Every visit to LinkedIn triggers a silent scan. JavaScript code probes your Chrome browser for thousands of extensions. No consent. No warning in the privacy policy.
The practice runs on Chromium-based browsers like Chrome and Edge. It fires fetch() requests to chrome-extension:// URLs tied to 6,278 specific extensions, as detailed in a February 2026 analysis by 404 Privacy. Missing extensions? Chrome blocks the requests, logging failures that LinkedIn captures. Installed ones? Requests succeed quietly. Results bundle into encrypted events sent to LinkedIn’s servers via the /li/track endpoint.
A companion system called Spectroscopy combs the DOM for stray chrome-extension:// references. It catches extensions that inject content into pages. Parallel or sequential modes spread the load—Promise.allSettled() for speed, delays for stealth. The whole operation hides in a 1.6MB obfuscated script, part of LinkedIn’s APFC fingerprinting suite gathering 48 device traits: canvas hashes, WebGL details, fonts, battery levels, WebRTC IPs, and more.
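The probing described above leaves a trace a user or defender can tally. This added example (not code from LinkedIn, BrowserGate or the original article) groups chrome-extension:// requests in a network log by extension ID and flags bulk enumeration. The record shape ({url, status}), the sample entries and the threshold are constructed assumptions; extension IDs are 32 letters in the range a to p.

```javascript
// Added example. Record shape {url, status} is an assumption (status 0 = the
// request failed or was blocked); it is not a DevTools or HAR format.
const EXT_URL = /^chrome-extension:\/\/([a-p]{32})\/(.*)$/;

function summarizeExtensionProbes(records, bulkThreshold = 50) {
  const probed = new Map(); // extension id -> { paths: Set, reachable: bool }
  let malformed = 0;
  for (const { url, status } of records) {
    if (typeof url !== "string" || !url.startsWith("chrome-extension://")) continue;
    const m = EXT_URL.exec(url);
    if (!m) { malformed += 1; continue; } // no valid 32-character id in the URL
    const [, id, path] = m;
    const entry = probed.get(id) || { paths: new Set(), reachable: false };
    entry.paths.add(path);
    // A 2xx answer means the page could read a resource of that extension.
    if (status >= 200 && status < 300) entry.reachable = true;
    probed.set(id, entry);
  }
  const reachableIds = [...probed]
    .filter(([, e]) => e.reachable)
    .map(([id]) => id)
    .sort();
  return {
    distinctIds: probed.size,
    reachableIds,
    malformed,
    // Many distinct ids probed from one page is enumeration, not normal use.
    bulkEnumeration: probed.size >= bulkThreshold,
  };
}

// Constructed sample log: ids are placeholders, not real extensions.
const id = (ch) => ch.repeat(32);
const SAMPLE_LOG = [
  { url: "https://www.example.test/feed", status: 200 },
  { url: `chrome-extension://${id("a")}/icon.png`, status: 0 },
  { url: `chrome-extension://${id("b")}/manifest.json`, status: 200 },
  { url: `chrome-extension://${id("c")}/img/logo.svg`, status: 0 },
  { url: `chrome-extension://${id("b")}/popup.html`, status: 200 },
  { url: "chrome-extension://invalid/", status: 0 },
];

console.log(summarizeExtensionProbes(SAMPLE_LOG, 3));
```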
How This Builds Shadow Profiles
LinkedIn ties scans to verified identities—names, jobs, employers, networks. Detected extensions reveal job hunts via 509 tools. Religious practices through prayer timers or Torah readers. Neurodivergence with ADHD aids or dyslexia helpers. Politics from anti-Zionist taggers or content filters. Competitors like Apollo, Lusha, ZoomInfo show up too, letting LinkedIn map rival adoption across firms, as BrowserGate outlines in its report by Fairlinked e.V.
Aggregate employee data from one company. Spot patterns in security stacks, workflows, subscriptions. No direct access needed. Users unwittingly supply corporate intel. And it’s grown: 38 extensions in 2017, 461 in 2024, 6,222 by early 2026 per BrowserGate’s list. Categories span workflow tools, accessibility aids, developer kits—even grammar checkers unrelated to scraping.
BleepingComputer verified 6,236 probes in tests. A dynamically named script loads, hits extension resources, grabs CPU cores, memory, screen resolution, timezone, battery status. Independent checks match the claims. Yet LinkedIn insists it’s anti-abuse: “To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent,” per their statement to BleepingComputer.
But why scan Islamic filters like PordaAI or neurodivergent tools like Simplify? LinkedIn says no sensitive inferences. Critics see pretext. Enforcement already happened—users banned for extensions, as court testimony confirmed: “LinkedIn took action against users who had specific extensions installed,” from 404 Privacy.
Data flows beyond LinkedIn. Encrypted payloads hit HUMAN Security (ex-PerimeterX) via hidden iframes, plus Google’s reCAPTCHA. Third parties get a share without disclosure. LinkedIn’s EU gatekeeper status under the Digital Markets Act adds irony: regulators demand third-party access; LinkedIn scans to thwart it.
Lawsuits Pile On as Regulators Circle
Two California class actions hit April 8, 2026. Nicholas Farrell and Jeff Ganan sue over privacy invasions, citing California’s Constitution, computer fraud laws, and the federal Electronic Communications Privacy Act. Filings in U.S. District Court, Northern District of California, demand damages and injunctions, per Ars Technica. They quote BrowserGate heavily, allege undisclosed surveillance exceeds any policy nod to “web browser and add-ons.”
LinkedIn calls it a “house of cards built entirely upon a fabrication,” linking critics to Teamfluence, whose scraping extension got banned. A Munich court sided with LinkedIn in January 2026, upholding suspensions. The privacy policy mentions “cookies and similar technologies” for browser and add-ons data, but a search of it returned no exact hits on scanning specifics, contradicting LinkedIn’s defense to PCMag.
Germany probes deeper. The Bavarian Cybercrime Unit investigates. Fairlinked seeks donations for its fights. On X, posts from @iAnonymous3000 and @heyshrutimishra amplify the claims: Brave blocks the endpoints, scans reveal captive users’ secrets. Hacker News threads dissect the code.
Users spot it in dev tools—console errors for blocked fetches. But most don’t look. Professionals can’t quit LinkedIn easily. Scans run every load. Privacy erodes one probe at a time.
Switch browsers? Firefox evades Chrome-specific tricks. Containers isolate. But LinkedIn adapts. The list expands. Questions linger on enforcement, sales pitches tuned to rivals detected, profiles fattened silently.
This isn’t isolated. Fingerprinting arms race. Platforms guard data; users pay with exposure. LinkedIn’s scale—billion users—makes it massive. Consent? Buried. Transparency? Absent. Until courts or regulators force change.


WebProNews is an iEntry Publication