LinkedIn secretly scans for 6,000+ Chrome extensions and collects device data
LinkedIn’s website uses hidden JavaScript to scan visitors’ browsers for over 6,000 Chrome extensions and collect device data such as CPU cores, memory, screen resolution, timezone, battery status, and more. The “BrowserGate” report claims LinkedIn links this information to user profiles, potentially gathering sensitive personal and corporate data and using it to target competitors or act on policy violations. LinkedIn denies misusing the data and says the scans are for detecting extensions that violate its terms; independent testing confirmed the script’s activity and scope. This incident highlights broader concerns about aggressive fingerprinting practices by major web platforms.

A new report circulating in privacy circles has raised alarms about the way LinkedIn may be fingerprinting visitors to its site. The study, titled BrowserGate, alleges that Microsoft’s professional networking platform runs hidden JavaScript during user sessions to scan visitors’ browsers for thousands of installed extensions, then ties the results to identifiable LinkedIn profiles. The core claim is that this technique allows LinkedIn to assemble highly granular fingerprints of visitors, associating them with real identities, employers, and roles, and using that data to infer business relationships and competitive activity.
According to the researchers behind BrowserGate, the mechanism is not limited to a narrow subset of extensions. The report contends that LinkedIn injects a script capable of probing for thousands of browser add-ons—an approach that would enable the platform to detect whether particular extensions are present and operational within a user’s browser. The claim is that the platform maps the presence of these extensions to individual accounts, and that the collected data is used to profile corporate customers, potentially revealing which companies are engaging with competing sales tools.
The report emphasizes that LinkedIn is able to detect extensions that “directly compete with its own sales tools,” listing products and categories such as Apollo, Lusha, and ZoomInfo as examples. The implication is that LinkedIn can chart which companies use certain competitor tools by cross-referencing extension fingerprints with employer information already available on user accounts. In this view, the data gathering extends beyond mere technical defense: it becomes a way to assemble customer lists for thousands of software vendors by observing the tools their employees install in their browsers, without explicit notice to users.
Independent testing described in the article supports the core claim: a JavaScript file with a randomized filename is loaded when users visit LinkedIn, and that script purportedly attempts to access resources tied to specific extension IDs to determine whether those extensions are installed. The testing notes a fingerprinting approach that aligns with known techniques used to detect Chrome extensions, where the presence or absence of certain files or URLs indicates whether an extension is present in the browser. The report points to earlier experiments and community-shared data sets that appear to show a growth in the number of detectable extensions over time, suggesting an expanding fingerprinting surface.
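The resource-probing pattern described above leaves a recognizable trace in a network capture. The following added example (not code from the report or from LinkedIn) groups `chrome-extension://` requests by the script that issued them and flags enumeration; the `{url, initiator}` record shape, the threshold, and the sample data are assumptions constructed for illustration.

```javascript
// Added example: audits captured requests for extension probing.
// The {url, initiator} record shape and the threshold are assumptions.

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXT_URL = /^chrome-extension:\/\/([a-p]{32})\/(.*)$/;

// Constructed sample capture; IDs and hostnames are placeholders.
const id = (ch) => ch.repeat(32);
const SAMPLE_REQUESTS = [
  { url: "https://site.example/api/feed", initiator: "https://site.example/app.js" },
  { url: `chrome-extension://${id("a")}/img/icon.png`, initiator: "https://site.example/static/k3x9.js" },
  { url: `chrome-extension://${id("b")}/popup.html`, initiator: "https://site.example/static/k3x9.js" },
  { url: `chrome-extension://${id("c")}/content.css`, initiator: "https://site.example/static/k3x9.js" },
  { url: `chrome-extension://${id("a")}/img/icon.png`, initiator: "https://site.example/static/k3x9.js" },
  { url: `chrome-extension://${id("d")}/ui.js`, initiator: "https://site.example/widget.js" },
];

// Group extension-resource requests by the page script that issued them.
function summarizeExtensionProbes(requests, threshold = 3) {
  const byInitiator = new Map();
  for (const { url, initiator } of requests) {
    const m = EXT_URL.exec(url);
    if (!m) continue; // ordinary web request
    const entry = byInitiator.get(initiator) || { ids: new Set(), count: 0 };
    entry.ids.add(m[1]);
    entry.count += 1;
    byInitiator.set(initiator, entry);
  }
  // One script touching resources of many distinct extensions is enumerating
  // what is installed, not loading an asset from a single known extension.
  return [...byInitiator].map(([initiator, e]) => ({
    initiator,
    distinctExtensions: e.ids.size,
    requests: e.count,
    enumeration: e.ids.size >= threshold,
  }));
}

console.log(summarizeExtensionProbes(SAMPLE_REQUESTS));
```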
The numbers cited in the report have fluctuated as new evidence has emerged. An earlier version of the fingerprinting effort reportedly detected about 2,000 extensions, while subsequent publicly available resources suggested detections in the mid-range of 3,000 extensions. The latest figures cited by BrowserGate push beyond 6,000 extensions, illustrating how the fingerprinting scope has grown. The core takeaway for proponents of BrowserGate is that the frequency and breadth of detected extensions have continued to increase, signaling a large and evolving library of potential fingerprints that can be tied to individual users.
Among the visible artifacts of LinkedIn’s fingerprinting activity are screenshots and examples of the extensions the script purportedly searches for. Some of the detected extensions, the report notes, are not obviously LinkedIn-related; language and grammar tools, typical productivity add-ons, and other seemingly unrelated utilities also appear in the list. The breadth of detected extensions raises questions about the underlying methodology and what, if any, privacy boundaries are being crossed in the process of extension detection.
In addition to enumerating extensions, the script collects a broad array of device and browser data. Reported data captures include CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio information, and storage features. The implication is that the fingerprint goes beyond which extensions are installed to a more complete profile of a user’s device characteristics—data that can be combined with account information to form a robust, reusable fingerprint for cross-site tracking or targeted analysis.
BleepingComputer, which published its own coverage of BrowserGate, notes that it could not independently verify every claim about how LinkedIn uses the collected data or whether it is shared with third parties. Still, the outlet observed the fingerprinting activity firsthand in testing and highlighted how fingerprinting has historically been used to create unique browser profiles that enable cross-site tracking, a longstanding privacy concern in the web ecosystem.
LinkedIn has publicly responded to BrowserGate with a denial of the more dramatic interpretations of the report. The company stated that it does not use collected data to infer sensitive personal information about members. Instead, LinkedIn asserted that it detects specific extensions to protect the platform and its users from tools that scrape data without consent or that violate LinkedIn’s Terms of Service. The company explained that some extensions provide static resources—like images or JavaScript—that LinkedIn can detect by checking whether the extension’s static resource URL exists. This detection is described as a defensive measure designed to protect member data, safeguard site stability, and identify situations where excessive data scraping might be occurring.
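Whether a static resource URL can be checked from a web page depends on how the extension declares `web_accessible_resources` in its manifest. This added example (not LinkedIn's or any extension's own code) audits a manifest for resources a given origin could test for; the sample manifest is constructed and match-pattern handling is simplified to `scheme://host/*` and `<all_urls>`.

```javascript
// Added example: which extension resources can a given origin test for?
// Simplified match-pattern handling (scheme://host/* and <all_urls> only).

// Does a match pattern cover the given page origin?
function patternCoversOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const p = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\/\*$/.exec(pattern);
  const o = /^(https?):\/\/([^/:]+)/.exec(origin);
  if (!p || !o) return false;
  const [, scheme, host] = p;
  if (scheme !== "*" && scheme !== o[1]) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return o[2] === base || o[2].endsWith("." + base);
  }
  return o[2] === host;
}

// Resources a page at `origin` can request at a stable, predictable URL.
function probeableResources(manifest, origin) {
  const exposed = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") { // Manifest V2: exposed to every origin
      exposed.push(entry);
      continue;
    }
    if (entry.use_dynamic_url) continue; // URL is per-session, not tied to the ID
    if ((entry.matches || []).some((m) => patternCoversOrigin(m, origin))) {
      exposed.push(...entry.resources);
    }
  }
  return exposed;
}

// Constructed manifest fragment for a hypothetical extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["img/logo.png"], matches: ["<all_urls>"] },
    { resources: ["inject.js"], matches: ["https://*.crm.example/*"] },
    { resources: ["panel.html"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};

console.log(probeableResources(SAMPLE_MANIFEST, "https://www.social.example"));
```

An extension author can shrink this list by narrowing `matches` to the origins that actually need the resource and by setting `use_dynamic_url` where the resource does not need a fixed address.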
LinkedIn’s statement also frames BrowserGate as the product of a dispute involving a developer of a LinkedIn-related browser extension called Teamfluence. The company asserted that the report originated from an account holder who had been restricted for scraping and other violations of LinkedIn’s terms. In the company’s view, the BrowserGate narrative is a rehashing of that dispute rather than a broad description of LinkedIn’s data practices. The company contends that while automated data collection can raise questions under its terms of use, it does not use the data to infer sensitive information about members.
From a legal perspective, the issue has some precedent. Documents shared with press outlets indicate that a German court previously denied a preliminary injunction sought by the Teamfluence developer, finding no unlawful obstruction or discrimination by LinkedIn. The court’s analysis suggested that automated data collection could still implicate LinkedIn’s terms of use and that the platform has the right to block accounts to protect its ecosystem. The ruling did not label LinkedIn’s actions as fully lawful across all contexts, but it did signal that LinkedIn could pursue measures to control data scraping within the bounds of its terms.
Regardless of the specifics of BrowserGate and the court’s nuanced position, one point remains clear to observers: LinkedIn relies on a fingerprinting script that can detect thousands of extensions within a Chromium-based browser, accompanied by a suite of additional system data. The existence of such a script aligns with a broader class of fingerprinting technologies that have been deployed by several organizations in the past, sometimes with controversial outcomes.
Historical context helps frame the current debate. In 2021, for example, eBay was reported to have used JavaScript to perform automated port scans on visitors’ devices in an effort to determine whether users were running remote-access tools. While the precise motives behind that specific behavior remain a matter of debate, the broader pattern—websites employing script-based fingerprinting to identify software running on a user’s device—has been well documented. Over time, other well-known sites and institutions have been associated with similar fingerprinting activities, underscoring how pervasive the practice can be across diverse sectors.
The BrowserGate discourse thus sits at the intersection of privacy, security, and platform governance. It raises persistent questions about the line between legitimate defensive measure and invasive tracking. Proponents of fingerprinting point to the need to protect platforms from abuse, fraud, or terms-of-service violations, while critics argue that the same techniques can erode user anonymity and enable sophisticated profiling that users do not explicitly consent to.
In the end, BrowserGate contributes to an ongoing conversation about browser fingerprinting as a general technique and about the specific practices of large professional networks. It highlights how a widely used service can gather a surprising amount of metadata about a visitor’s environment, sometimes under the banner of security or compliance. As legal determinations unfold and as other researchers continue to examine the practical implications, the dialog around consent, transparency, and user control is likely to intensify. For now, the core takeaway is clear: fingerprinting remains a powerful, contentious tool in the web privacy toolbox, capable of revealing a rich portrait of a user’s software and hardware footprint, even when the intent is described as protective rather than exploitative.