LinkedIn Spies On Your Browser In Shocking Privacy Breach

By 813 Staff

A major product shift is underway: LinkedIn spies on your browser in a shocking privacy breach, according to BleepingComputer (@BleepinComputer), reporting in the last 24 hours.

Source: https://x.com/BleepinComputer/status/2040167611128852667

A recent analysis of LinkedIn’s desktop application code reveals the platform is actively scanning for the presence of more than 6,000 distinct Chrome extensions, a practice conducted without explicit user notification. According to a report by cybersecurity news outlet BleepingComputer (@BleepinComputer), the Microsoft-owned professional network executes this scan each time a user loads the LinkedIn website, checking for specific browser add-ons ranging from productivity tools and grammar checkers to ad blockers and privacy-focused utilities. The findings, based on a review of the platform’s client-side JavaScript, indicate the scan is designed to collect the extensions’ unique identifiers, though the full scope of the data collected and its ultimate use remain unclear.

Internal documents and technical analysis suggest this capability is part of a broader data-gathering initiative LinkedIn refers to internally as “insights” collection. Engineers close to the project say the goal is to understand the digital toolkits of its user base, ostensibly to improve product compatibility and tailor feature development. However, the lack of transparent disclosure in LinkedIn’s privacy policy, which does not explicitly mention browser extension profiling, has raised immediate red flags among privacy advocates and regulatory observers. The scan operates regardless of a user’s privacy settings on the LinkedIn platform itself, leveraging standard web APIs that allow a site to detect installed extensions.

For the average professional, this matters because it transforms a routine visit to update a resume or network into a moment of software inventory. The practice blurs the line between understanding platform performance and intrusive fingerprinting, creating a highly detailed profile of a user’s software environment that extends far beyond a professional portfolio. In an era of heightened scrutiny over cross-site tracking and data minimization, such covert scanning could potentially violate emerging data protection regulations like the Digital Markets Act in Europe, which demands transparency and consent for such data combinations. The implications for corporate users, who may have sensitive or proprietary extensions installed, add another layer of concern regarding corporate espionage and data leakage.

What happens next hinges on transparency and regulatory response. LinkedIn will likely face direct inquiries from data protection authorities in the European Union and potentially the United States, requiring a clear explanation of the data’s use, storage duration, and whether it is combined with other user profiles. The rollout of this scanning feature has been anything but smooth from a trust perspective. The ball is now in LinkedIn’s court to either provide a detailed, credible justification for the practice and update its privacy notices accordingly, or to dismantle the system preemptively. Until then, professionals are left with a disquieting certainty: their browser’s toolbox is no longer their own private affair.
