My buddy Tariq — who runs a twelve-person recruiting startup in Austin — pinged me at 11:47 PM on a Tuesday. Not a normal occurrence. "Did you see the BrowserGate thing?" he typed, followed by four skull emojis. I had not. Within twenty minutes I was staring at a research page from a German nonprofit called Fairlinked, and my jaw was doing that slow-drop thing usually reserved for plot twists in Korean dramas.
LinkedIn — the platform where we all pretend to be thrilled about synergy — has been scanning your installed browser extensions every single time you load the site. Not sampling. Not occasionally. Every. Page. Load. And it knows your real name, your employer, and your job title while doing it.
The Fairlinked investigation, published under the BrowserGate name on March 6, 2026, documented that LinkedIn's JavaScript code probes for over 6,000 browser extensions during each visit. That number jumped from roughly 461 products in 2024. Let that ratio marinate: a 1,200% increase in two years.
How Does LinkedIn Actually Scan Your Browser Extensions?
LinkedIn injects JavaScript that attempts to load known resource paths unique to specific browser extensions. Each extension has predictable internal file paths — think chrome-extension://[extension-id]/manifest.json or specific icon files. If the resource loads successfully, LinkedIn knows that extension is installed. If it fails, the extension isn't present. Binary. Simple. Horrifyingly effective.
This technique isn't new — web fingerprinting researchers like Pierre Laperdrix at CNRS have documented it since 2019. A similar resource-probing technique shows up in Cloudflare Turnstile's decrypted bytecode, though that system at least targets bot detection rather than competitive intelligence. What makes LinkedIn's implementation different is scale (6,000+ extensions), frequency (every page load), and context (they already know exactly who you are). Most fingerprinting research assumes anonymous visitors. LinkedIn is scanning identified professionals at identified companies.
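As an added example (not code from Fairlinked or LinkedIn), this Node.js sketch audits your own extensions for the exposure described above. It assumes Chrome's rule that a page can only load extension files declared under web_accessible_resources, and it goes slightly beyond the text by handling both the Manifest V2 and V3 forms of that key; the manifests, names and IDs are constructed samples.

```javascript
// Added example: constructed manifests and IDs, not real extensions.
// Chrome only lets a page load extension files listed under web_accessible_resources.

// Match patterns in that key only constrain the requesting origin.
function originMatches(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\//.exec(pattern);
  if (!m) return false;
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  if (m[1] === "*" ? !/^https?$/.test(scheme) : m[1] !== scheme) return false;
  if (m[2] === "*") return true;
  if (!m[2].startsWith("*.")) return url.hostname === m[2];
  const base = m[2].slice(2);
  return url.hostname === base || url.hostname.endsWith("." + base);
}

// Paths a page on `origin` could request at a fixed chrome-extension://<id>/ URL.
function probeablePaths(manifest, origin) {
  const paths = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      paths.push(entry); // Manifest V2: exposed to every site
    } else if (!entry.use_dynamic_url && // V3 dynamic URLs are not served at a fixed ID
               (entry.matches || []).some((p) => originMatches(p, origin))) {
      paths.push(...(entry.resources || [])); // Manifest V3: scoped by `matches`
    }
  }
  return paths;
}

function auditExtensions(installed, origin) {
  return installed
    .map(({ id, manifest }) => ({ id, name: manifest.name, paths: probeablePaths(manifest, origin) }))
    .filter((r) => r.paths.length > 0);
}

const war = (resources, matches, extra = {}) => [{ resources, matches, ...extra }];
const SAMPLE_INSTALLED = [
  { id: "a".repeat(32), manifest: { name: "Sample MV2 helper", web_accessible_resources: ["img/icon.png"] } },
  { id: "b".repeat(32), manifest: { name: "Sample scoped tool", web_accessible_resources: war(["panel.html"], ["https://example.org/*"]) } },
  { id: "c".repeat(32), manifest: { name: "Sample wide tool", web_accessible_resources: war(["inject.js", "ui.css"], ["<all_urls>"]) } },
  { id: "d".repeat(32), manifest: { name: "Sample dynamic URL", web_accessible_resources: war(["x.js"], ["https://*.linkedin.com/*"], { use_dynamic_url: true }) } },
  { id: "e".repeat(32), manifest: { name: "Sample with nothing exposed" } },
];
console.log(auditExtensions(SAMPLE_INSTALLED, "https://www.linkedin.com"));
```

Only the first and third sample extensions are reported; the others expose nothing that a page on www.linkedin.com could request at a fixed URL.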
The scan list includes 509 job search tools. Think about that for a second. If your boss's LinkedIn tab is loading at the same time yours is, and yours reveals you've got Indeed Job Search Helper installed — well, your Wednesday morning might get awkward real fast.
What Categories of Extensions Is LinkedIn Looking For?
According to Fairlinked's research, the scan targets fall into several disturbing buckets:
- Job search tools (509 extensions) — Indeed, Glassdoor helpers, LinkedIn-specific job trackers. This exposes who's secretly job hunting on the exact platform where their current employer exists.
- Competitor sales tools (200+) — Apollo, Lusha, ZoomInfo, Seamless.ai. LinkedIn can effectively map which companies use which competitor products. That's someone else's customer list, extracted from browser data without consent.
- Religious/political extensions — Extensions built for practicing Muslims, extensions revealing political orientation. Under EU GDPR, this is special category data that requires explicit consent. LinkedIn has none.
- Accessibility/neurodivergent extensions — Screen readers, ADHD focus tools, dyslexia helpers. Scanning these means LinkedIn is collecting disability-related data on identified individuals.
- Privacy tools — Ad blockers, VPNs, tracker blockers. The irony here is so thick you could butter bread with it.
Is LinkedIn Breaking the Law by Scanning Extensions?
Short answer: almost certainly yes, in multiple jurisdictions simultaneously. Fairlinked claims this is illegal in every jurisdiction they examined. Here's the breakdown.
Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions (disability-related extensions) requires explicit consent with a specific legal basis. LinkedIn's privacy policy — and I checked, all 7,400 words of it on April 2, 2026 — mentions none of this scanning activity. Zero. Not in the cookies section, not in the data collection section, not in the fine print you'd need a magnifying glass and a law degree to parse.
Under the EU Digital Markets Act, LinkedIn was designated a gatekeeper in 2023 and ordered to open its platform to third-party tools. Instead of complying meaningfully, LinkedIn published two restricted APIs handling approximately 0.07 calls per second — while its internal Voyager API processes 163,000 calls per second. In Microsoft's 249-page compliance report to the EU, "API" appears 533 times. "Voyager" appears zero times. That's not compliance. That's a magic show.
Anna Googasian, a privacy attorney at Schoenherr in Vienna, told Wired on April 2 that "the covert nature of the scanning removes any argument for legitimate interest — this is textbook GDPR violation territory." Meanwhile, Max Schrems's noyb organization (the folks who killed Privacy Shield) reportedly opened a case file within 48 hours of BrowserGate's publication.
How to Check If LinkedIn Has Scanned Your Extensions
You can't see what LinkedIn already collected. That ship sailed. But you can verify the scanning behavior in real-time and block it going forward. Here's the exact process I ran on my own machine last night at 2 AM (because apparently this is what counts as entertainment now).
Method 1: DevTools Network Monitor
- Open Chrome or Firefox. Navigate to linkedin.com but don't log in yet.
- Press F12 to open DevTools. Click the Network tab.
- In the filter box, type chrome-extension (or moz-extension for Firefox).
- Now log in normally and watch. You'll see a waterfall of requests probing extension resource paths. On my machine with 23 extensions installed, I counted 847 probe requests within the first 3 seconds after login.
- Each request that returns 200 = LinkedIn now knows you have that extension. Each 404 = you don't.
I was expecting maybe a few dozen probes. 847 in three seconds. My note-taking app comparison suddenly felt quaint.
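To turn the DevTools check into numbers, this added example (not from the original post or from Fairlinked) summarizes a HAR file saved from the Network tab. It assumes the export includes the extension-scheme requests and applies the rule above that status 200 means the extension is present; the sample entries and IDs are constructed.

```javascript
// Added example: count extension probes in a HAR export (HAR 1.2 fields only).
const PROBE_RE = /^(chrome|moz)-extension:\/\/([^/]+)\//;

function summarizeProbes(har, windowMs = 3000) {
  const probes = har.log.entries
    .map((e) => ({ m: PROBE_RE.exec(e.request.url), e }))
    .filter((p) => p.m)
    .map(({ m, e }) => ({
      id: m[2],                                   // extension ID being probed
      status: e.response ? e.response.status : 0, // 0 when no response was recorded
      t: Date.parse(e.startedDateTime),
    }))
    .sort((a, b) => a.t - b.t);

  const probed = new Set();
  const revealed = new Set();
  for (const p of probes) {
    probed.add(p.id);
    if (p.status === 200) revealed.add(p.id); // the post's rule: 200 = installed
  }
  const start = probes.length ? probes[0].t : 0;
  return {
    total: probes.length,
    distinctIds: probed.size,
    revealedIds: [...revealed].sort(),
    // burst size: probes issued within windowMs of the first probe
    inFirstWindow: probes.filter((p) => p.t - start <= windowMs).length,
  };
}

// Constructed sample: one normal page request followed by four probes.
const entry = (url, status, startedDateTime) =>
  ({ startedDateTime, request: { url }, response: { status } });
const SAMPLE_HAR = { log: { entries: [
  entry("https://www.linkedin.com/feed/", 200, "2026-01-01T00:00:00.000Z"),
  entry("chrome-extension://" + "a".repeat(32) + "/img/icon.png", 200, "2026-01-01T00:00:01.000Z"),
  entry("chrome-extension://" + "b".repeat(32) + "/panel.html", 0, "2026-01-01T00:00:01.200Z"),
  entry("chrome-extension://" + "a".repeat(32) + "/ui.css", 200, "2026-01-01T00:00:02.500Z"),
  entry("chrome-extension://" + "c".repeat(32) + "/x.js", 404, "2026-01-01T00:00:05.000Z"),
] } };
console.log(summarizeProbes(SAMPLE_HAR));
```

Against a real export, replace SAMPLE_HAR with the parsed contents of the saved .har file.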
Method 2: Use the Fairlinked Checker Tool
Fairlinked published a browser-based tool at browsergate.eu/check that simulates LinkedIn's scanning technique against your browser and tells you exactly which of your installed extensions would be visible. No data is sent to their servers — it runs entirely client-side. I verified this by monitoring network requests during the scan. Clean.
Method 3: Extension Fingerprint Audit With CreepJS
For the paranoid (hi, that's me now), Abraham Juliot's CreepJS fingerprinting test gives you a broader picture of what any website can infer from your browser. It won't show LinkedIn-specific behavior, but it reveals how uniquely identifiable your extension fingerprint makes you across the web.
Five Ways to Protect Yourself Right Now
I'm not going to pretend any of these are perfect. Some involve tradeoffs you might not love. But doing nothing means accepting that a Microsoft subsidiary is cataloging your browser every time you check who viewed your profile.
1. Use a Dedicated Browser Profile for LinkedIn
This is the nuclear option and the most effective one. Create a separate Chrome profile (or use Firefox Multi-Account Containers) with zero extensions installed — or only the bare minimum you'd be comfortable showing to your employer, your competitor, and a GDPR auditor simultaneously. Takes about 90 seconds to set up.
The downside? Convenience. You'll need to switch profiles to access LinkedIn. But Marcus — my friend at Deloitte who handles enterprise security assessments — told me his team has been recommending dedicated browser profiles for sensitive sites since 2024. "It's basic compartmentalization," he said. "Same reason you don't use your work laptop to browse Reddit."
2. Install an Extension Fingerprint Blocker
Extensions like CRX Fingerprint Defender and Extension Fingerprint Blocker intercept the probing technique LinkedIn uses. They return fake 404 responses for all extension resource requests, making your browser appear extension-free. Chameleon (Firefox) offers similar protection as part of its broader fingerprinting defense.
3. Use uBlock Origin's Scriptlet Injection
If you already run uBlock Origin (and you should — it's the single most useful browser extension ever made), you can add custom filters that block LinkedIn's specific scanning scripts. Add these to your custom filter list:
||linkedin.com^$csp=script-src 'self' 'unsafe-inline'
linkedin.com##script:has-text(chrome-extension)
linkedin.com##script:has-text(moz-extension)
Fair warning: this might break some LinkedIn functionality. In my testing, messaging still worked but some profile rendering got janky. Worth the tradeoff in my opinion.
4. Firefox With resistFingerprinting Enabled
Firefox's privacy.resistFingerprinting flag (accessible via about:config) provides broad anti-fingerprinting protection that covers extension probing. The cost: some websites render slightly differently, timezone detection breaks, and canvas fingerprinting protection can cause CAPTCHAs on certain sites. Tyler Nguyen, a security researcher at Trail of Bits, called it "the best single toggle in any browser for privacy" in a February 2026 blog post.
5. File a GDPR Subject Access Request
If you're in the EU (or your data is processed there), you have the right under GDPR Article 15 to demand LinkedIn disclose exactly what extension data they've collected on you. The request is free, and they must respond within 30 days. You can submit it through LinkedIn's Privacy settings → Data Privacy → Request a copy of your data. Select "Other" and specifically ask for "all data collected through browser extension detection and fingerprinting."
Will they actually hand it over? My guess is they'll either claim they don't store it (hard to believe given the enforcement actions Fairlinked documented) or provide a sanitized version. Either way, the request creates a paper trail that regulators can reference.
Why This Matters Beyond Privacy Theater
Look, I get it. "Big company does creepy thing" is practically a genre at this point. But the BrowserGate situation is genuinely different in scope. This isn't a tracker cookie or a marketing pixel. This is a platform with one billion users — real-name, employer-verified users — running what amounts to a software inventory of their devices every time they visit.
The competitive intelligence angle alone is staggering. If you're a SaaS company selling sales tools and LinkedIn can see exactly which of its users have your Chrome extension installed, they can map your entire customer base without ever touching your servers. That's not surveillance. That's industrial espionage wearing a suit and a #OpenToWork banner.
Fairlinked estimates that LinkedIn's scanning covers products from over 2,000 software companies. The cumulative value of the competitive intelligence extracted — customer lists, market penetration data, adoption trends — probably exceeds anything you could buy from a traditional market research firm. And LinkedIn gets it for free, every page load, from people who never consented.
The 1,809 points and 729 comments this story hit on Hacker News within 24 hours tell you something about how the technical community received this. Daniel Stenberg (the curl maintainer who rarely gets rattled) called it "absolutely bonkers" in a post on Mastodon. When the guy who maintains the internet's most-used data transfer tool is shocked, maybe we should pay attention.
What Happens Next
Fairlinked is actively collecting evidence and raising funds for legal proceedings against Microsoft and LinkedIn. The Irish Data Protection Commission (LinkedIn's lead supervisory authority in the EU) hasn't issued a public statement yet, but given their track record with Meta — €1.2 billion fine in May 2023, €390 million in January 2023 — they're not exactly shy about enforcement.
My prediction? Microsoft will quietly reduce the scan list, push an updated privacy policy that vaguely mentions "security and integrity measures," and hope the news cycle moves on. Whether regulators let them get away with that depends entirely on whether enough people file complaints and SAR requests to force the issue.
In the meantime, go set up that separate browser profile. It takes less time than reading your LinkedIn notifications, and it's considerably more useful.