LinkedIn Covert Browser Extension Scanning Program Targets 6,236 Extensions and Fingerprints Visitors' Devices

In 2025, researchers first identified that LinkedIn's website was executing JavaScript code designed to detect approximately 1,000 browser extensions installed on visitors' machines. The technique is well-documented in browser fingerprinting research: JavaScript probes for specific resource files (icons, manifest files, CSS assets) that extensions install in predictable directory paths. If the resource loads, the extension is present. If it returns an error, it is not.

LinkedIn uses content-hashed bundle filenames that change with each deployment - making the scanning code harder to locate through static analysis or URL-based detection.

By December 2025, independent researchers documented that LinkedIn's scanning list had grown to 5,459 extensions. By April 2026, the list had reached 6,236 extensions - indicating active, ongoing expansion of the surveillance program.

" The report documented the full scope of the extension scanning, the device telemetry collection, and the competitive intelligence implications. LinkedIn responded by restricting the report author's account for "violating terms of service" - a retaliatory action that mirrors the platform's documented pattern of using account restrictions to suppress criticism. The researcher filed for a preliminary injunction through a German court (Case No. 37 O 104/26, Landgericht München I). The case status is pending.

BleepingComputer independently verified the scanning behavior, confirming that LinkedIn's JavaScript actively enumerates extensions and collects device telemetry from visitors' browsers. LinkedIn acknowledged the program's existence but framed it as a defensive measure. The company stated that the detection "protects the platform" by identifying extensions that "scrape data without members' consent or otherwise violate LinkedIn's Terms of Service." LinkedIn also stated it does "not use this data to infer sensitive information about members."

The "platform protection" justification does not explain why LinkedIn scans for grammar checkers, language tools, and tax preparation software. These extensions do not scrape LinkedIn data. Their presence in the scanning list indicates that LinkedIn's program is not limited to detecting unauthorized scrapers - it is a broad-spectrum software inventory of visitors' machines.

Browser extension fingerprinting exploits a structural property of Chromium-based browsers. Each installed extension stores its resources (HTML, CSS, JavaScript, images) in a predictable directory path keyed to the extension's unique identifier. Web pages can attempt to load these resources via standard web APIs. If the resource loads successfully, the extension is installed. If it fails, it is not.

LinkedIn's implementation follows this established pattern but adds two layers of sophistication. First, the scanning code uses content-hashed bundle filenames and obfuscated variable names, making it resistant to detection by security tools that rely on signature matching or keyword analysis. Second, the scanning list of 6,236 extensions is comprehensive enough to function as a near-complete software inventory - far exceeding what would be necessary to detect a handful of unauthorized scraping tools.

LinkedIn internally refers to this system as APFC (Anti-fraud Platform Features Collection), also codenamed 'DNA.'

The device telemetry collection runs alongside the extension scanning. estimate() (available storage). This combination of data points produces a device fingerprint with high entropy - meaning it can uniquely identify most visitors even without cookies. The Electronic Frontier Foundation's research on browser fingerprinting has demonstrated that the combination of screen resolution, timezone, installed plugins, and hardware characteristics can uniquely identify over 94% of browsers.

This is the same class of surveillance technique that eBay deployed in 2020, when the company was caught running port scans against visitors' computers to detect remote access tools and fraud indicators. eBay's port scanning generated significant backlash and regulatory scrutiny.

Of the 6,236 extensions LinkedIn scans for, over 200 are products that directly compete with LinkedIn's premium offerings - Sales Navigator, Recruiter, and LinkedIn Learning. The targeted competitor products include:

Apollo.io - a sales intelligence platform that enriches LinkedIn profile data with email addresses and phone numbers for outbound prospecting. Lusha - a contact data provider that overlays direct dial numbers and email addresses on LinkedIn profiles. ZoomInfo - an enterprise B2B intelligence platform that aggregates professional contact data from multiple sources including LinkedIn. Additional categories include CRM integration tools, email finder extensions, recruiter workflow tools, and professional networking assistants.

By detecting which visitors use competitor products, LinkedIn gains intelligence on competitor adoption rates, user demographics, geographic distribution, and usage patterns - all without those companies' knowledge or consent. A user who has Apollo installed is a sales professional likely paying for a LinkedIn alternative. A user with Lusha installed is circumventing LinkedIn's paywall for contact data. This intelligence has direct commercial value for LinkedIn's product strategy, pricing decisions, and competitive positioning.

The remaining 6,000+ extensions in the scanning list include categories entirely unrelated to LinkedIn's platform: grammar and writing assistants (Grammarly, LanguageTool), translation tools, password managers, ad blockers, accessibility tools, developer utilities, and tax preparation software. LinkedIn has not explained why detecting a tax professional's browser extensions constitutes "platform protection."

• Installed browser extensions - a software inventory of 6,236 programs, revealing professional tools (CRM, sales intelligence, recruiting), personal tools (grammar, translation, accessibility), security tools (password managers, VPNs, ad blockers), and specialized software (tax preparation, developer tools). Extension data reveals occupation, employer type, professional function, disability status (accessibility tools), language proficiency, and security practices.
• CPU core count - hardware specification revealing device age, capability, and price tier.
• Available memory - hardware specification enabling device classification (budget vs. professional vs. enterprise).
• Screen resolution - display configuration revealing device type (mobile, laptop, desktop, multi-monitor), manufacturer, and model range.
• Timezone - geographic location to the regional level.
• Language settings - native language and additional languages, indicating national origin, immigration status, and multilingual capability.
• Battery status - reveals whether the device is mobile, current charge level, and charging state - a known high-entropy fingerprinting vector that Firefox removed entirely in 2017 and Chrome restricted to secure contexts due to its fingerprinting potential - the W3C added privacy mitigations to the specification but did not deprecate it.
• Audio configuration - hardware audio properties that vary by device, providing additional fingerprinting entropy.
• Storage features - available disk space and storage quotas, varying by device and contributing to unique identification.

The combination of these data points creates a device fingerprint that persists across browsing sessions, survives cookie deletion, and can be used to track users across websites if the fingerprint data is shared with or accessible to third parties. LinkedIn collects this data from every visitor to its platform without explicit consent, without a visible privacy disclosure at the point of collection, and without providing an opt-out mechanism.