></li>
  <li><a href="https://www.bridewell.com/insights/blogs/detail/the-booking.com-phishing-campaign-targeting-hotels-and-customers">Bridewell — The Booking.com Phishing Campaign</a></li>
  <li><a href="https://stateofsurveillance.org/news/booking-com-data-breach-reservation-data-supply-chain-phishing-2026/">State of Surveillance — Booking.com Breach Timeline</a></li>
  <li><a href="https://www.ncsc.admin.ch/ncsc/de/home/aktuell/im-fokus/2023/wochenrueckblick_47.html">NCSC.ch — Wochenrückblick 47/2023</a></li>
  <li><a href="https://www.ncsc.admin.ch/ncsc/de/home/aktuell/im-fokus/2024/wochenrueckblick_10.html">NCSC.ch — Wochenrückblick 10/2024</a></li>
</ul>

<hr />

<p><em>The targeted family member’s name and identifying details have been omitted. The case
was triaged with their consent and no personal data is reproduced.</em></p>]]></content><author><name>Jaime</name></author><category term="real-world" /><category term="phishing" /><category term="cti" /><category term="threat-intel" /><category term="ncsc" /><category term="urlscan" /><category term="mitre-attack" /><category term="storm-1865" /><summary type="html"><![CDATA[A relative in Switzerland received three WhatsApp messages — French, German, and English — impersonating their hotel’s reservation team and demanding they “verify” a booking through a link. Using a structured CTI reading workflow and a triage chain (Inoreader feed → open-source research → URLscan.io → Have I Been Pwned → NCSC.ch advisories), I identified the campaign as Storm-1865’s “I Paid Twice” variant — a Russian-origin operation abusing Booking.com’s April 2026 partner-portal breach. I reported it to the Swiss NCSC, which confirmed the attribution and acknowledged the URLscan IOC for downstream blocklist action.]]></summary></entry><entry><title type="html">BrowserGate — Independent Verification of LinkedIn Browser Fingerprinting</title><link href="https://jaalso.github.io/2026/04/28/browsergate-linkedin-fingerprinting/" rel="alternate" type="text/html" title="BrowserGate — Independent Verification of LinkedIn Browser Fingerprinting" /><published>2026-04-28T00:00:00+00:00</published><updated>2026-04-28T00:00:00+00:00</updated><id>https://jaalso.github.io/2026/04/28/browsergate-linkedin-fingerprinting</id><content type="html" xml:base="https://jaalso.github.io/2026/04/28/browsergate-linkedin-fingerprinting/"><![CDATA[<p>When the “BrowserGate” disclosure broke in April 2026 — claiming LinkedIn’s site
silently fingerprints visitors’ browsers, down to their installed extensions — I didn’t
want to take the headline on faith. So I reproduced it myself in Chrome DevTools,
confirmed the data was leaving my browser, then proved a one-step mitigation actually
stopped it. Verify, or don’t believe it.</p>

<h2 id="the-claim">The claim</h2>

<p>BrowserGate, disclosed by Fairlinked e.V. and covered by BleepingComputer and The Next
Web, alleged that LinkedIn’s production JavaScript transmits an encrypted browser
fingerprint — including the list of installed browser extensions — to its servers on
every page load, without the user’s knowledge or consent. I treated it as a
threat-verification exercise rather than news to repeat: capture the evidence, or
discard the claim.</p>

<h2 id="verifying-it-in-devtools">Verifying it in DevTools</h2>

<p>With Chrome’s DevTools Network tab open on LinkedIn, I filtered the traffic and found
the endpoint the disclosure named:</p>

<ul>
  <li><strong>3 × HTTP 200 POST</strong> requests to the <code class="language-plaintext highlighter-rouge">sensorCollect</code> endpoint per session</li>
  <li><strong>~0.4 kB per call, ~1.2 kB per session</strong> — small encrypted payloads consistent with
a fingerprint, not page content</li>
  <li>Source traced to an <strong>obfuscated Webpack bundle</strong> (<code class="language-plaintext highlighter-rouge">chunk.905</code>, module 75023) —
deliberately hard to read</li>
  <li>A <strong>third-party tracker (Human Security / PerimeterX)</strong> injected via a hidden iframe</li>
</ul>

<p>The claim held up: the data was real, it was leaving the browser, and the delivering
script was obfuscated.</p>

<h2 id="mitigation--and-proving-it-worked">Mitigation — and proving it worked</h2>

<p>Verification isn’t just confirming the problem; it’s confirming a fix. I switched to
Brave (which blocks this class of tracking by default) and re-ran the identical capture:</p>

<table>
  <thead>
    <tr>
      <th>Metric</th>
      <th>Chrome (before)</th>
      <th>Brave (after)</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>sensorCollect calls</td>
      <td>3 × HTTP 200</td>
      <td>3 × blocked:other</td>
    </tr>
    <tr>
      <td>Data transferred</td>
      <td>1.2 kB</td>
      <td>0.0 kB</td>
    </tr>
    <tr>
      <td>LinkedIn received data</td>
      <td>yes</td>
      <td>no</td>
    </tr>
    <tr>
      <td>Extension list exposed</td>
      <td>full list</td>
      <td>randomized</td>
    </tr>
    <tr>
      <td>Time to block</td>
      <td>—</td>
      <td>14 ms</td>
    </tr>
  </tbody>
</table>

<p>Then I corroborated with an independent method — EFF’s Cover Your Tracks, which tests a
browser against 311,004+ real fingerprints:</p>

<table>
  <thead>
    <tr>
      <th>Browser</th>
      <th>Protection</th>
      <th>Fingerprint</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Chrome</td>
      <td>Weak</td>
      <td>unique — 18.25 bits of identifying info</td>
    </tr>
    <tr>
      <td>Brave</td>
      <td>Strong</td>
      <td>randomized</td>
    </tr>
  </tbody>
</table>

<p>Two independent methods agreed: the data left Chrome, and Brave stopped it.</p>

<h2 id="why-it-matters--the-regulatory-angle">Why it matters — the regulatory angle</h2>

<p>An installed-extension list can reveal sensitive traits — health conditions, politics,
or religion inferred from what someone installs. Under GDPR Article 9, processing
special-category data requires explicit consent, which silent fingerprinting doesn’t
obtain. The context isn’t hypothetical: LinkedIn’s parent, Microsoft, was fined
EUR 310M by the Irish DPC in October 2024 for prior data-protection violations, and the
ceiling for a breach at that scale is roughly 4% of global turnover.</p>

<h2 id="takeaways">Takeaways</h2>

<ul>
  <li><strong>Verify, don’t repeat.</strong> A disclosure is a hypothesis until reproduced. DevTools
turned a headline into confirmed evidence.</li>
  <li><strong>A fix isn’t done until it’s measured.</strong> “Switch to Brave” only counts because I
re-captured and saw <code class="language-plaintext highlighter-rouge">blocked:other</code> and 0.0 kB.</li>
  <li><strong>Privacy is a security problem.</strong> Fingerprinting is a data-protection and regulatory
exposure, not just an annoyance — the lens a Swiss or EU business actually needs.</li>
</ul>

<h2 id="source--references">Source &amp; references</h2>

<p>Full capture notes and screenshots: <a href="https://github.com/jaalso/security-research">jaalso/security-research</a>.</p>

<ul>
  <li>Fairlinked e.V. — original BrowserGate disclosure</li>
  <li><a href="https://thenextweb.com/news/linkedin-browsergate-extension-scanning-privacy-fingerprint">The Next Web — LinkedIn BrowserGate extension scanning</a></li>
  <li>EFF Cover Your Tracks — browser fingerprinting test</li>
</ul>

<hr />

<p><em>Testing was performed on my own browser and account; no LinkedIn systems were attacked
or accessed beyond normal browsing. This is independent verification of a publicly
disclosed issue.</em></p>]]></content><author><name>Jaime</name></author><category term="real-world" /><category term="privacy" /><category term="browser-fingerprinting" /><category term="devtools" /><category term="gdpr" /><category term="threat-verification" /><category term="osint" /><summary type="html"><![CDATA[When the “BrowserGate” disclosure broke in April 2026 — claiming LinkedIn’s site silently fingerprints visitors’ browsers, down to their installed extensions — I didn’t want to take the headline on faith. So I reproduced it myself in Chrome DevTools, confirmed the data was leaving my browser, then proved a one-step mitigation actually stopped it. Verify, or don’t believe it.]]></summary></entry></feed>