LinkedIn is Secretly Scanning Your Browser for 6,000+ Extensions, And Never Told You

Every time you open LinkedIn, hidden JavaScript hunts through your browser for 6,000+ extensions, and you were never told.


April 2026 dropped a bombshell on the tech community. The platform long considered the “safe” corner of the internet, the professional sanctuary free from the invasive tracking of its social media peers, is now at the centre of one of the most significant privacy controversies of the year. The story has a name: BrowserGate. And the platform at the centre of it is LinkedIn.


What Is Actually Happening?

Every time you open LinkedIn in a Chrome-based browser, hidden JavaScript silently scans your computer for installed software extensions, without your knowledge, without your consent.

The disclosure comes from Fairlinked e.V., a European association representing commercial LinkedIn users. According to their BrowserGate investigation, LinkedIn injects a 2.7-megabyte JavaScript bundle into its website that silently scans visitors’ browsers for the presence of more than 6,000 specific Chrome extensions, assembles a detailed fingerprint of their hardware, encrypts it, and transmits the result to LinkedIn’s servers, where it is attached to every subsequent action taken during the session.

The most alarming part? The practice is not disclosed in LinkedIn’s privacy policy.


The Scale: From Dozens to Thousands

This practice actually dates back to 2017, when LinkedIn was scanning for just 38 extensions. By 2024, that number had grown to 461. By February 2026, it had exploded to 6,167, a 1,252% increase.

BleepingComputer independently confirmed the fingerprinting script. The script also harvests CPU core count, available memory, screen resolution, time zone, language settings, and battery status.

The results are not just sent once. The fingerprint payload is encrypted and then injected as an HTTP header into every subsequent API request made during the user’s session, meaning LinkedIn receives your fingerprint with every single action you take.


What Your Extensions Reveal About You

This is where BrowserGate moves from a technical curiosity into a genuine privacy crisis.

BrowserGate researchers identified the following high-risk categories among the 6,222 tracked extensions: 509 job search tools, including extensions for Indeed, Glassdoor, and Monster, exposing users secretly looking for work on the very platform where their current employer can see their profile; religious belief indicators such as Islamic prayer time extensions; political orientation markers like partisan fact-checking tools; disability and neurodivergent tools including ADHD management apps, autism support extensions, and screen readers; and 200+ direct competitor products including Apollo, Lusha, and ZoomInfo.

Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors; it is searching identified people at identified companies. Millions of companies. Every day. All over the world.

Under GDPR, data that reveals religious beliefs, political opinions, or health conditions is not merely regulated; it is prohibited from being processed without explicit consent.


LinkedIn’s Defence, and Its Limits

LinkedIn told BleepingComputer that the scanning is used to detect extensions that scrape data or otherwise violate its terms of service: “To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent.”

LinkedIn also stated that the BrowserGate campaign was driven by someone whose account had been restricted for scraping, and that a German court denied that individual’s request for a preliminary injunction against LinkedIn, finding the platform was within its rights to block accounts engaged in automated data collection.

However, the contents of the scan list tell a different story. An independent commenter on Hacker News spent two minutes searching the full extension list and found Amazon image downloaders, delivery schedulers, pharmacy operations tools, and product scanners, none of which have any obvious connection to LinkedIn data scraping. That makes LinkedIn’s “anti-scraping only” justification very difficult to accept at face value.


Where Does the Data Go?

According to the report, harvested data is shared with HUMAN Security, a cybersecurity firm founded in Brooklyn in 2012. In 2022, the company merged with Israeli firm PerimeterX, whose co-founders are ex-officers of Unit 8200, a cyber warfare division within the Israeli Defence Forces. LinkedIn has not independently confirmed this data-sharing arrangement.


Why Enterprises Should Be Alarmed

This is not just an individual privacy issue. If an employee uses LinkedIn and has internal corporate tools or specialised dev-ops plugins installed in their browser, LinkedIn can effectively inventory that company’s entire software stack, without anyone’s knowledge or consent. For CISOs, this represents a serious shadow IT exposure: a third-party platform silently mapping your organisation’s internal tooling through your employees’ browsers.


The Legal and Regulatory Landscape

Fairlinked e.V. has filed legal proceedings under the EU’s Digital Markets Act, arguing that the scanning violates the DMA’s transparency requirements for designated gatekeepers.

The EU designated LinkedIn as a regulated gatekeeper in 2023 and ordered it to open its platform to third-party tools. LinkedIn’s response was to publish two restricted APIs that together handle approximately 0.07 calls per second, while simultaneously expanding its surveillance scan list from 461 to over 6,000 entries.

LinkedIn was fined for EU privacy violations in October 2024. A separate January 2025 lawsuit accused the platform of training AI on users’ private InMail messages. BrowserGate is the latest chapter in an expanding pattern of data collection controversies surrounding the Microsoft-owned platform.


How to Protect Yourself

Switching to Firefox is the most effective mitigation; Firefox blocks this class of extension probing by default. If you are locked into a Chromium browser for work, browsing LinkedIn in a dedicated profile with no extensions installed prevents the scan from surfacing anything meaningful.

Brave browser already blocks the key tracking endpoints by default, targeting the /sensorCollect endpoint and a hidden iframe from li.protechts.net. A Brave staffer confirmed on X that the blocking is intentional.
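For teams that want to check a browser capture for the two indicators named above, the following Node.js example is an addition to this article, not code from Fairlinked, Brave or LinkedIn. It scans a HAR export for the /sensorCollect path and the li.protechts.net host; the sample entries are constructed and the function names are illustrative.

```javascript
// Added example: flag HAR entries matching the two indicators the article names.
// Only the host and the path segment come from the article; all URLs below are constructed.
const INDICATOR_HOST = 'li.protechts.net';
const INDICATOR_SEGMENT = 'sensorcollect'; // "/sensorCollect", compared case-insensitively

function classify(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return []; // malformed URL in the capture: nothing to match
  }
  const reasons = [];
  const host = url.hostname.toLowerCase();
  if (host === INDICATOR_HOST || host.endsWith('.' + INDICATOR_HOST)) {
    reasons.push('host:' + INDICATOR_HOST);
  }
  // Match a whole path segment so "/docs/sensorCollectors" is not a hit.
  if (url.pathname.split('/').some((s) => s.toLowerCase() === INDICATOR_SEGMENT)) {
    reasons.push('path:/sensorCollect');
  }
  return reasons;
}

function findIndicators(har) {
  const entries = (har && har.log && Array.isArray(har.log.entries)) ? har.log.entries : [];
  const hits = [];
  for (const entry of entries) {
    const req = entry.request || {};
    const reasons = classify(req.url || '');
    if (reasons.length > 0) {
      hits.push({ time: entry.startedDateTime, method: req.method, url: req.url, reasons });
    }
  }
  return hits;
}

// Constructed sample capture (not real traffic).
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-04-10T09:00:00Z', request: { method: 'GET', url: 'https://www.linkedin.com/feed/' } },
  { startedDateTime: '2026-04-10T09:00:01Z', request: { method: 'POST', url: 'https://www.linkedin.com/sensorCollect?sample=1' } },
  { startedDateTime: '2026-04-10T09:00:02Z', request: { method: 'GET', url: 'https://li.protechts.net/sample.html' } },
  { startedDateTime: '2026-04-10T09:00:03Z', request: { method: 'GET', url: 'https://example.com/docs/sensorCollectors' } },
  { startedDateTime: '2026-04-10T09:00:04Z', request: { method: 'GET', url: 'not a url' } },
] } };

for (const hit of findIndicators(SAMPLE_HAR)) {
  console.log(hit.time, hit.method, hit.url, hit.reasons.join(','));
}
```

The article does not name the HTTP header that carries the encrypted fingerprint, so this check covers only the endpoint and the iframe host.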

Safari users are less likely to be affected by this specific mechanism, as Apple’s browser model limits fingerprinting surfaces and reduces how much information sites can infer from installed extensions.

A Chrome extension called “Extension Scanner, BrowserGate” has also been published to the Chrome Web Store, letting you instantly check which of your installed extensions appear on LinkedIn’s scan list. The full 6,222-entry database is searchable at browsergate.eu/extensions.


The Bottom Line

Two things are clear from BrowserGate. First, the technical reality: this invisible data collection is happening at scale across a platform with one billion users, with no disclosure and no user-facing setting to stop it. Second, the context: LinkedIn’s anti-scraping defence has some merit, but a 6,000+ entry scan list that includes accessibility tools, prayer time reminders, and job search assistants goes far beyond what bot detection requires.

The 2026 push for governed and transparent AI and data practices is built on precisely the premise that invisible data collection of this kind should not be the default. Whether regulators move quickly enough to change that default at LinkedIn’s scale remains to be seen.

Until they do, the line between a professional network and a device fingerprinting machine has never been thinner.

Desi Dozz