LinkedIn's 'BrowserGate': Fingerprinting Script Scans for Thousands of Extensions, Raising Privacy Concerns
A new report, dubbed 'BrowserGate,' alleges that **LinkedIn** employs hidden JavaScript to scan users' browsers for installed extensions and collect device data. This practice, if confirmed, raises significant privacy concerns for users and could potentially expose corporate information.

According to a report by **Fairlinked e.V.**, a commercial **LinkedIn** users association, the platform injects JavaScript into user sessions to check for thousands of browser extensions, linking the results to identifiable user profiles. This behavior is alleged to collect sensitive personal and corporate information, given that **LinkedIn** accounts are tied to real identities, employers, and job roles.
### Extension Detection and Competitive Intelligence
The report claims that **LinkedIn** scans for over 200 products that directly compete with its own sales tools, including **Apollo**, **Lusha**, and **ZoomInfo**. By correlating user profiles with detected extensions, **LinkedIn** could potentially map which companies use competitor products, essentially extracting customer lists without user knowledge. The report further alleges that **LinkedIn** has used this data to send enforcement threats to users of third-party tools.
**BleepingComputer** independently confirmed parts of these claims, observing a JavaScript file with a randomized filename loaded by **LinkedIn's** website. This script checked for 6,236 browser extensions by attempting to access file resources associated with a specific extension ID, a known technique for detecting installed extensions.
This fingerprinting script was previously reported in 2025 detecting approximately 2,000 extensions, but the number has grown significantly. A separate **GitHub** repository showed 3,000 extensions being detected two months ago, illustrating the increasing scope of this practice.

*Snippet of the list of extensions scanned for by LinkedIn's script*
*Source: BleepingComputer*
While many of the scanned extensions are related to **LinkedIn**, the script also detects language and grammar tools, tax software, and other seemingly unrelated features.
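The probing technique described above only works against extensions that expose files to web pages at a stable `chrome-extension://<id>/<path>` URL. The following added example (not code from LinkedIn, BleepingComputer, or the report) audits an extension's `manifest.json` to list which resources a given page origin could probe. The sample manifests are constructed, the function names are hypothetical, and the match-pattern check is simplified to scheme and host.

```javascript
"use strict";
// Constructed sample manifests (not real extensions).
const SAMPLES = {
  mv2Legacy: { manifest_version: 2, web_accessible_resources: ["img/icon.png", "inject.js"] },
  mv3Broad: { manifest_version: 3, web_accessible_resources: [
    { resources: ["img/logo.png"], matches: ["<all_urls>"] }] },
  mv3Hardened: { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui/panel.html"], matches: ["https://*.linkedin.com/*"], use_dynamic_url: true },
    { resources: ["help.css"], matches: ["https://app.example.com/*"] }] },
};

// Simplified match-pattern check (assumption): scheme and host only, path ignored.
function patternMatchesOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  if (!["http", "https"].includes(scheme)) return false;
  if (m[1] !== "*" && m[1] !== scheme) return false;
  const host = m[2];
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === host;
}

// Resource paths that a page at `origin` could request at a fixed extension URL.
function probeableResources(manifest, origin) {
  const war = manifest.web_accessible_resources || [];
  // Manifest V2: a flat list of paths, readable by any web page.
  if (manifest.manifest_version === 2) return war.filter((r) => typeof r === "string");
  const exposed = new Set();
  for (const entry of war) {
    // use_dynamic_url serves the file under a per-session ID, so the
    // published extension ID cannot be used to build the probe URL.
    if (entry.use_dynamic_url === true) continue;
    if ((entry.matches || []).some((p) => patternMatchesOrigin(p, origin))) {
      (entry.resources || []).forEach((r) => exposed.add(r));
    }
  }
  return [...exposed];
}

for (const [name, manifest] of Object.entries(SAMPLES)) {
  console.log(name, probeableResources(manifest, "https://www.linkedin.com"));
}
```

An empty result means the extension offers no fixed resource URL to that origin; narrowing `matches` or setting `use_dynamic_url` are the manifest-side mitigations.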
### Device Data Collection
The script also collects a wide range of browser and device data, including CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio information, and storage features. This data can be used for browser fingerprinting, a technique used to track users across the web.

*Gathering information about visitors' devices*
*Source: BleepingComputer*
**BleepingComputer** could not independently verify claims regarding the use of this data or whether it is shared with third-party companies.
### LinkedIn's Response
**LinkedIn** acknowledges detecting specific browser extensions but denies using the data for nefarious purposes. The company claims the information is used to protect the platform and its users. **LinkedIn** also states that the **BrowserGate** report originates from an individual whose account was banned for scraping **LinkedIn** content and violating the site's terms of use.
**LinkedIn** provided the following statement:
> "The claims made on the website linked here are plain wrong. The person behind them is subject to an account restriction for scraping and other violations of LinkedIn's Terms of Service.
> To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service.
> Here's why: some extensions have static resources (images, javascript) available to inject into our webpages. We can detect the presence of these extensions by checking if that static resource URL exists. This detection is visible inside the Chrome developer console. We use this data to determine which extensions violate our terms, to inform and improve our technical defenses, and to understand why a member account might be fetching an inordinate amount of other members' data, which at scale, impacts site stability. We do not use this data to infer sensitive information about members.
> For additional context, in retaliation for this website owner's account restriction, they attempted to obtain an injunction in Germany, alleging LinkedIn had violated various laws. The court ruled against them and found their claims against LinkedIn had no merit, and in fact, this individual's own data practices ran afoul of the law.
> Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy."
> — LinkedIn
**LinkedIn** claims the **BrowserGate** report stems from a dispute involving the developer of the **Teamfluence** browser extension, which **LinkedIn** says it restricted for violating the platform's terms. A German court denied the developer's request for a preliminary injunction, finding that **LinkedIn's** actions did not constitute unlawful obstruction or discrimination.
### A Broader Trend of Fingerprinting
Regardless of the reasons behind the report, **LinkedIn** uses a fingerprinting script that detects over 6,000 extensions running in a Chromium browser, along with other system data. This practice is not unique to **LinkedIn**.
In 2021, **eBay** was found to use JavaScript to perform automated port scans on visitors' devices to detect remote support software. Other companies, including **Citibank**, **TD Bank**, **Ameriprise**, **Chick-fil-A**, **Lendup**, **BeachBody**, **Equifax IQ connect**, **TIAA-CREF**, **Sky**, **GumTree**, and **WePay**, have also used similar fingerprinting scripts.