LinkedIn Secretly Scans for More Than 6,000 Chrome Extensions and Collects Device Data

What happened

LinkedIn is using hidden JavaScript on its website to detect more than 6,000 browser extensions and collect device information from visitors using Chromium-based browsers. The script checks whether specific extensions are installed by attempting to access files associated with each extension ID. The detected list includes tools tied to LinkedIn, competing sales products, grammar and language extensions, tax-related tools, and other unrelated software. The script also gathers device and browser information including CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio information, and storage features. LinkedIn said it uses extension detection to identify tools that scrape data or violate its terms of service, improve technical defenses, and understand unusual account activity. 

Who is affected

The direct exposure affects visitors using LinkedIn in Chromium-based browsers where the fingerprinting script can check for installed extensions and collect device-related information. The company said the detection is tied to extension-based scraping and site stability concerns, while the report challenging the practice said the data could be linked to identifiable user profiles. 

Why CISOs should care

This matters because the activity involves silent collection of browser extension and device-level information tied to a professional identity platform where accounts are often linked to real names, employers, and roles. It also highlights how anti-abuse controls can overlap with privacy, software inventory visibility, and employee-use patterns on corporate-managed devices. 

3 practical actions

  1. Review browser extension governance: Make sure managed endpoints have clear policies for approved browser extensions, especially where extension usage could reveal internal tooling choices or business workflows. 
  2. Assess web privacy exposure on managed devices: Evaluate whether employee browsing to major platforms could expose extension inventories and device characteristics that create unnecessary organizational visibility. 
  3. Separate anti-abuse controls from privacy expectations: Ensure security and privacy teams understand where platform-side detection of extensions and device traits may create data collection concerns for workforce users. 
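
To support action 1, the following added example (not from the original report or from LinkedIn) audits the extension manifests in a Chromium profile and lists which extensions expose files a website could request to confirm they are installed. It assumes the file-access check described above relies on Chrome's `web_accessible_resources` manifest key; the function names and the sample manifests are constructed for illustration, and the profile's `Extensions` directory path is supplied by the caller.

```python
import json
from pathlib import Path

# Match patterns that expose a resource to every website.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def probeable_resources(manifest: dict) -> list[str]:
    """Return resource paths any web page could request to detect this extension."""
    war = manifest.get("web_accessible_resources") or []
    if manifest.get("manifest_version", 2) < 3:
        # Manifest V2: a flat list of paths, readable from every origin.
        return [r for r in war if isinstance(r, str)]
    exposed = []
    for entry in war:  # Manifest V3: list of {resources, matches, ...} objects
        if not isinstance(entry, dict) or entry.get("use_dynamic_url"):
            continue  # dynamic URLs change per session, so a fixed-ID probe misses
        if BROAD & set(entry.get("matches", [])):
            exposed.extend(entry.get("resources", []))
    return exposed

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Map extension ID to probeable resources for <id>/<version>/manifest.json files."""
    findings = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip it
        exposed = probeable_resources(manifest)
        if exposed:
            findings[path.parent.parent.name] = exposed
    return findings

# Constructed sample manifests (not real extensions).
SAMPLES = {
    "mv2-open": {"manifest_version": 2, "web_accessible_resources": ["img/logo.png"]},
    "mv3-open": {"manifest_version": 3, "web_accessible_resources": [
        {"resources": ["inject.js"], "matches": ["<all_urls>"]}]},
    "mv3-dynamic": {"manifest_version": 3, "web_accessible_resources": [
        {"resources": ["ui.css"], "matches": ["<all_urls>"], "use_dynamic_url": True}]},
    "mv3-scoped": {"manifest_version": 3, "web_accessible_resources": [
        {"resources": ["panel.html"], "matches": ["https://example.com/*"]}]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(f"{name}: {probeable_resources(manifest)}")
```

Extensions scoped to specific sites, such as the `mv3-scoped` sample, are not flagged here but remain detectable by the sites named in their `matches` list.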
