LinkedIn Silently Scans 6,000+ Chrome Extensions on Every Page Load

LinkedIn has been scanning 6,236 Chrome extensions on every page load while collecting device telemetry. German nonprofit Fairlinked published technical evidence, independently verified by BleepingComputer.

News
kkm-horikawa

kkm

Backend Engineer / AWS / Django

2026.04.05 · 8 min

LinkedIn has been quietly scanning 6,236 Chrome extensions every time a page loads, according to a new investigation. German nonprofit Fairlinked e.V. published a report dubbed "BrowserGate," and BleepingComputer independently verified the existence of the scanning script.

The scan targets include 509 job-search tools, over 200 products that compete with LinkedIn's own services, and extensions related to religious practices, political views, and disabilities—such as Islamic prayer time notifiers and ADHD focus aids. The combined user base of the scanned extensions totals 405 million people.

What LinkedIn Is Doing

When you open a LinkedIn page, a hidden JavaScript file executes automatically. The filename is randomly generated, making it difficult to identify at first glance.

The script uses a well-known technique called "extension fingerprinting," documented at browserleaks.com. It attempts to access file resources that Chrome extensions expose to websites—such as icons or manifest files—and determines that an extension is installed if those resources are found.

What makes this harder to notice is the timing. Security researchers have pointed out that the script uses the browser's requestIdleCallback, running only when the browser is idle. There's no visible delay or loading spinner—you just see LinkedIn.

In addition to scanning extensions, the following device data is also collected.

| Data Point | Description |
|---|---|
| CPU core count | Number of processor cores |
| Device memory | Available RAM |
| Screen resolution | Display resolution |
| Timezone | Device timezone setting |
| Language settings | Browser language |
| Battery status | Battery level and state |
| Audio info | Audio processing characteristics |
| Storage | Storage feature availability |

Combined, this data creates a highly precise "browser fingerprint" that can identify individual users. Because each person's extension setup is unique, tracking becomes possible even without cookies.

What Extensions Are Being Scanned

The core issue lies in what's on the scan list. According to the BrowserGate report, the 6,236 extensions LinkedIn checks for include the following categories.

Job search tools: 509

Extensions that help users find jobs and manage applications. This means LinkedIn is in a position to know who is secretly job hunting—on the very platform where their current employer can see their profile.

Competitor products: 200+

Sales and recruiting tools that directly compete with LinkedIn's Sales Navigator, including Apollo, Lusha, and ZoomInfo.

Religion, politics, and disability-related

The list includes extensions that notify users of Islamic prayer times, provide daily Torah readings, help ADHD users focus, and alter fonts for users with dyslexia. Under GDPR Article 9, these relate directly to "special category data"—religious beliefs, political opinions, and health data—which requires explicit consent to process.

Why This Is Becoming an Issue Now

LinkedIn's extension scanning isn't entirely new. In 2025, researchers identified about 2,000 extensions being scanned. Two months ago, a GitHub repository listed roughly 3,000. By February 2026, that number had surged to 6,236—triggering the current investigation.

The investigation was conducted by Fairlinked e.V., a German registered association of LinkedIn commercial users and tool developers. The full report and evidence pack are available at browsergate.eu.

Following the report, BleepingComputer conducted its own tests and confirmed the JavaScript file loading and the resource access attempts targeting 6,236 extensions. However, BleepingComputer could not verify claims about how the collected data is used or whether it is shared with third parties.

LinkedIn's Response vs. Fairlinked's Rebuttal

LinkedIn does not deny that it detects browser extensions. In response to BleepingComputer's inquiry, LinkedIn stated:

"To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service."

LinkedIn further stated that the data is used to "determine which extensions violate our terms" and to "inform and improve our technical defenses"—not to "infer sensitive information about members."

LinkedIn also questioned the source of the report, claiming it originated from the developer of Teamfluence, an extension that LinkedIn restricted for violating its terms. A court in Munich, Germany denied the developer's request for a preliminary injunction.

Fairlinked's counter-argument is straightforward: regardless of who published the report, BleepingComputer independently verified the technical facts. The question isn't who made the accusation—it's what LinkedIn is doing.

Where Does the Collected Data Go

The BrowserGate report identifies three separate scripts running on LinkedIn pages.

The first is a fingerprinting script served from LinkedIn's own servers. The second loads from Google. The third is an invisible tracking element from HUMAN Security (formerly PerimeterX), a US-Israeli cybersecurity company.

According to the report, the HUMAN Security element loads as a zero-pixel-wide invisible element and sets cookies without the user's knowledge. All data is encrypted before transmission, making external verification of the data flow difficult.

An important caveat: BleepingComputer confirmed the script exists but could not verify whether data is actually shared with third-party companies. The claims from Fairlinked and LinkedIn's denials remain in dispute.

GDPR and Regulatory Implications

Fairlinked e.V. argues that LinkedIn's practices may violate multiple EU regulations.

First, GDPR Article 9. Information about religion, politics, and health qualifies as "special category data," requiring explicit consent for collection. Detecting prayer time apps and ADHD support tools falls squarely within this provision.

Second, the EU's Digital Markets Act (DMA). LinkedIn was designated as a DMA "gatekeeper" in 2023. The DMA requires gatekeepers to open their platforms to third-party tools. Scanning 200+ competing sales tools and potentially using that data to disadvantage competitors would run counter to the DMA's intent.

The Munich Regional Court rejected the Teamfluence developer's injunction, but that ruling addressed whether LinkedIn's account restrictions constituted unlawful obstruction—not the legality of the scanning itself. Complaints to EU regulatory authorities across multiple member states are reportedly underway.

Does This Happen on Other Websites Too

Browser-based data collection of this kind isn't unique to LinkedIn.

In 2020, eBay was found to be port-scanning users' PCs. In that case, a script from ThreatMetrix (now under LexisNexis) was detecting remote access tools like TeamViewer to prevent fraudulent purchases.

According to gHacks Tech News, similar fingerprinting scripts have been detected on banking sites including Citibank, TD Bank, and Equifax.

However, Hacker News discussions highlight a key difference: LinkedIn is a jobs platform, and users effectively have no choice but to use it for their careers. "Other sites do it too" doesn't carry the same weight when the service is essentially mandatory for professional life.

Online Reactions

  • "Scanning 6,000 extensions is browser fingerprinting, but targeting ones tied to religion and ADHD is a different story entirely." (Hacker News)
  • "LinkedIn is essential for employment. Users literally cannot escape it. That's what makes this alarming." (Hacker News)
  • "Chrome V3's Manifest update randomizes extension IDs specifically to prevent this kind of detection. LinkedIn's approach runs counter to how browsers are designed to work." (Hacker News)

How to Check If Your Browser Is Being Scanned

There are two ways to check whether LinkedIn's scanning is active in your browser.

Method 1: Use Chrome DevTools

While logged into LinkedIn, open Chrome DevTools (F12) and switch to the "Network" tab. Reload the page, then find the large JavaScript bundle file (such as chunk.905) and search within it for chrome-extension:// or fetchExtensions. If you find matching code, the scanning script is active.

Method 2: Use the Extension Scanner

The BrowserGate project offers a Chrome extension called Extension Scanner. Once installed, it cross-references your installed extensions against 2,953 known IDs that LinkedIn actively probes, showing you exactly which of your extensions are being scanned.

Note that Chromium-based browsers (Chrome, Edge, Brave) are the targets. Firefox uses a different architecture, and the same scanning technique has not been confirmed there.
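
The two checks above can be combined offline on a bundle saved from the Network tab. The following is an added example, not code from the article, the BrowserGate project, or LinkedIn: it searches the saved source for the Method 1 markers, pulls out every extension ID it references, and cross-references them against your own IDs as Method 2 does. The function names, the sample bundle, and the IDs in it are constructed for illustration, and a real bundle may store its list differently.

```javascript
// Chrome extension IDs are 32 characters drawn from the letters a-p.
const PROBE_URL = /chrome-extension:\/\/([a-p]{32})(\/[^"'`\s)]*)?/g;
const QUOTED_ID = /["'`]([a-p]{32})["'`]/g;
// Markers from Method 1, plus the idle-time scheduler the article mentions.
const MARKERS = ['chrome-extension://', 'fetchExtensions', 'requestIdleCallback'];

// Returns the extension IDs (with any resource paths) and markers found in the source.
function analyzeBundle(source) {
  const probes = new Map(); // extension ID -> Set of resource paths seen
  const add = (id, path) => {
    if (!probes.has(id)) probes.set(id, new Set());
    if (path) probes.get(id).add(path);
  };
  // Full probe URLs written out literally.
  for (const m of source.matchAll(PROBE_URL)) add(m[1], m[2]);
  // Bare IDs in string literals, joined to the scheme at runtime.
  for (const m of source.matchAll(QUOTED_ID)) add(m[1], null);
  // A list that is encoded or split would not match; no hits is not proof of absence.
  const markers = MARKERS.filter((s) => source.includes(s));
  return { probes, markers };
}

// Method 2 equivalent: which of my installed extension IDs appear in the bundle?
// IDs are shown on chrome://extensions when Developer mode is enabled.
function crossReference(probes, installedIds) {
  return installedIds.filter((id) => probes.has(id.toLowerCase()));
}

// Constructed sample standing in for a saved bundle; all IDs are placeholders.
const SAMPLE_BUNDLE = `
  const list=[{id:"aaaabbbbccccddddeeeeffffgggghhhh",file:"icon.png"},
              {id:"ppppoooonnnnmmmmllllkkkkjjjjiiii",file:"manifest.json"}];
  function fetchExtensions(){requestIdleCallback(()=>list.forEach(e=>
    fetch("chrome-extension://"+e.id+"/"+e.file)))}
  const legacy="chrome-extension://abcdefghijklmnopabcdefghijklmnop/img/logo.svg";
`;

function report(source, installedIds) {
  const { probes, markers } = analyzeBundle(source);
  console.log('markers found:', markers.join(', ') || 'none');
  console.log('extension IDs referenced:', probes.size);
  console.log('installed and referenced:', crossReference(probes, installedIds));
}

report(SAMPLE_BUNDLE, ['abcdefghijklmnopabcdefghijklmnop']);
```

To run it on a real capture, pass the saved file's text as `source` and your own extension IDs as the second argument.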

Summary and Outlook

The fact that LinkedIn scans for 6,236 Chrome extensions on every page load has been independently verified by BleepingComputer. LinkedIn says the purpose is anti-scraping protection and platform stability, but the inclusion of extensions tied to religion, health, and political views is difficult to explain by that rationale alone.

Whether collected data is shared with third parties remains disputed between Fairlinked and LinkedIn, with no independent verification completed. The focus going forward will be on how EU regulators respond under GDPR and DMA frameworks.

For most people, not using LinkedIn isn't a realistic option. The most practical step right now is to check your browser's status using DevTools or the Extension Scanner, and to clean up any extensions you no longer need.
