Tools / News / LinkedIn's BrowserGate: Every Visit Scanned Your Browser for 6,000 Extensions
Press

LinkedIn's BrowserGate: Every Visit Scanned Your Browser for 6,000 Extensions

· VaultTools

A Fairlinked e.V. investigation published in April 2026 revealed that LinkedIn silently scans visitors' browsers for 6,167 Chrome extensions and collects 48 hardware fingerprinting attributes on every page visit, without disclosing the practice in its privacy policy. The scandal shows how browser-based surveillance can occur before any file is uploaded.

VaultTools · April 6, 2026

Surveillance cameras mounted on a wall, representing covert browser fingerprinting and undisclosed data collection by web services. Photo on Unsplash

Table of Contents


What Happened

In early April 2026, Fairlinked e.V., a European association of commercial LinkedIn users, published a detailed technical investigation revealing that LinkedIn silently injects a 2.7-megabyte JavaScript bundle on every page visit. The script probes the visitor’s browser for over 6,000 specific Chrome extensions, collects 48 hardware and software characteristics, encrypts the resulting fingerprint, and transmits it to LinkedIn’s servers with every API request made during the session. LinkedIn is owned by Microsoft.

The investigation prompted coverage from BleepingComputer, Tom’s Hardware, The Next Web, Apple Insider, and Cybernews. Fairlinked published its findings at browsergate.eu and called the practice “one of the largest undisclosed data collection operations in the history of the commercial internet.”

What the Script Collects

According to the Fairlinked report, the JavaScript bundle gathers two categories of data without user notice or consent.

The first category is extension enumeration. The script probes for 6,167 specific Chrome extensions by injecting hidden iframes and measuring browser behavior. The scan list includes 509 job search extensions used by a combined 1.4 million people, over 200 sales and recruiting tools that compete directly with LinkedIn’s own Sales Navigator product, and extensions related to health and religious content. Detection of the latter category constitutes collection of GDPR Article 9 special-category data.

The second category is hardware fingerprinting. The script records CPU class, device memory, screen dimensions, time zone offset, battery status, and storage capabilities, assembling 48 distinct device attributes per visit.

The encrypted fingerprint is attached to every API call made during the session. Fairlinked found that collected data is shared with at least one third party: HUMAN Security, an American-Israeli cybersecurity firm.

LinkedIn’s stated justification is the detection of extensions that scrape its platform in violation of its terms of service. LinkedIn told BleepingComputer: “To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent.” None of this is disclosed in LinkedIn’s privacy policy.

The Growth Timeline: 1,252% in Two Years

The scope of LinkedIn’s scanning grew dramatically before it was publicly documented. In 2024, LinkedIn scanned for 461 extensions. By February 2026, that list had grown to 6,167, a 1,252% increase in two years. The combined installed user base across all scanned extensions is estimated at 405 million people.

The growth rate suggests the scanning operation expanded well beyond its stated purpose of blocking scraping tools. The inclusion of competitor products and sensitive-category extensions points to a secondary commercial use.

Fairlinked argues the behavior violates three EU frameworks.

Under GDPR, the undisclosed collection of special-category data (health, religion, political opinions) requires explicit consent under Article 9. LinkedIn has no such consent on record and no disclosed exemption.

Under the ePrivacy Directive, storing or accessing information on a user’s device without consent is prohibited. The script’s extension enumeration technique accesses the browser environment without disclosure, placing it squarely within the Directive’s scope.

Under the Digital Markets Act, LinkedIn operates as a platform service and is required to disclose tracking practices to users and regulators. The complete absence of disclosure in LinkedIn’s privacy policy represents an alleged violation of DMA transparency requirements.

Fairlinked has filed formal complaints. LinkedIn’s EU lead supervisory authority is the Irish Data Protection Commission. The campaign directs users to submit individual complaints via browsergate.eu to increase regulatory pressure on the DPC to act.

What This Means for Browser-Based File Tools

BrowserGate illustrates a threat that operates before a file is uploaded or any tool is used. A web service can collect a detailed fingerprint of your device, your installed software, and your hardware profile simply by loading its JavaScript. That data is transmitted to the service’s servers and potentially to third parties, regardless of whether the user takes any action on the page.

The same JavaScript execution environment hosts every web tool opened in a browser tab. A file conversion service, PDF editor, or image compressor that injects undisclosed tracking scripts can harvest device fingerprints the moment the page loads. The file the user intended to process privately has not left the device, but a detailed digital identity profile already has.

Browser-local processing via WebAssembly changes this threat model. Tools built on WebAssembly execute their core logic entirely within the browser sandbox. They make no server calls during file processing, produce no upload transactions, and require no trust in any server infrastructure. Transparent JavaScript that calls no external endpoints cannot covertly transmit a fingerprint to a third party.

BrowserGate is not a novel attack. It is a disclosure of covert data collection that operated at scale for at least two years before it was documented. For users processing sensitive documents, contracts, or images in the browser, it is a concrete example of what client-side, no-upload architectures are designed to prevent.


Sources