LinkedIn’s Secretive Browser Extension Scanning: A Comprehensive Look
LinkedIn is secretly scanning your browser for 6,000+ extensions, and you weren’t told.
April 5, 2026 – 11:35 am
In short:
Every time you visit LinkedIn in a Chrome-based browser, a hidden JavaScript routine silently probes your browser for more than 6,000 installed extensions, collects 48 hardware and software characteristics about your device, encrypts the resulting fingerprint, and attaches it to every API request you make during your session. This practice, named "BrowserGate" by researchers, is not disclosed in LinkedIn’s privacy policy. LinkedIn claims it’s a security measure; critics argue it’s covert surveillance on a massive scale.
A routine runs undetected on your computer each time you open LinkedIn. You are not told it is there, and it isn’t mentioned in the company’s privacy policy. An investigation published in April 2026 by Fairlinked e.V., a European association of commercial LinkedIn users, revealed that LinkedIn injects a massive 2.7-megabyte JavaScript bundle into its website. This script silently scans visitors’ browsers for over 6,000 specific Chrome extensions, assembles a detailed device fingerprint, encrypts it, and transmits the data to LinkedIn’s servers, appending it to every subsequent action taken during the session.
The findings of this investigation, independently confirmed by BleepingComputer through testing, have been dubbed "BrowserGate." LinkedIn disputes several aspects of the report, though the technical details are generally agreed upon.
What the script does:
LinkedIn refers to its scanning system as "Spectroscopy." Upon loading the LinkedIn website, the script initiates up to 6,222 simultaneous requests, each targeting a specific browser extension by attempting to access associated files. The presence (or absence) of these files confirms whether an extension is installed. This operation occurs entirely in the background, without any visible prompts or notifications.
Beyond extensions, the script collects:
- CPU core count
- Available memory
- Screen resolution
- Timezone
- Language settings
- Battery status
- Audio hardware information
- Storage capacity
…and 40 additional device characteristics. Taken together, this data creates a unique fingerprint capable of identifying a user even after clearing cookies.
Once compiled, the data is converted to JSON, encrypted with LinkedIn’s RSA public key (identifier: "apfcDfPK"), and transmitted to telemetry endpoints like li/track and /platform-telemetry/li/apfcDf. This fingerprint is then permanently embedded as an HTTP header in every API request made during the session, accompanying searches, profile views, and messages sent.
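A defender-side check for the behaviour described above, as an added example that is not taken from the article, the Fairlinked report or LinkedIn's code: given a captured list of request records, it reports pages that probe many distinct chrome-extension:// IDs and requests to the telemetry paths named above. The { url, initiator } record shape, the threshold of 20, the site.example and other.example hosts and the generated extension IDs are assumptions constructed for the illustration.

```javascript
// Added example: flag extension-enumeration bursts in a captured request log.
// Assumed input (not from the article): [{ url, initiator }] records, where
// initiator is the origin of the page or extension that issued the request.
const EXT_URL = /^chrome-extension:\/\/([a-p]{32})\//; // Chrome IDs: 32 chars, a-p
const TELEMETRY_PATHS = ["/platform-telemetry/li/apfcDf", "li/track"]; // from the article

function analyzeRequests(entries, threshold = 20) { // threshold is an arbitrary assumption
  const probes = new Map(); // initiator origin -> Set of probed extension IDs
  const telemetryHits = [];
  for (const { url, initiator } of entries) {
    const m = EXT_URL.exec(url);
    if (m) {
      // An extension loading its own files is normal, not a probe.
      if (initiator === `chrome-extension://${m[1]}`) continue;
      if (!probes.has(initiator)) probes.set(initiator, new Set());
      probes.get(initiator).add(m[1]);
      continue;
    }
    let path;
    try { path = new URL(url).pathname; } catch { continue; } // skip malformed URLs
    if (TELEMETRY_PATHS.some((p) => path.includes(p))) telemetryHits.push(url);
  }
  const findings = [...probes].map(([initiator, ids]) => ({
    initiator, distinctExtensions: ids.size, flagged: ids.size >= threshold,
  }));
  return { findings, telemetryHits };
}

// Constructed sample data: fake 32-letter IDs and placeholder hosts.
const fakeId = (n) => n.toString(16).padStart(32, "0")
  .replace(/[0-9a-f]/g, (c) => "abcdefghijklmnop"[parseInt(c, 16)]);
const page = "https://site.example";
const sample = [
  ...Array.from({ length: 25 }, (_, i) => ({
    url: `chrome-extension://${fakeId(i)}/icon.png`, initiator: page })),
  { url: `chrome-extension://${fakeId(999)}/popup.js`,
    initiator: `chrome-extension://${fakeId(999)}` },          // self-load, ignored
  { url: `chrome-extension://${fakeId(500)}/a.css`, initiator: "https://other.example" },
  { url: `${page}/platform-telemetry/li/apfcDf`, initiator: page },
  { url: "not a url", initiator: page },                        // malformed, skipped
  { url: `${page}/feed/`, initiator: page },
];
console.log(JSON.stringify(analyzeRequests(sample), null, 2));
```

Counting distinct IDs per initiating origin, rather than raw request volume, keeps a page that references one known extension from being flagged alongside one that enumerates thousands.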
What it is looking for:
The script seeks to identify a wide range of browser extensions, many related to productivity, privacy, and security tools.