Extension fingerprinting explained: what websites can read about you from your installed add-ons
LinkedIn scanned 6,236 Chrome extensions to fingerprint users without consent. Here's how extension fingerprinting works and how to check if you're exposed.
Every time you visited LinkedIn recently, a hidden script on that page was probing your browser for 6,236 installed Chrome extensions. Not checking for one or two abuse-related tools. Six thousand two hundred thirty-six.
According to BleepingComputer's reporting in April 2026, that script bundled the results — alongside your CPU core count, available memory, screen resolution, timezone, and battery status — into encrypted telemetry attached to every API request the site made.
This isn't a data breach. Nobody hacked LinkedIn. The technique is built into how browsers work, and any website can do it. That's the part worth sitting with for a moment.
What extension fingerprinting actually is
Extension fingerprinting is when a webpage detects which browser extensions you have installed — without your permission, without any browser API calls, and without triggering any browser prompts.
The mechanism exploits a feature of the Chrome extension model called web-accessible resources. When an extension wants to display an icon inside a webpage — or inject a stylesheet, or expose a helper script to page content — it declares those files as accessible to web pages in its manifest.json. Once declared, any webpage can attempt to load those files using a direct URL:
chrome-extension://[extension-id]/icon.png
The logic is dead simple: if the fetch succeeds, the extension is installed. If it fails with a network error, it isn't. Script this probe against thousands of known extension IDs and you've mapped exactly what's running in someone's browser in under a second.
No permissions needed. No browser prompt. No indicator in the address bar. The user never knows.
What a website learns from your extension list
An extension list is more revealing than most people assume.
A password manager tells a site you're security-conscious and probably use strong unique passwords. A religious text reader suggests faith affiliation. A job board extension suggests active job hunting — information you might not want your current employer to infer. A disability assistance tool could indicate health conditions. Add extensions for political news sites or campaign tools, and the inference gets more pointed.
None of these inferences require the website to ask you anything. They fall directly out of which extensions you have installed.
According to research by Fairlinked e.V. — an association of commercial LinkedIn users — and verified by BleepingComputer, LinkedIn's script specifically targeted 200+ extensions that compete directly with LinkedIn's own sales intelligence products: Apollo, Lusha, ZoomInfo. Because LinkedIn already knows which employer each user works for, the data can theoretically map which companies' employees are using which competitor tools — extracted from browsers without anyone's knowledge or consent.
Cameron Eckelberry at Malwarebytes put the broader issue plainly: "Your browser extensions can be used to build a profile of you for advertisers and scammers."
The LinkedIn BrowserGate case
The scope of LinkedIn's scanning is what makes this case significant. BleepingComputer reported the detection list grew from around 2,000 extensions in 2025 to about 3,000 a few months ago, and then to 6,236 by April 2026. That rate of expansion is hard to explain with a fraud-prevention justification alone.
LinkedIn's public position: "We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability." — LinkedIn spokesperson, as reported by BleepingComputer.
That defense is now being tested in court. Two class-action lawsuits were filed in April 2026 in the U.S. District Court for the Northern District of California. According to CX Today's reporting — corroborated by BleepingComputer's underlying reporting on BrowserGate — the suits allege violations across six legal theories: the Federal Wiretap Act, California computer fraud statute, California pen register law, California wiretapping statute, the California Constitutional privacy clause, and common-law intrusion upon seclusion.
The complaints specifically flag that among the 6,236 targeted extensions were religious practice tools, political affiliation markers, disability assistance software, and 509 job-search extensions — categories that reportedly fall under GDPR Article 9 special category data protections.
LinkedIn has not publicly responded to the class action filings specifically. A German court previously denied a preliminary injunction against LinkedIn for the same underlying conduct.
When extension scanning crosses a line
Extension scanning isn't inherently wrong. A banking site checking for a handful of known phishing-assist extensions to prevent session hijacking is a reasonable security measure. That's fundamentally different from a B2B platform cataloging 6,236 extensions to build competitive intelligence about which rival tools are installed in employees' browsers.
A few factors separate legitimate use from a privacy violation:
Scope. Scanning 5-10 known malicious extensions is defensible. Scanning 6,236 to build comprehensive device fingerprints is something else.
Sensitive categories. If your scan inevitably catches religious practice tools, disability software, or job-seeking extensions, you're collecting protected-class information. The design creates the exposure even without explicit intent.
Persistence. Extension fingerprints don't expire. Unlike cookies, you can't clear your extension list without literally removing extensions. If the fingerprint is stored server-side, it persists indefinitely across sessions, devices, and email addresses.
Standard privacy tools don't block this. uBlock Origin and Privacy Badger are built to intercept third-party tracker domains. chrome-extension:// resource probes aren't third-party requests — they look like internal browser fetches. A VPN doesn't change this either. The technique sidesteps the entire category of defenses most users rely on.
How to check which of your extensions can be detected
Not every extension is fingerprint-able. An extension only shows up in a webpage's probe if it declares web_accessible_resources in its manifest. Extensions that run entirely in the background with no exposed files are invisible to this technique.
The key question is: which of your extensions expose web-accessible resources?
You can check each of your extensions in the Extenshi catalog. The manifest data for each extension shows whether web_accessible_resources is declared — and if so, which files are exposed. An extension with no web-accessible resources cannot be fingerprinted this way. One with them can be detected by any site that knows its ID.
There's no complete fix within Chrome's current architecture. Eckelberry at Malwarebytes noted it "is not fully possible for an extension to hide itself without some changes to a browser's underlying technology." This is a structural gap in Chrome's extension model, not something an individual extension developer can fully patch.
What you can do right now:
- Remove extensions you don't actively use. Fewer extensions = smaller fingerprint surface.
- Check your extension manifests. Look up your installed extensions on catalog.extenshi.io and see whether they declare web-accessible resources.
- Use Firefox for sensitive sessions. Firefox with
privacy.resistFingerprintingenabled randomizes extension resource URLs per site, breaking the side-channel. You can browse privacy-focused extensions in the catalog to find ones that work across browsers. - Incognito mode doesn't help by default. Extensions enabled in incognito mode are still detectable via the same technique.
The LinkedIn case is almost certainly not the only example of this happening — it's just the one that got caught and verified. Any ad platform, recruiter tool, or SaaS product that runs JavaScript on pages you visit could be running similar probes. The technique is trivial to implement and costs almost nothing.
See which of your installed extensions expose web-accessible resources — and which ones a fingerprinting script could detect.
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
The `tabs` permission explained: what browser extensions can really see in your open tabs
The tabs permission lets Chrome extensions log every URL you visit in real time — no history permission needed. Here's what it does and how to audit yours.
AI extension data collection explained: what your Chrome AI tools can really access
52% of AI Chrome extensions collect user data, a 2026 study found. Here's what permissions like scripting actually let them see and how to check yours.
The `nativeMessaging` permission explained: what browser extensions can really do outside your browser
The native messaging permission lets browser extensions talk to native apps outside Chrome's sandbox. Here's what it really enables — and how to check yours.