DEV Community

Alan West

LinkedIn Is Scanning Your Browser Extensions. Yes, All of Them.

Open LinkedIn in Chrome right now. While you're scrolling through another "I'm humbled to announce" post, JavaScript is quietly running in your browser, probing your installed extensions one by one. Not a handful of them. Thousands.

This isn't speculation. It's documented, investigated, and already the subject of a legal case in Munich.

What LinkedIn Is Actually Doing

A German nonprofit called Fairlinked e.V. published findings showing that LinkedIn executes hidden JavaScript on page load that systematically probes for Chrome extensions. The technique is straightforward: for each extension on a list, the script tries to load a known file from that extension's chrome-extension://<id>/ URL. If the file loads, the extension is installed. If the load fails, it is not (or it does not expose that file to web pages).

The scan covers somewhere between 2,900 and 6,000+ extensions depending on the session and timing. The results are encrypted and sent to LinkedIn's servers as well as to HUMAN Security, the bot-detection company formerly known as PerimeterX.

Here's a simplified version of how extension detection works in any browser. This is not LinkedIn's exact code, but it demonstrates the core technique:

// Extensions expose files at chrome-extension://<id>/path
// Attempting to load a known resource reveals installation status.
// Only files the extension lists under web_accessible_resources can be
// loaded by a page; anything else fails exactly as if the extension
// were not installed. Manifest V3 extensions that set use_dynamic_url
// serve their files from a per-session random ID, so a probe against
// the static store ID misses them.

function checkExtension(extensionId, resourcePath) {
  return new Promise((resolve) => {
    const img = new Image();
    // onload fires only when the file exists, is web-accessible, and is
    // an image (icons usually are). A blocked file, a missing extension,
    // or a non-image file all fire onerror; fetch() works for any type.
    img.onload = () => resolve({ id: extensionId, installed: true });
    img.onerror = () => resolve({ id: extensionId, installed: false });
    img.src = "chrome-extension://" + extensionId + "/" + resourcePath;
  });
}

// Scan a list of known extension IDs, each entry shaped like
// { id: "<32 chars a-p>", knownResource: "icons/icon48.png" }
async function scanExtensions(extensionList) {
  const results = await Promise.all(
    extensionList.map((ext) =>
      checkExtension(ext.id, ext.knownResource)
    )
  );
  return results.filter((r) => r.installed);
}

The method exploits a fundamental design decision in Chrome's extension architecture: web-accessible resources. An extension declares in its manifest which of its files web pages may load, and any page allowed to load a file can also observe whether the load succeeds. Manifest V3 lets an extension restrict each resource to a list of page origins (matches) and, with use_dynamic_url, serve it from a random per-session ID instead of the fixed chrome-extension://<id>/ URL. Extensions that expose their icons or injected assets to every site, however, remain detectable from any page, and those are the entries a scan list can probe.

What Extensions They're Scanning For

This is where it gets uncomfortable. Among the 2,900+ extensions in the scan list:

509 are job-search tools -- extensions that help users find jobs on competing platforms, compare salaries, or automate applications. LinkedIn is effectively surveilling whether you're using tools that compete with its core business.

Over 200 are sales and recruiting applications. Tools like Apollo, Lusha, and similar extensions that recruiters use to extract contact information. LinkedIn Premium competes directly with these tools.

Then there are extensions that have nothing to do with professional networking. Accessibility tools. Ad blockers. Extensions associated with specific religious communities, political orientations, and neurodivergent users. The scan makes no distinction. It probes everything on the list.

The Privacy Policy Says Nothing

LinkedIn's privacy policy does not mention browser extension scanning. Users are not asked for consent. There is no opt-out toggle buried in settings. No banner. No disclosure of any kind.

This matters legally, especially in the EU. Under GDPR, processing personal data requires a lawful basis. Extension fingerprinting can reveal special categories of personal data -- religion, political beliefs, health conditions -- which Article 9 prohibits processing unless an exception such as explicit consent applies.

Fairlinked e.V. has already filed a legal case in Munich and is actively looking for additional plaintiffs to join the action against Microsoft (LinkedIn's parent company). As of publication, neither LinkedIn nor Microsoft has issued a public response.

How to Check for Yourself

You can observe this behavior using Chrome DevTools. Open the Network panel first and then load LinkedIn, because the scan runs on page load. Filter the request list for chrome-extension:// and each probe appears as a request for a file under some extension ID, succeeding for extensions you have installed and failing for the rest. Separately, filter for the requests to HUMAN Security endpoints that carry the results.

A more direct approach is to use a request interceptor:

// Paste into the DevTools Console on linkedin.com, then trigger a new
// page load. The scan runs on page load, so hooks installed from the
// console afterwards only see later probes; for full coverage run the
// same code from a user script at document-start instead.
const PROBE_RE = /chrome-extension:\/\/([a-p]{32})\//;

function logProbe(kind, url) {
  const m = PROBE_RE.exec(String(url));
  if (m) console.warn("[Extension Probe via " + kind + "]", m[1], url);
}

// fetch(): the first argument may be a string, a URL, or a Request object
const originalFetch = window.fetch;
window.fetch = function (...args) {
  const input = args[0];
  logProbe("fetch", input instanceof Request ? input.url : input);
  return originalFetch.apply(this, args);
};

// XMLHttpRequest-based probes
const originalOpen = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function (method, url, ...rest) {
  logProbe("XHR", url);
  return originalOpen.call(this, method, url, ...rest);
};

// Element-based probes: hooking the src/href setter on the prototype
// covers both new Image() and document.createElement("img"), plus
// <script> and <link> loads. Note that setAttribute("src", ...)
// bypasses these setters; the Network panel still shows those loads.
function hookUrlProperty(proto, prop, kind) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  Object.defineProperty(proto, prop, {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(value) {
      logProbe(kind, value);
      desc.set.call(this, value);
    },
  });
}
hookUrlProperty(HTMLImageElement.prototype, "src", "Image");
hookUrlProperty(HTMLScriptElement.prototype, "src", "Script");
hookUrlProperty(HTMLLinkElement.prototype, "href", "Link");

You can also use uBlock Origin's logger to watch the outbound requests to LinkedIn and HUMAN Security endpoints that carry the results. The payload is encrypted, so what you will see is that the data leaves, not what it says.
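Seeing a single probe is not by itself evidence of scanning: a site may legitimately check for its own companion extension, which touches exactly one extension ID. What distinguishes an inventory is the number of distinct IDs probed in a short window. The following is an added example (not LinkedIn's, Fairlinked's, or any tool's code) that turns a captured probe log into that verdict. The log format ("epoch milliseconds, ok/err, URL"), the sample lines, the extension IDs, and the threshold of five distinct IDs are all constructed assumptions for this example; a real scan list runs to thousands.

```javascript
// Classify a captured log of chrome-extension:// loads as a targeted
// companion-extension check or a bulk extension inventory.
// Log line format (assumed): "<epoch_ms> <ok|err> <url>", where ok/err
// records whether the load succeeded (extension present) or failed.

// Chrome store extension IDs are 32 characters drawn from a-p.
const EXT_URL_RE = /^chrome-extension:\/\/([a-p]{32})\/(.*)$/;

function parseProbeLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 3) return null;
  const [ts, outcome, url] = parts;
  const m = EXT_URL_RE.exec(url);
  if (!m || !/^\d+$/.test(ts)) return null; // not an extension probe
  return { ts: Number(ts), present: outcome === "ok", id: m[1], path: m[2] };
}

// minDistinct: how many distinct extension IDs before we call it a scan.
// 5 is an arbitrary assumption for this example; a companion-extension
// check touches one ID, a real inventory touches thousands.
function analyzeProbes(lines, { minDistinct = 5 } = {}) {
  const probes = lines.map(parseProbeLine).filter(Boolean);
  const ids = new Set(probes.map((p) => p.id));
  const present = [...new Set(probes.filter((p) => p.present).map((p) => p.id))];
  const times = probes.map((p) => p.ts);
  const spanMs = probes.length ? Math.max(...times) - Math.min(...times) : 0;
  let verdict;
  if (ids.size === 0) verdict = "no extension probes";
  else if (ids.size >= minDistinct) verdict = "bulk extension scan";
  else verdict = "targeted check";
  return { probes: probes.length, distinctIds: ids.size, present, spanMs, verdict };
}

// Constructed sample: six distinct IDs probed within ~30 ms, two present,
// one unrelated request and one malformed line that must be ignored.
const SCAN_LOG = [
  "1700000000100 err chrome-extension://abcdefghijklmnopabcdefghijklmnop/icon.png",
  "1700000000104 ok  chrome-extension://hgfedcbaponmlkjihgfedcbaponmlkji/icons/48.png",
  "1700000000109 err chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/assets/logo.svg",
  "1700000000115 err chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/img/a.png",
  "1700000000121 ok  chrome-extension://abababababababababababababababab/content.css",
  "1700000000130 err chrome-extension://cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd/icon16.png",
  "1700000000131 err chrome-extension://cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd/icon32.png",
  "1700000000150 ok  https://www.example.com/api/track",
  "1700000000160 err chrome-extension://notavalidid/icon.png",
];

// Constructed sample: a site checking twice for its own extension.
const COMPANION_LOG = [
  "1700000001000 ok chrome-extension://efefefefefefefefefefefefefefefef/bridge.js",
  "1700000001005 ok chrome-extension://efefefefefefefefefefefefefefefef/bridge.js",
];

console.log("scan log:", analyzeProbes(SCAN_LOG));
console.log("companion log:", analyzeProbes(COMPANION_LOG));
```

The "present" list is the interesting output for a privacy review: it is exactly the inventory the page would have been able to send, and unlike the encrypted upload it is readable.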

Why "Nothing to Hide" Doesn't Apply

The reflexive response to surveillance disclosures is always the same: "I have nothing to hide." But extension scanning isn't about hiding. It's about informed consent and power asymmetry.

Your installed extensions form a behavioral fingerprint. Someone running a screen reader, a prayer-time reminder, and a job-search aggregator paints a specific picture -- one that was never meant to be transmitted to a third-party ad-tech company during a LinkedIn session.

Extension fingerprinting is also a tracking mechanism. Even if you clear cookies, block trackers, and use private browsing, your unique combination of installed extensions can identify you across sessions and across websites. It's a supercookie that lives in your browser's extension directory.

For developers specifically, extension scanning reveals your toolchain. It can expose whether you're using competitive intelligence tools, security testing extensions, or debugging utilities that might indicate what you're working on. That information has commercial value.

What You Can Do

The practical options are limited but worth knowing:

Use Firefox. Firefox serves extension files from moz-extension:// URLs whose host is a random UUID generated per installation, so a page cannot guess the URL to probe. Chrome gives every installation of a store extension the same fixed ID, which is what makes a shared scan list work.

Use separate browser profiles. Keep a clean Chrome profile with zero extensions for LinkedIn and other sites you don't trust with your extension inventory.

Review your extensions' manifest files. The ID shown under chrome://extensions names the extension's folder under your profile's Extensions directory, and its manifest.json is there. Extensions that declare web_accessible_resources are the ones vulnerable to probing; in Manifest V3 the entries that matter are those whose matches cover the sites you visit and that do not set use_dynamic_url. Extensions that declare no accessible resources can't be detected this way, though they may still give themselves away by the changes they make to a page.
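The following is an added example (not the page's or any extension's code) of doing that manifest review programmatically: given a parsed manifest.json and the URL of a page, it reports whether that page can probe the extension by a fixed chrome-extension://<id>/ URL. It covers the Manifest V2 form (a flat list of paths, reachable from every origin) and the Manifest V3 form (entries with resources, matches and use_dynamic_url), which is the distinction drawn in the web-accessible resources discussion above. The match-pattern check is a simplified one (scheme, host and path, no port handling), and the four sample manifests are constructed for this example, not real extensions.

```javascript
// Decide whether a page at pageUrl can probe an extension's files from
// its manifest. Sample manifests below are constructed, not real.

// Minimal Chrome match-pattern check: "<all_urls>", "*://*/*",
// "https://*.example.com/*", "https://example.com/path/*".
function matchPattern(pattern, pageUrl) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host, path] = m;
  const u = new URL(pageUrl);
  const pageScheme = u.protocol.slice(0, -1);
  // "*" as scheme means http or https only
  if (scheme === "*" ? !/^https?$/.test(pageScheme) : scheme !== pageScheme) return false;
  if (host === "*") {
    // any host
  } else if (host.startsWith("*.")) {
    const base = host.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith("." + base)) return false;
  } else if (host !== u.hostname) {
    return false;
  }
  const pathRe = new RegExp("^" + path.split("*").map(escapeRe).join(".*") + "$");
  return pathRe.test(u.pathname);
}

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns { exposure, resources } for a page at pageUrl:
//   "none"    - nothing is web-accessible to this page
//   "dynamic" - resources exist but only under a per-session random ID
//               (use_dynamic_url), so a probe by the static ID fails
//   "static"  - resources load from chrome-extension://<id>/..., probeable
function probeExposure(manifest, pageUrl) {
  const war = manifest.web_accessible_resources || [];
  const resources = [];
  let dynamicOnly = true;
  if (manifest.manifest_version === 2) {
    // MV2: flat list of paths, accessible from every origin
    resources.push(...war);
    dynamicOnly = false;
  } else {
    for (const entry of war) {
      // MV3 entries with only extension_ids (no matches) are not reachable
      // from web pages at all
      const matches = entry.matches || [];
      if (!matches.some((p) => matchPattern(p, pageUrl))) continue;
      resources.push(...(entry.resources || []));
      if (!entry.use_dynamic_url) dynamicOnly = false;
    }
  }
  if (resources.length === 0) return { exposure: "none", resources };
  return { exposure: dynamicOnly ? "dynamic" : "static", resources };
}

// Constructed sample manifests (not real extensions)
const MV2_MANIFEST = {
  manifest_version: 2,
  name: "Sample MV2",
  web_accessible_resources: ["icons/icon48.png", "inject.js"],
};
const MV3_OPEN_MANIFEST = {
  manifest_version: 3,
  name: "Sample MV3, icons exposed to every site",
  web_accessible_resources: [{ resources: ["icons/*.png"], matches: ["<all_urls>"] }],
};
const MV3_SCOPED_MANIFEST = {
  manifest_version: 3,
  name: "Sample MV3, scoped and dynamic",
  web_accessible_resources: [
    { resources: ["ui/panel.html"], matches: ["https://*.example.com/*"], use_dynamic_url: true },
  ],
};
const NO_WAR_MANIFEST = { manifest_version: 3, name: "Sample with no web_accessible_resources" };

const PAGE = "https://www.linkedin.com/feed/";
for (const manifest of [MV2_MANIFEST, MV3_OPEN_MANIFEST, MV3_SCOPED_MANIFEST, NO_WAR_MANIFEST]) {
  const r = probeExposure(manifest, PAGE);
  console.log(manifest.name + ": " + r.exposure, r.resources);
}
```

Run it against the manifests from your own profile to see which of your extensions a page on any origin can enumerate; the "static" ones with an <all_urls> match are the ones a shared scan list can find.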

Follow the Munich case. If you're an EU resident and have used LinkedIn, you may have standing to join the legal action. Fairlinked e.V. is actively seeking plaintiffs.

The broader question is whether this behavior will prompt Chrome to rethink web-accessible resources entirely. Until then, every website you visit has the technical capability to inventory your extensions. LinkedIn just happens to be the one that got caught doing it at scale.
