LinkedIn secretly scans for over 6,000 Chrome extensions, collects data

April 5, 2026

Microsoft's professional network is cataloging your browser add-ons without explicit consent.

In a revelation that highlights the ongoing tension between platform security and user privacy, Microsoft’s LinkedIn has been found to be systematically scanning visitors' browsers for a list of over 6,000 installed Chrome extensions. The practice, dubbed "BrowserGate" by the security researcher who discovered it, involves a hidden script that collects data on user browser configurations, raising significant questions about transparency and the potential for detailed user profiling.

Background: The "BrowserGate" discovery

The issue was brought to light in a detailed report published on February 20, 2024, by security researcher Michael K. His investigation found that LinkedIn's website automatically executes a JavaScript file designed to probe for the presence of thousands of specific browser extensions. When a user visits LinkedIn on a Chromium-based browser like Google Chrome, Microsoft Edge, or Brave, this script runs in the background, effectively taking an inventory of certain add-ons.

LinkedIn has since confirmed the practice. In a statement provided to BleepingComputer, the company asserted that the data collection is for benign purposes. "We use this information for security and fraud prevention purposes, to keep our members safe, and to prevent abuse on our platform," a spokesperson said. The company also claimed it only collects "non-identifiable data" and does not share it with third parties. However, privacy advocates and the original researcher argue that the scope of the scan and the lack of explicit user consent are deeply concerning.

Technical details: How the scan works

The mechanism behind LinkedIn's scan is both simple and effective. It relies on a JavaScript file, `browser-extensions-v8-l.js`, which contains a list of over 6,000 unique extension IDs. For each ID on its list, the script utilizes the `chrome.runtime.sendMessage` API call. This function is a standard way for a web page to communicate with a specific browser extension.

The script doesn't need to read the extension's data; it simply checks for a response. If an extension with a matching ID is installed and active, it will acknowledge the `sendMessage` request. The script interprets this successful connection as confirmation of the extension's presence. Upon detection, it logs the extension's unique ID and its version number. This collected information is then transmitted back to LinkedIn's servers.

The list of targeted extensions is remarkably diverse, covering nearly every category of browser add-on, including:

  • Security and Privacy Tools: Ad blockers like uBlock Origin, privacy guards, and extensions for VPN service providers.
  • Password Managers: Popular tools such as LastPass, 1Password, and Bitwarden.
  • Developer Tools: A wide range of debugging and web development aids.
  • Financial Tools: Cryptocurrency wallets and financial service extensions.
  • Productivity and Social Media Add-ons: Note-takers, grammar checkers, and social media enhancers.

This is not a software vulnerability or a malicious attack in the traditional sense. It is a data collection feature deliberately built into LinkedIn's own website code. The primary concern is not that the site is compromised, but rather what the platform is choosing to do with its access to a user's browser environment.

Impact assessment: A profile in extensions

The primary impact is on the privacy of every individual using a Chromium-based browser to access LinkedIn. While the company claims the data is "non-identifiable," this assertion is debatable in context. The unique combination of extensions installed in a browser can create a highly specific fingerprint, which, when combined with an authenticated LinkedIn session, can hardly be considered anonymous.

The collection of this data enables highly detailed user profiling. An individual's choice of browser extensions can reveal a great deal about their interests, habits, and affiliations:

  • Professional Role: The presence of specific developer tools, design software extensions, or marketing analytics add-ons can indicate a user's job function with high accuracy.
  • Security Posture: Knowledge that a user has multiple ad blockers, privacy tools, and a password manager suggests a security-conscious individual. Conversely, a lack of these could signal a potentially more vulnerable target for social engineering.
  • Personal Interests: Shopping coupon extensions, cryptocurrency wallets, or grammar checkers reveal hobbies, financial activities, and even writing habits.

While LinkedIn states this data is for fraud prevention—for instance, to detect automated bots that typically lack a normal user's extension profile—the potential for this data to be used for other purposes, now or in the future, remains a significant risk. In the event of a data breach at LinkedIn, a threat actor could gain access to this list of extensions, providing them with valuable reconnaissance information for crafting targeted phishing or malware attacks against specific users based on their known software stack.

How to protect yourself

While users cannot directly prevent LinkedIn's servers from running this script, there are several steps you can take to mitigate this and similar forms of browser fingerprinting.

  1. Use a Non-Chromium Browser: The specific detection method used by LinkedIn relies on a `chrome.runtime` API call. Browsers like Mozilla Firefox, which are not built on the Chromium engine, are not susceptible to this exact scanning technique.
  2. Employ Script Blockers: Advanced browser extensions like uBlock Origin (in medium or hard mode) or NoScript can be configured to block first-party scripts, including the one LinkedIn uses for its scan. This requires some technical configuration, as blocking all scripts can break website functionality.
  3. Limit Your Extensions: Regularly audit the extensions installed in your browser. Remove any that you no longer use or trust. A minimalist approach reduces your digital footprint and attack surface, making you harder to profile.
  4. Review Privacy Policies: While often dense, privacy policies are where companies are supposed to disclose their data collection practices. The fact that this specific, extensive scan was not clearly articulated in LinkedIn's policy is a key part of the controversy.
  5. Compartmentalize Your Browsing: Consider using separate browsers or browser profiles for different activities. For example, use one browser for professional networking sites like LinkedIn and another for personal browsing to prevent cross-context profiling.

The "BrowserGate" incident serves as a stark reminder that data collection on the modern web is often invisible and far more extensive than users assume. LinkedIn's justification of security is a common one used by platforms to engage in browser fingerprinting. However, without transparent disclosure and explicit user consent, such practices will continue to erode user trust and blur the line between legitimate security measures and invasive surveillance.


// FAQ

What is the LinkedIn "BrowserGate" issue?

"BrowserGate" is the name given to the discovery that LinkedIn's website uses a script to secretly scan visitors' browsers for the presence of over 6,000 specific Chrome and Chromium-based extensions, collecting their IDs and version numbers.

Is this a virus or a hack on my computer?

No, this is not a virus or a result of your computer being hacked. It is a data collection practice intentionally implemented by LinkedIn within its own website code. The script runs on your browser when you visit their site.

What specific data is LinkedIn collecting about my extensions?

When the script detects an extension from its predefined list, it collects the extension's unique ID and its version number. LinkedIn claims this is "non-identifiable data."

Why does LinkedIn claim to be doing this?

LinkedIn has stated that it collects this data for "security and fraud prevention purposes, to keep our members safe, and to prevent abuse on our platform." The data can help distinguish real users from automated bots.

How do I know if I am affected by this scan?

If you use a Chromium-based browser (like Google Chrome, Microsoft Edge, Brave, or Opera) to visit LinkedIn's website, your browser is subject to this scan. Advanced users can use their browser's developer tools to inspect network traffic for the `browser-extensions-v8-l.js` file.

Does this scan affect browsers other than Google Chrome?

Yes, it affects all browsers built on Google's Chromium engine, which includes Microsoft Edge, Brave, and Opera. Browsers like Mozilla Firefox, which use a different engine, are not vulnerable to this specific detection method.
