LinkedIn Secretly Scans 6,000+ Browser Extensions Without Your Consent

Every time you visit LinkedIn, the site secretly scans your browser for thousands of installed extensions — without your knowledge, without your consent, and without any mention in its privacy policy. That’s the bombshell finding from “BrowserGate,” an investigation by European advocacy group Fairlinked e.V. that has sent shockwaves through the tech and privacy communities this week.

The investigation reveals that LinkedIn deploys hidden JavaScript code that checks for over 6,000 Chrome extensions on every page visit, compiles the results, encrypts them, and transmits the data to LinkedIn’s servers — and potentially to third-party companies. The implications are staggering: your browser extensions can reveal your religion, political views, health conditions, neurodivergence, and whether you’re secretly job hunting on the very platform where your current employer can see your profile.

What LinkedIn Is Doing: The Technical Details

According to the BrowserGate investigation, here’s exactly how LinkedIn’s hidden scanning works:

  1. When you load any LinkedIn page in a Chrome-based browser (Chrome, Edge, Brave, Opera), hidden JavaScript executes automatically
  2. The code checks for 6,000+ specific extensions using their unique Chrome Web Store identifiers
  3. It compiles a list of which extensions you have installed
  4. The data is encrypted and transmitted to LinkedIn’s servers
  5. There is no permission prompt, no notification, and no way for most users to know it’s happening

The scan list has grown dramatically — from roughly 461 extensions in 2024 to over 6,000 by February 2026, a staggering 1,252% increase. This far exceeds what would be needed for typical bot detection, which usually checks for a handful of known automation tools.

What Your Extensions Reveal About You

This isn’t just about knowing you use an ad blocker. The BrowserGate report found that LinkedIn scans for extensions that can expose deeply sensitive personal information:

Category | What Extensions Reveal | Risk Level
Religion | Prayer time extensions, religious text readers | High — GDPR special category
Political views | Political advocacy tools, news bias checkers | High — GDPR special category
Health conditions | Accessibility tools, health tracking extensions | High — GDPR special category
Neurodivergence | Dyslexia helpers, ADHD focus tools, autism aids | High — GDPR special category
Job searching | 509 job search tools detected | Critical — visible to current employer
Developer tools | Automation, scraping, testing extensions | Medium — used for account restrictions
VPN/Privacy tools | VPN extensions, tracker blockers | Medium — reveals privacy-conscious users

The most alarming finding: LinkedIn scans for 509 job search tools. This means the platform can identify users who are actively looking for new employment — information that could be visible to recruiters, HR departments, and even their current employers browsing their LinkedIn profile.

Who Gets the Data?

The investigation alleges that LinkedIn shares this browser extension data with third-party companies, most notably HUMAN Security, an American-Israeli cybersecurity firm. While LinkedIn frames this as bot detection and platform protection, the sheer volume of extensions being scanned (6,000+) raises serious questions about whether the data collection goes far beyond security needs.

For context, a typical bot detection system checks for maybe 20-50 known automation extensions. LinkedIn’s list of 6,000+ suggests a much broader data collection objective.

The Legal Implications

Under the EU’s General Data Protection Regulation (GDPR), data revealing religious beliefs, political opinions, health conditions, or other sensitive categories is classified as “special category data” that requires explicit consent before processing. The BrowserGate investigation argues that LinkedIn’s extension scanning effectively processes this type of data without consent — a potential GDPR violation.

Fairlinked e.V. has filed legal proceedings under the EU Digital Markets Act, arguing that the scanning violates transparency requirements. If successful, this could set a precedent for how companies are allowed to interact with users’ browsers.

LinkedIn’s Response

LinkedIn has firmly denied the allegations, calling them “inaccurate.” The company stated on Hacker News that:

  • Browser detection is used solely to protect platform integrity and prevent scraping
  • The researcher behind the investigation had their account restricted due to scraping violations and Terms of Service breaches
  • The company’s actions are rooted in safeguarding user privacy and ensuring platform stability

However, privacy researchers have pointed out that the defense raises more questions than it answers. If the scanning is only for bot detection, why does the list include prayer apps, health tools, and job search extensions?

How to Protect Yourself

While there’s no way to completely prevent LinkedIn from running JavaScript on its pages (short of not using the site), here are some practical steps:

  1. Use Firefox instead of Chrome — Firefox’s extension architecture makes this type of scanning harder to execute
  2. Use LinkedIn in a separate browser profile — create a dedicated Chrome profile with no extensions installed specifically for LinkedIn
  3. Install a content blocker — tools like uBlock Origin can potentially block some of LinkedIn’s scanning scripts
  4. Use LinkedIn’s mobile app instead — the app doesn’t have access to browser extensions
  5. Disable JavaScript on LinkedIn — nuclear option that breaks most functionality but prevents scanning entirely
  6. Review your installed extensions — remove any you don’t actively use to reduce your fingerprint
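
For step 6, an added example (not code from LinkedIn, Fairlinked e.V. or the BrowserGate report) that sorts your own extensions by how easily a website could confirm they are installed. It assumes the check works by requesting a web-accessible resource under the extension's store ID, a mechanism the summary above does not spell out; the function names and sample manifests are constructed for illustration.

```javascript
// Added example: classify extension manifests by whether an arbitrary website
// could confirm the install through a fixed, ID-based resource URL (assumed mechanism).

// True if a match pattern covers arbitrary sites rather than a few named origins.
function isBroadPattern(p) {
  return p === '<all_urls>' || /^(\*|https?):\/\/\*\/\*$/.test(p);
}

// Returns 'exposed', 'limited' or 'hidden' for one parsed manifest.json.
function probeExposure(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (war.length === 0) return 'hidden';
  // Manifest V2: a flat list of paths that every web page may load.
  if (manifest.manifest_version !== 3) return 'exposed';
  let level = 'hidden';
  for (const entry of war) {
    if (!entry.resources || entry.resources.length === 0) continue;
    // use_dynamic_url is documented to serve the resource under a per-session
    // ID, so a URL built from the store ID should not resolve.
    if (entry.use_dynamic_url) continue;
    // Entries scoped only by extension_ids are never reachable from web pages.
    const matches = entry.matches || [];
    if (matches.some(isBroadPattern)) return 'exposed';
    if (matches.length > 0) level = 'limited';
  }
  return level;
}

// Map of extension ID -> parsed manifest in, list of findings out (worst first).
function auditExtensions(manifestsById) {
  const rank = { exposed: 0, limited: 1, hidden: 2 };
  return Object.entries(manifestsById)
    .map(([id, m]) => ({ id, name: m.name, exposure: probeExposure(m) }))
    .sort((a, b) => rank[a.exposure] - rank[b.exposure] || a.id.localeCompare(b.id));
}

// Constructed sample manifests; the IDs and names are placeholders.
const SAMPLE = {
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: { name: 'Legacy helper', manifest_version: 2, web_accessible_resources: ['img/icon.png'] },
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: { name: 'Focus timer', manifest_version: 3, web_accessible_resources: [{ resources: ['panel.html'], matches: ['<all_urls>'] }] },
  cccccccccccccccccccccccccccccccc: { name: 'Site tool', manifest_version: 3, web_accessible_resources: [{ resources: ['inject.js'], matches: ['https://example.com/*'] }] },
  dddddddddddddddddddddddddddddddd: { name: 'Quiet one', manifest_version: 3 },
  eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee: { name: 'Rotating', manifest_version: 3, web_accessible_resources: [{ resources: ['ui.css'], matches: ['<all_urls>'], use_dynamic_url: true }] },
};

console.log(auditExtensions(SAMPLE));
```

To audit a real profile, pass in the parsed `manifest.json` of each extension, which Chrome stores under the profile's `Extensions/<id>/<version>/` directory.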

The Bigger Picture: Browser Fingerprinting at Scale

LinkedIn’s extension scanning is part of a broader trend called browser fingerprinting — where websites collect technical details about your browser setup to create a unique identifier. While cookies can be deleted and IP addresses change, your combination of browser extensions, fonts, screen resolution, and hardware creates a nearly unique fingerprint that persists across sessions.

What makes the LinkedIn case different is the scale (6,000+ extensions), the sensitivity of the data revealed, and the lack of disclosure. Most fingerprinting happens with some degree of transparency in privacy policies. LinkedIn’s scanning reportedly has none.

With 405 million potential users affected, BrowserGate could become one of the most significant corporate privacy scandals since the Cambridge Analytica affair — and it’s happening on a platform people trust with their professional lives.

Frequently Asked Questions

Does LinkedIn scan my browser extensions?

According to the BrowserGate investigation by Fairlinked e.V., yes. LinkedIn deploys hidden JavaScript that scans for over 6,000 Chrome extensions on every page visit. LinkedIn denies the allegations, saying browser detection is used solely for platform integrity and bot prevention.

What data can LinkedIn learn from my browser extensions?

Your installed extensions can reveal sensitive information including religious beliefs (prayer apps), political views, health conditions, neurodivergence (accessibility tools), and whether you are actively job searching (509 job search tools are on the scan list).

How can I prevent LinkedIn from scanning my extensions?

Use Firefox instead of Chrome (harder to scan), use a separate browser profile with no extensions for LinkedIn, install uBlock Origin to block scanning scripts, or use LinkedIn’s mobile app instead of the web version.

Is LinkedIn’s browser extension scanning legal?

Under GDPR, processing data that reveals religion, political views, or health conditions requires explicit user consent. Fairlinked e.V. has filed legal proceedings under the EU Digital Markets Act, arguing LinkedIn’s scanning violates transparency requirements. The legal outcome is pending.