BleepingComputer exposed that Microsoft’s LinkedIn is using hidden JavaScript to scan visitors’ browsers for installed extensions and collect device data — a surveillance practice dubbed “BrowserGate.” LinkedIn’s scripts scan for over 6,000 Chrome extensions, building detailed browser fingerprints that feed into AI-powered ad targeting and content recommendation systems.
What LinkedIn Is Collecting
The hidden scripts detect:
- Installed Chrome extensions: Including ad blockers, password managers, developer tools, VPNs, and productivity extensions
- Browser configuration: Installed fonts, screen resolution, WebGL renderer, canvas fingerprint
- Device data: Operating system, hardware concurrency (CPU cores), available memory
- Extension metadata: Version numbers, active/inactive status, permissions granted
Together, this creates a nearly unique browser fingerprint. Even without cookies, LinkedIn can identify and track individual users across sessions with high accuracy.
How the Hidden Scripts Work
LinkedIn embeds JavaScript that probes the browser’s extension APIs. When you visit LinkedIn, the page silently checks whether specific extension IDs respond to internal messages — a technique that reveals which extensions are installed without requiring any user interaction or permission.
The technique exploits Chrome’s extension architecture: each extension has a unique ID, and web pages can attempt to communicate with extensions via the chrome.runtime.sendMessage API. If an extension responds (or responds in a specific way), the page knows it’s installed.
The AI Training Connection
The connection to AI is that LinkedIn uses the collected data to train machine learning models for:
- Ad targeting: Users with specific extensions (e.g., developer tools) see different ads than users with consumer extensions
- Content recommendation: The AI surfaces different content based on inferred interests from extension profiles
- User segmentation: Browser fingerprints help build behavioral profiles that persist across cookie deletions
How to Check If You’ve Been Scanned
You can check for LinkedIn’s scanning behavior:
- Open Chrome DevTools (F12) while on LinkedIn
- Go to the Network tab and filter for requests containing “extension” or “fingerprint”
- Look for outbound requests to LinkedIn’s analytics endpoints carrying extension data
- Check the Console tab for extension probe attempts
Browser extensions like uBlock Origin and Privacy Badger can block some of these scripts, though LinkedIn’s implementation is designed to be resilient against standard blocking techniques.
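The manual check above can be repeated offline against a HAR file exported from the DevTools Network tab. The following is an added example, not code from LinkedIn or from the original report: it applies the same two filter terms and also counts strings shaped like Chrome extension IDs. The function names, the example.test hosts and the sample entries are constructed for illustration, and it assumes the data is sent in readable form, so encoded or encrypted payloads will not match.

```javascript
// Constructed sample in HAR 1.2 shape (log.entries[].request); not captured traffic.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://www.example.test/feed/" } },
  { request: { method: "POST", url: "https://www.example.test/collect/fingerprint",
      postData: { text: JSON.stringify({ ids: [
        "abcdefghijklmnopabcdefghijklmnop",
        "ponmlkjihgfedcbaponmlkjihgfedcba" ] }) } } },
  { request: { method: "GET",
      url: "chrome-extension://abcdefghijklmnopabcdefghijklmnop/icon.png" } },
] } };

// The two Network-tab filter terms the article suggests.
const KEYWORDS = ["extension", "fingerprint"];
// Chrome extension IDs are 32 characters drawn from the letters a-p.
// The lookarounds stop a match inside a longer lowercase word.
const EXT_ID = /(?<![a-z])[a-p]{32}(?![a-z])/g;

// Return one finding per request whose URL or body matches a keyword
// or contains an extension-ID-shaped string.
function findProbeIndicators(har) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const body = (request.postData && request.postData.text) || "";
    const haystack = `${request.url}\n${body}`;
    const lower = haystack.toLowerCase();
    const keywords = KEYWORDS.filter((k) => lower.includes(k));
    const extensionIds = [...new Set(haystack.match(EXT_ID) || [])];
    if (keywords.length || extensionIds.length) {
      findings.push({ method: request.method, url: request.url, keywords, extensionIds });
    }
  }
  return findings;
}

// Collapse findings into counts that are easy to compare between sessions.
function summarize(findings) {
  const ids = new Set(findings.flatMap((f) => f.extensionIds));
  return { flaggedRequests: findings.length, distinctExtensionIds: ids.size };
}

const findings = findProbeIndicators(sampleHar);
for (const f of findings) {
  console.log(f.method, f.url, f.keywords.join(","), f.extensionIds.length);
}
console.log(summarize(findings));
```

To run it on a real capture, replace `sampleHar` with the parsed JSON of the exported file. A keyword hit alone is only a lead to inspect, since unrelated URLs can contain either word.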
What You Can Do
Firefox users are less affected — Firefox’s extension architecture makes this type of probing harder. Chrome users can use browser profiles to isolate LinkedIn in a separate profile with minimal extensions. The most effective mitigation is using LinkedIn in a dedicated browser or container tab that has no extensions installed, giving LinkedIn nothing to scan.
