Waalaxy is extremely dangerous for your LinkedIn account

Linked Helper
Jul 7, 2022

Waalaxy (ex ProspectIn) is a Chrome extension for LinkedIn automation. They do black-hat marketing, claiming that other solutions are unsafe for LinkedIn automation, although Waalaxy itself has a fragile architecture from a security point of view. I will show you why.

The article will be a little bit for techies, but there is no other way to deal with such a subject.

How can we analyze a Chrome extension if we don’t have its source code? Actually, due to Chrome store policies — all extensions must have readable, not minimized or obfuscated code — we have access to it.

First of all, let’s go to your Chrome extensions list:

…and switch on the Developer mode:

Now, on the Waalaxy extension tile, let’s click “Inspect views background page”:

And now we see the Waalaxy source code:

And here we can see really dumb things. The LinkedIn website uses some of these API end-points to report your browser and behavior telemetry and, more importantly, to send the signs and fingerprints of the Chrome extensions it has found, like Waalaxy.

So what did Waalaxy do to avoid detection? They just blocked the above-listed LinkedIn API end-points via the standard Chrome extensions webRequest API: https://developer.chrome.com/docs/extensions/reference/webRequest/.

Is it a good solution? Definitely not and here is why:

Let’s imagine I’m a LinkedIn software engineer, and my boss told me to shut down Chrome extensions for LinkedIn automation, like Waalaxy. After 5 minutes of analyzing the Waalaxy source code, I quickly see how they avoided the LinkedIn detection algorithm.

What can I do with that? It’s super easy: as they hardcoded LinkedIn reporting API end-points, I can just change the technical names of these end-points, for example:

www.linkedin.com/platform-telemetry/ -> www.linkedin.com/v2/platform-telemetry/

Or even go further — for each user I can have a unique end-point name, so only LinkedIn servers will be able to understand what end-point has been encrypted within this particular request:

www.linkedin.com/platform-telemetry/ -> https://www.linkedin.com/c70c518cc40b9419ded6082441e615cb

As all end-points are hardcoded within Waalaxy code, the extension will still block all API requests — this way LinkedIn will successfully find out that you’re using Waalaxy.
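
An added example (not code from Waalaxy, LinkedIn or this article) of the renaming argument above, seen from the server side: a per-user end-point name derived with an HMAC, then checked against a hardcoded blocklist. The secret, user IDs, function names and the simplified substring matching are assumptions made for illustration.

```javascript
// Added illustration; not code from Waalaxy, LinkedIn or the article.
const nodeCrypto = require("crypto");

// Constructed stand-in for an extension's hardcoded URL blocklist.
const STATIC_BLOCKLIST = ["www.linkedin.com/platform-telemetry/"];

// Hypothetical server-side secret and logical end-point names.
const SERVER_SECRET = "constructed-demo-secret";
const LOGICAL_ENDPOINTS = ["platform-telemetry"];

// Server: derive an opaque per-user path for a logical end-point.
function perUserPath(logicalName, userId, secret = SERVER_SECRET) {
  return nodeCrypto
    .createHmac("sha256", secret)
    .update(`${userId}:${logicalName}`)
    .digest("hex")
    .slice(0, 32);
}

// Server: map an incoming opaque path back to its logical end-point.
function resolvePath(path, userId, secret = SERVER_SECRET) {
  const got = Buffer.from(path);
  for (const name of LOGICAL_ENDPOINTS) {
    const want = Buffer.from(perUserPath(name, userId, secret));
    if (got.length === want.length && nodeCrypto.timingSafeEqual(got, want)) {
      return name;
    }
  }
  return null;
}

// Client: simplified substring matching over a fixed list of URL patterns.
function isBlocked(url, blocklist = STATIC_BLOCKLIST) {
  return blocklist.some((pattern) => url.includes(pattern));
}

// Compare the original, renamed and per-user URLs against the blocklist.
function demo(userId) {
  const urls = {
    original: "https://www.linkedin.com/platform-telemetry/",
    renamed: "https://www.linkedin.com/v2/platform-telemetry/",
    perUser: `https://www.linkedin.com/${perUserPath("platform-telemetry", userId)}`,
  };
  return Object.fromEntries(
    Object.entries(urls).map(([kind, url]) => [kind, isBlocked(url)])
  );
}

console.log(demo("user-1001")); // constructed user ID
```

Only the server, which holds the secret, can map the opaque path back to `platform-telemetry`; a fixed list of names has nothing to match against.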

Now let’s check how Waalaxy automates your activity, such as connection requests.

Waalaxy’s dangerous way of sending LinkedIn connection requests via API

They just send API requests to the LinkedIn server in order to send a connection request on your behalf.

Is it ok? NO! As you can see, the whole API request is hardcoded. So if LinkedIn decides to add some technical information to the request that is unique to each user (for example, a unique name and value in the request headers), it can easily detect that the connection requests sent by Waalaxy are different from the connection requests sent by the LinkedIn website.

Safe alternative

Don’t start to panic just yet — you can switch to a safe alternative: Linked Helper 2 https://www.linkedhelper.com/

Linked Helper 2 is not a Chrome extension! It’s a web browser like Chrome. In order to automate your activity, such as connection requests, Linked Helper 2 neither calls the LinkedIn API nor inserts its code snippets into the LinkedIn page. Linked Helper 2 really reproduces your activity, such as text typing, mouse-clicking or page scrolling. You can see it in this video:
