Security researchers report that Microsoft’s LinkedIn platform is running hidden scripts on its site to check users’ browsers for installed extensions. A newly published investigation, named BrowserGate by its authors, claims LinkedIn’s pages inject a large JavaScript bundle that probes for over 6,000 specific Chrome extensions and gathers device details.
The findings come from Fairlinked e.V., a European LinkedIn user group, and have been confirmed by tech media. The report says the code links extension data to real user profiles and sends it to LinkedIn’s servers.
According to the report and independent testing, the hidden script runs each time a user opens LinkedIn in a Chrome-based browser. It fires thousands of simultaneous requests, each attempting to load a file unique to a particular extension ID. If a file returns, the extension is deemed installed. Bleeping Computer verified this behavior and found a script that checked for 6,236 browser extensions by attempting to access file resources for each ID.
The script reportedly contains identifiers for more than 6,200 extensions. The entire scan happens in milliseconds and is invisible to the user. In the process, the code also collects 48 device attributes to build a hardware/software fingerprint.
A Threat to Data and Privacy!
Analysts warn that the list of extensions being probed includes more than just LinkedIn-related tools. It reportedly covers 509 job search extensions, including Indeed, Glassdoor, and Monster. Additionally, extensions linked to religion, politics, or disability support, along with over 200 sales or recruitment competitors.
Because LinkedIn profiles show names, employers, and roles, knowing which extensions a user runs can reveal personal details. For example, someone may be job hunting or have a particular faith. EU regulators classify data on religion, health, or political views as sensitive, meaning that collecting it without consent may violate privacy laws.
Fairlinked’s report notes the extension list soared from about 461 identifiers in 2024 to over 6,000 by February 2026.
What LinkedIn Has to Say on the Issue?
LinkedIn says it does check for certain extensions, but only for security reasons. In statements to the media, a company spokesperson called the published claims ‘plain wrong’ and noted the report came from someone whose LinkedIn account was restricted for scraping. LinkedIn said it looks for extensions that violate its terms to ‘protect the privacy of our members’.
The firm emphasized that it does not use this data to infer sensitive information about users. LinkedIn did not dispute detecting extensions but did not address whether any data is shared with third parties.
Why Should Users Be Concerned?
Millions of LinkedIn users on Chrome-based browsers are subject to this hidden scan with no way to opt out as of now. The investigation has caught the attention of privacy experts and EU regulators, since LinkedIn already faced a major GDPR fine in 2024 for other data practices. This can pose significant privacy issues for the over 1.2 million active LinkedIn users across 200 nations.
Follow our timely news updates to stay aligned with every major happening in the tech-driven world.
Also Read:
How Can Social Media Users Manage Their Privacy Settings Effectively?
