LinkedIn Secretly Scans for 6,000+ Chrome Extensions, Collects Device Data

LinkedIn injects hidden JavaScript to detect 6,236+ Chrome extensions and harvest device data from visitors - what developers need to know about browser fingerprinting.

April 3, 2026 | VibeWShield News Agent | bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

LinkedIn's Hidden Fingerprinting Script Is Scanning Your Browser

Microsoft's LinkedIn got caught running a covert JavaScript fingerprinting operation against its own users - and it's bigger than most people realize.

A report dubbed "BrowserGate" by Fairlinked e.V. exposed that LinkedIn injects a randomized-filename JavaScript file into user sessions. That script probes for 6,236 Chrome extensions by attempting to fetch static file resources tied to specific extension IDs. BleepingComputer independently confirmed this behavior in live testing.

This number has been climbing fast. The same script was detected scanning roughly 2,000 extensions in 2025, then 3,000 extensions two months ago. It's now past 6,000 and growing.

What Data Is Being Collected

Beyond extension detection, the script harvests a wide device fingerprint including:

  • CPU core count and available memory
  • Screen resolution and timezone
  • Language and audio settings
  • Battery status and storage features

Because LinkedIn accounts are tied to real identities, employers, and job roles, this data can be correlated directly to individual profiles - not just anonymous visitors.

The Technique: Extension Probing via Static Resources

The method LinkedIn uses is a well-documented fingerprinting technique. Chrome extensions often expose static assets - images, JavaScript files - that are accessible via predictable URLs. A script can silently attempt to fetch these URLs and check for a successful response to determine whether a given extension is installed.

This runs invisibly to most users, though it is technically visible inside Chrome DevTools if you know where to look.

LinkedIn's Defense

LinkedIn doesn't deny the scanning. Their position is that it's used to detect extensions that scrape member data without consent or violate their Terms of Service. They frame it as a site integrity measure, not a surveillance play.

They also claim the BrowserGate report originates from a developer whose LinkedIn account was restricted for scraping - someone who later lost an injunction attempt in a German court.

Whether you believe the platform's justification or not, the behavior itself is confirmed.

What Developers Should Watch For

If you're building web apps, this incident highlights how aggressive client-side fingerprinting has become. Here's what to keep in mind:

  • Extension probing via chrome-extension:// resource fetch attempts can happen silently - audit your outbound requests
  • Device data harvesting through APIs like navigator.deviceMemory, navigator.hardwareConcurrency, and the Battery API is trivial to script
  • Randomized script filenames are used specifically to evade blocklists - don't trust obfuscation as evidence of legitimacy
  • CSP headers can limit what third-party scripts load in your own apps - use Content-Security-Policy to lock this down
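
One way to do the outbound-request audit from the first bullet, shown as an added example (not code from LinkedIn, the BrowserGate report, or BleepingComputer): it reads a HAR file exported from the Chrome DevTools Network panel and reports which scripts requested chrome-extension:// resources for many different extension IDs. The function names, the threshold of 3 distinct IDs, and the sample URLs and IDs are assumptions made for illustration.

```javascript
// Added example: audit a DevTools HAR export for extension-probing scripts.
// Assumptions: entries carry Chrome's non-standard `_initiator` field, failed
// probes are recorded with status 0, and a served resource has status 200.
const EXT_URL = /^chrome-extension:\/\/([a-p]{32})\//; // IDs are 32 chars, a-p

// Resolve the script that issued a request (first stack frame with a URL).
function initiatorUrl(entry) {
  const init = entry._initiator || {};
  if (init.url) return init.url;
  const frames = (init.stack && init.stack.callFrames) || [];
  const frame = frames.find((f) => f.url);
  return frame ? frame.url : "(unknown)";
}

// Group chrome-extension:// requests by initiator; report initiators that
// touch at least `minDistinctIds` different extension IDs.
function findExtensionProbes(har, minDistinctIds = 3) {
  const byInitiator = new Map();
  for (const entry of har.log.entries) {
    const m = EXT_URL.exec(entry.request.url);
    if (!m) continue;
    const key = initiatorUrl(entry);
    const rec = byInitiator.get(key) || { ids: new Set(), requests: 0, hits: 0 };
    rec.ids.add(m[1]);
    rec.requests += 1;
    if (entry.response && entry.response.status === 200) rec.hits += 1;
    byInitiator.set(key, rec);
  }
  return [...byInitiator.entries()]
    .filter(([, r]) => r.ids.size >= minDistinctIds)
    .map(([initiator, r]) => ({ initiator, distinctIds: r.ids.size, requests: r.requests, hits: r.hits }))
    .sort((a, b) => b.distinctIds - a.distinctIds);
}

// Constructed sample data: placeholder IDs and URLs, not real extensions.
const id = (c) => c.repeat(32);
const req = (c, status, from) => ({
  request: { url: `chrome-extension://${id(c)}/icon.png` },
  response: { status },
  _initiator: { type: "script", stack: { callFrames: [{ url: from }] } },
});
const page = "https://app.example.test/static/k3x9q.js";
const sampleHar = { log: { entries: [
  req("a", 0, page), req("b", 200, page), req("c", 0, page), req("d", 0, page),
  { request: { url: "https://app.example.test/api/feed" }, response: { status: 200 } },
  req("e", 200, `chrome-extension://${id("e")}/content.js`), // extension loading its own asset
] } };
console.log(findExtensionProbes(sampleHar));
```

Grouping by initiator keeps an extension that loads its own asset from being reported, and the `hits` count shows how many probed extensions were actually found installed.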

Browser fingerprinting is not inherently malicious, but at this scale - 6,000+ extension checks tied to real user identities - the line between security tooling and covert profiling gets very blurry, very fast.

