LinkedIn's 'BrowserGate': Massive Extension Scanning and Device Fingerprinting Exposed

Chips Reporter

LinkedIn injects JavaScript into every page to scan for over 6,000 Chrome extensions and harvest detailed hardware data, raising serious privacy concerns about the professional networking platform's data collection practices.

LinkedIn has been caught injecting a JavaScript fingerprinting script into every page load that probes visitors' browsers for 6,236 installed Chrome extensions and collects detailed device telemetry, according to a report by Fairlinked e.V. and independently confirmed by BleepingComputer. The script, which BleepingComputer verified through its own testing, also harvests the CPU core count, available memory, screen resolution, time zone, language settings, and battery status.

A GitHub repository documented LinkedIn scanning for roughly 2,000 extensions in 2025, while a separate repo from February this year logged approximately 3,000. The current count stands at 6,236. Many of the targeted extensions are LinkedIn-related tools, including sales intelligence products from Apollo, Lusha, and ZoomInfo that directly compete with LinkedIn's offerings. The Fairlinked report claims that LinkedIn scans more than 200 competing products in total and that the script also checks for language and grammar extensions, tools for tax professionals, and other categories with no obvious connection to LinkedIn's platform.

Beyond extensions, the script gathers hardware and software fingerprinting data, such as CPU class, device memory, screen dimensions, time zone offset, battery status, and storage capabilities. These data points are commonly used in browser fingerprinting to build unique device profiles, but because LinkedIn accounts are tied to real names, employers, and job titles, the extension and device data can be linked back to positively identify individuals.

The Fairlinked report also claims the data is transmitted to HUMAN Security, an American-Israeli cybersecurity firm, though this has not been independently verified. LinkedIn told BleepingComputer the scanning is used to detect extensions that scrape data or otherwise violate its terms of service. "To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent," a LinkedIn spokesperson told BleepingComputer. The company added that it does not use the data to "infer sensitive information about members."

LinkedIn also said the Fairlinked report was published by someone whose account had been restricted for scraping. The individual is linked to a browser extension called "Teamfluence," which LinkedIn said violated its platform terms. A German court denied that individual's request for a preliminary injunction against LinkedIn, finding that the platform was within its rights to block accounts engaged in automated data collection.

LinkedIn isn't the first major platform to use aggressive client-side fingerprinting. In 2021, eBay was found to be using JavaScript to perform automated port scans on visitors' devices to detect remote access software. The same script was later found running on sites operated by Citibank, TD Bank, and Equifax.

The scope of LinkedIn's scanning operation is particularly concerning given the professional nature of the platform. Unlike general social media sites, LinkedIn profiles contain detailed employment history, educational background, and professional connections. When combined with the granular device and extension data being collected, this creates a comprehensive profile that goes far beyond what users might expect from a professional networking site.

Security researchers have noted that the technique used by LinkedIn—attempting to access file resources tied to specific extension IDs—is a well-documented method for detecting whether extensions are installed in Chromium-based browsers. However, the scale of LinkedIn's operation, scanning for over 6,000 extensions, far exceeds typical security scanning practices.
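Whether a page can detect an extension this way depends on what the extension's manifest declares as web-accessible. The following Node.js sketch is an added example, not code from the article or the reports it cites: it audits parsed `manifest.json` objects and lists the extensions whose resources a given page origin could request by fixed extension ID. The function names and sample manifests are constructed for illustration.

```javascript
// Does a Chrome match pattern such as "https://*.example.com/*" cover pageUrl?
// Only scheme and host are compared; this sketch ignores ports and file: URLs.
function patternCoversOrigin(pattern, pageUrl) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\//.exec(pattern);
  if (!m) return false;
  const url = new URL(pageUrl);
  const scheme = url.protocol.slice(0, -1);
  if (m[1] === '*' ? !/^https?$/.test(scheme) : m[1] !== scheme) return false;
  if (m[2] === '*') return true;
  if (m[2].startsWith('*.')) {
    const base = m[2].slice(2);
    return url.hostname === base || url.hostname.endsWith('.' + base);
  }
  return url.hostname === m[2];
}

// Paths of one extension that pageUrl could fetch by the extension's fixed ID.
function probeableResources(manifest, pageUrl) {
  const war = manifest.web_accessible_resources || [];
  // Manifest V2: a flat list of paths, readable from every origin.
  if (manifest.manifest_version === 2) return war.filter((e) => typeof e === 'string');
  const exposed = [];
  for (const entry of war) {
    if (typeof entry !== 'object' || entry === null) continue;
    // use_dynamic_url serves the resource under a per-session ID only.
    if (entry.use_dynamic_url === true) continue;
    if ((entry.matches || []).some((p) => patternCoversOrigin(p, pageUrl))) {
      exposed.push(...(entry.resources || []));
    }
  }
  return exposed;
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = {
  'legacy-helper': { manifest_version: 2, web_accessible_resources: ['img/icon.png'] },
  'open-to-all': { manifest_version: 3, web_accessible_resources: [
    { resources: ['inject.js'], matches: ['<all_urls>'] }] },
  'scoped-elsewhere': { manifest_version: 3, web_accessible_resources: [
    { resources: ['ui.html'], matches: ['https://*.example.org/*'] }] },
  'dynamic-id': { manifest_version: 3, web_accessible_resources: [
    { resources: ['ui.css'], matches: ['<all_urls>'], use_dynamic_url: true }] },
  'no-resources': { manifest_version: 3 },
};

// Names of the extensions that expose at least one resource to pageUrl.
const audit = (manifests, pageUrl) => Object.keys(manifests)
  .filter((name) => probeableResources(manifests[name], pageUrl).length > 0);
console.log(audit(SAMPLE_MANIFESTS, 'https://www.linkedin.com/feed/'));
```

Extensions that declare no web-accessible resources, scope them to unrelated origins, or set `use_dynamic_url` do not appear in the result for that page.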

The data collection raises questions about LinkedIn's competitive practices, as many of the extensions being scanned are from companies that compete directly with LinkedIn's own sales intelligence and recruitment tools. The inclusion of seemingly unrelated categories like tax preparation software and grammar tools suggests the scanning may serve purposes beyond simple security enforcement.

For users concerned about this type of data collection, options are limited. The scanning occurs on LinkedIn's servers and cannot be blocked through browser settings alone. Users would need to either avoid using LinkedIn altogether or employ more sophisticated privacy tools that can interfere with JavaScript execution on the site.

The revelation comes at a time when concerns about browser fingerprinting and online privacy are growing. As browsers implement stronger privacy protections and limit traditional tracking methods like cookies, companies are increasingly turning to more invasive techniques to identify and track users across the web.
