LinkedIn Browser Extension Scanning Explained: Scale, Scope, and Gaps
Every time you open LinkedIn in Chrome, Edge, Brave, or any other Chromium-based browser, a JavaScript file with a randomized name loads silently and checks your browser for roughly 6,200 installed extensions. BleepingComputer confirmed this through independent testing this week. LinkedIn does not dispute it.
The scanning itself is not the most interesting part of this story. What makes LinkedIn browser extension scanning different from routine fingerprinting is who's being scanned. Most fingerprinting targets anonymous visitors. LinkedIn users are logged in, named, and professionally identified: employer, job title, industry, all visible on their profiles. Extension data collected against an anonymous browser tells you something about that browser. The same data collected against a verified account tied to a specific person at a specific company is a different kind of signal entirely. That's the core of this story.
LinkedIn's explanation that it scans to detect scraping tools violating its terms is not implausible. But the list reportedly includes 509 job-search tools, faith-based apps, accessibility software, and more than 200 direct competitor products. The gap between "anti-scraping defense" and "checking whether you have a prayer-time reminder installed" is wide, and LinkedIn has not bridged it. What the data is ultimately used for, how long it's stored, and why none of this appears in LinkedIn's privacy policy remain unanswered. (BleepingComputer, gHacks, this week)
How the LinkedIn BrowserGate report's core claims were independently verified
Chrome extensions each carry a stable, unique 32-character ID. Many declare certain internal files as "web accessible," meaning any page can request them. LinkedIn's script fires thousands of these resource-fetch requests simultaneously, checks which succeed (extension present) or fail (not installed), encrypts the results, and transmits them back to LinkedIn's servers. Security firm Castle documented this technique in January 2026; it's a known, legitimate anti-fraud method. The question is not the mechanism. It's the scale and scope.
Here's how it works in practice. Grammarly's extension ID is kbfnbcaeplbcioakkpcpgfkobkghlhen. Its manifest declares internal CSS files as web-accessible resources. LinkedIn's script attempts to fetch one of those files. If the fetch resolves, Grammarly is installed. That response takes milliseconds, leaves no visible trace, and repeats for thousands of other extensions during the same page load. (Castle, January 2026)
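The mechanism above works only because a manifest lists files that every origin may fetch. The following is an added example, not LinkedIn's, Castle's, or any extension vendor's code: a small audit that reads an extension manifest and reports which resources a page could probe, with a weak manifest beside a hardened one. The manifests and the origin `app.example-extension.test` are constructed for illustration.

```javascript
// Added example (not LinkedIn's, Castle's, or any extension vendor's code).
// Audits an extension manifest for files that any web page could request
// via chrome-extension://<id>/<path>, which is what makes presence
// detection possible. All manifests below are constructed samples.

function isBroadPattern(pattern) {
  // <all_urls>, *://*/* and http(s)://*/* grant every site access.
  return (
    pattern === '<all_urls>' ||
    /^\*:\/\/\*\//.test(pattern) ||
    /^https?:\/\/\*\//.test(pattern)
  );
}

function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];

  if (manifest.manifest_version === 2) {
    // MV2 takes a flat list of paths; every origin may fetch them.
    for (const path of war) {
      findings.push({ path, matches: ['<all_urls>'], dynamicUrl: false, probeable: true });
    }
  } else {
    // MV3 entries scope each resource group to match patterns and/or
    // extension IDs, and may opt into a per-session dynamic URL.
    for (const entry of war) {
      const matches = entry.matches || [];
      const dynamicUrl = entry.use_dynamic_url === true;
      const probeable = matches.some(isBroadPattern) && !dynamicUrl;
      for (const path of entry.resources || []) {
        findings.push({ path, matches, dynamicUrl, probeable });
      }
    }
  }

  return {
    probeableFromAnySite: findings.some((f) => f.probeable),
    findings,
  };
}

// Constructed MV3 manifest in the weak shape: CSS exposed to every origin
// under the extension's stable ID, so any page can test for it.
const WEAK_MANIFEST = {
  manifest_version: 3,
  name: 'example-weak',
  web_accessible_resources: [
    { resources: ['styles/*.css'], matches: ['<all_urls>'] },
  ],
};

// Constructed hardened form: the same files limited to the one origin that
// needs them, plus use_dynamic_url so even that origin must first learn the
// session-specific ID. The origin is hypothetical.
const HARDENED_MANIFEST = {
  manifest_version: 3,
  name: 'example-hardened',
  web_accessible_resources: [
    {
      resources: ['styles/*.css'],
      matches: ['https://app.example-extension.test/*'],
      use_dynamic_url: true,
    },
  ],
};

// Constructed MV2 manifest for comparison: no scoping is possible there.
const LEGACY_MV2_MANIFEST = {
  manifest_version: 2,
  name: 'example-legacy',
  web_accessible_resources: ['styles/main.css', 'img/icon.png'],
};

function summarize(manifest) {
  const { probeableFromAnySite, findings } = auditWebAccessibleResources(manifest);
  const lines = findings.map(
    (f) =>
      `  ${f.path} -> ${f.matches.join(', ') || '(extension_ids only)'}` +
      `${f.dynamicUrl ? ' [dynamic URL]' : ''}${f.probeable ? ' PROBEABLE' : ''}`
  );
  return `${manifest.name}: probeable from any site = ${probeableFromAnySite}\n${lines.join('\n')}`;
}

for (const m of [WEAK_MANIFEST, HARDENED_MANIFEST, LEGACY_MV2_MANIFEST]) {
  console.log(summarize(m));
}
```

The caveat for extension developers is that narrowing `matches` only blocks probes from origins outside the pattern; an extension that must inject into linkedin.com pages remains detectable there, and Manifest V2 offers no scoping at all. Users auditing their own installs can point the same function at each extension's manifest.json.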
The same script also collects CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio details, and storage characteristics: a standard device fingerprint that, combined with extension data, makes individual browsers highly identifiable across sessions. (BleepingComputer, this week)
The script includes an isUserAgentChrome() check that restricts execution to Chromium-based browsers. Firefox and Safari users are not affected, since their extension architectures don't expose resources the same way. (BrowserGate, March 2026; CybersecurityNews, this week)
The list is also growing fast, not holding steady. A GitHub repository documented 2,953 extensions in February 2026. BleepingComputer's testing this week found 6,236. Analysts at CtrlAltNod tracked the list from 461 entries in 2024 to more than 6,200 by early 2026, a 1,252% increase, with roughly 12 new extensions added daily between December 2025 and February 2026. That pace is not a legacy feature sitting unattended. It reflects active, ongoing development.
Why being logged in makes this matter more than it otherwise would
On a site where you're anonymous, knowing which extensions are installed in your browser tells an advertiser or fraud-detection system something about your environment. Useful for risk scoring; limited for anything else.
LinkedIn is different. When the scan runs, LinkedIn already knows your name, your employer, your job title, and your professional history. Against that backdrop, extension data doesn't exist in a vacuum; it attaches to an identity. A prayer-time reminder detected in an anonymous browser is an inert data point. The same detection against a named account at a named company means LinkedIn has logged a religious indicator tied to a real person's professional identity.
The same logic applies at scale to corporate intelligence. Because LinkedIn profiles display employer relationships, extension data collected across thousands of users at a single company can reveal what software stack that company runs, including competitor tools it hasn't publicly disclosed using. That's the claim the BrowserGate report makes about the 200-plus competitor products on the scan list, and it's the reason the logged-in context transforms what would otherwise be routine bot-detection into something with much broader potential uses. (BleepingComputer, this week)
Why the breadth of the list raises questions LinkedIn hasn't answered
LinkedIn's stated purpose is identifying scraping tools. That's a coherent anti-abuse rationale. The scan reportedly covers 509 job-search extensions (tools integrated with Glassdoor and Monster), along with grammar tools, tax software, screen readers, ADHD management apps, and extensions associated with religious practice. (CybersecurityNews, gNerdSEC, this week) None of those categories has an obvious connection to scraping. LinkedIn has not explained their inclusion.
Two scenarios illustrate where this becomes concrete. A sales professional using Apollo or ZoomInfo (both among the 200-plus competitor products reportedly on the scan list) visits LinkedIn while their employer is visible on their profile. LinkedIn could map which companies use rival sales platforms without those companies' knowledge. (BleepingComputer, this week) Separately, an employee running job-search extensions from Glassdoor or Indeed while logged into their current employer's LinkedIn account would have that signal captured against a named, employer-linked identity. (CybersecurityNews, CtrlAltNod, this week)
LinkedIn's privacy policy contains no mention of browser extension scanning or fingerprinting, according to multiple sources. (gHacks, CtrlAltNod, this week) That's a concrete, verifiable gap separate from any question of legal liability. Users cannot make an informed choice about browser exposure their platform hasn't disclosed.
One prior incident is worth noting here, not as proof of wrongdoing but as context. In April 2025, The Markup reported that California's health insurance marketplace had been transmitting sensitive health data (pregnancy status, disability information, domestic abuse disclosures) to LinkedIn via its Insight Tag. LinkedIn's own documentation says the Insight Tag shouldn't be installed on sensitive health pages. That episode involved a different product surface entirely, but it established that data LinkedIn receives can carry far more sensitive content than platform operators anticipate.
What LinkedIn says, what critics allege, and what cannot be verified
LinkedIn told BleepingComputer it scans to identify extensions that scrape member data without consent or violate its terms, that the data is used to enforce rules and maintain site stability, and that it does not use collected information to infer sensitive details about members. The company has not disputed the scanning behavior itself.
The BrowserGate report comes from Fairlinked e.V., an advocacy group LinkedIn says is linked to a developer whose account was suspended for scraping violations. A German court denied that developer's injunction request, finding LinkedIn's actions were not unlawful obstruction. That context affects how much weight the report's more inflammatory claims deserve, but it does not change what BleepingComputer found when it ran the script independently. (BleepingComputer, this week)
Advocacy sources allege LinkedIn shares collected extension and fingerprint data with third parties, including HUMAN Security, and has used scan data to send enforcement threats to specific users. BleepingComputer explicitly could not verify either claim. Both should be understood as allegations until corroborated by independent technical or documentary evidence.
Privacy advocates argue that detecting extensions associated with religious practice, health conditions, or political orientation could implicate GDPR Article 9 protections for special-category data, which requires explicit consent. (CybersecurityNews, gNerdSEC, this week) Whether inference from extension data actually triggers Article 9 obligations is a legal question no source has definitively resolved, and no formal regulatory investigation has been confirmed as of publication.
What Chromium users can do, and what won't help
The most effective option is switching browsers. Because the scan requires Chromium's extension architecture, using Firefox or Safari for LinkedIn sessions prevents extension detection entirely. The isUserAgentChrome() check excludes non-Chromium browsers from the scan. (CybersecurityNews, BrowserGate, this week)
Staying on Chrome? Create a dedicated profile used only for LinkedIn with no extensions installed. The scan runs but finds nothing to report. More disruptive than switching browsers, but it works for users locked into Chromium-based environments. (CybersecurityNews, CtrlAltNod, this week)
Two common instincts won't help here. A VPN routes network traffic but doesn't affect in-browser JavaScript execution; the scan runs client-side and is independent of IP address or location. Logging out of LinkedIn likely doesn't stop the script from executing on page load, since the scan fires before session state matters. (CtrlAltNod, this week)
For technically advanced users, blocking LinkedIn's telemetry endpoints (specifically linkedin.com/li/track and requests containing the payload signature apfcDf) via uBlock Origin, Pi-hole, or NextDNS can intercept the transmission of scan results to LinkedIn's servers, though the local scan still runs. (Medium/Akalin, this week; treat as technically plausible and verify independently before relying on it)
What the confirmed record shows, and what's still missing
LinkedIn scans Chromium browsers for roughly 6,200 extensions on every page load and collects a device fingerprint alongside that. Both the platform and independent researchers confirm this. What LinkedIn has not confirmed: why the list includes job-search tools, accessibility software, and faith-based extensions; what its retention policy is for the collected data; and why none of this appears in its privacy policy. (BleepingComputer, gHacks, this week)
The list grew from 461 entries in 2024 to more than 6,200 by early 2026, at roughly 12 additions per day during its most active expansion period. (CtrlAltNod, this week) LinkedIn has now publicly acknowledged the scanning. The reasonable follow-up is not whether this constitutes a scandal; that's a conclusion requiring evidence about downstream use that hasn't been established. The reasonable follow-up is a straightforward question LinkedIn hasn't yet answered: what is on that list, why is it there, and where does the data go?