LinkedIn is searching your browser extensions
What LinkedIn is doing and how
- LinkedIn’s JavaScript on Chromium-based browsers probes for thousands of specific Chrome extension IDs.
- It uses fetch to request chrome-extension://<id>/<file> for each target; success implies the extension is installed.
- It also scans the DOM for chrome-extension:// traces left by content scripts.
- This runs only when the UA string indicates “Chrome”; Firefox’s randomized extension IDs largely block this specific method.
Browser and extension security discussion
- Several commenters stress this is possible because Chrome exposes web-accessible resources by static extension ID; Manifest V3’s use_dynamic_url can mitigate but is not default.
- Some argue “there’s nothing to patch” because extensions opt into being visible via web_accessible_resources/externally_connectable; others reply that allowing arbitrary pages to probe those URLs is itself a browser design flaw.
- Firefox randomizes IDs and limits detection to extensions that themselves leak information into the page.
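
An added example (not from the thread or from LinkedIn's code): a defender-side audit that reads extension manifests and reports which ones expose web-accessible resources under the static extension ID to a given page origin, which is the condition the probing described above depends on. The function names, the SAMPLE manifests and the example.com origin are constructed for illustration; it runs under Node.js.

```javascript
// Added example. Function names and SAMPLE manifests are constructed.
// True if a match pattern (scheme://host/*) covers the page origin.
function patternCoversOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\//.exec(pattern);
  if (!m) return false; // malformed or unsupported pattern: no match
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  if (m[1] === "*" ? !/^https?$/.test(scheme) : m[1] !== scheme) return false;
  if (m[2] === "*") return true;
  if (m[2].startsWith("*.")) {
    const base = m[2].slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === m[2];
}

// Resource paths a page at `origin` could request under the static extension ID.
function probeableResources(manifest, origin) {
  const exposed = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") { // Manifest V2: flat list, no per-origin scoping
      exposed.push(entry);
    } else if (entry.use_dynamic_url !== true &&
               (entry.matches || []).some((p) => patternCoversOrigin(p, origin))) {
      exposed.push(...(entry.resources || []));
    } // use_dynamic_url: true is skipped (resource is not served under the static ID)
  }
  return exposed;
}

// Audit a { name: manifest } map and keep only the extensions with exposure.
function auditAll(manifests, origin) {
  return Object.entries(manifests)
    .map(([name, m]) => ({ name, exposed: probeableResources(m, origin) }))
    .filter((r) => r.exposed.length > 0);
}

const SAMPLE = { // constructed manifests, not real extensions
  "mv2-legacy": { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  "mv3-all-urls": { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.js"], matches: ["<all_urls>"] }] },
  "mv3-dynamic": { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.html"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  "mv3-scoped": { manifest_version: 3, web_accessible_resources: [
    { resources: ["panel.css"], matches: ["https://*.example.org/*"] }] },
  "no-war": { manifest_version: 3 },
};
console.log(JSON.stringify(auditAll(SAMPLE, "https://www.example.com"), null, 2));
```

To audit a real profile, load each installed extension's manifest.json into the map passed to auditAll and use the origin of the site you are concerned about.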
Legal and ethical concerns
- Many see this as invasive fingerprinting and a “massive violation of trust,” especially because the probe list includes extensions revealing religion, politics, health, or neurodivergence.
- EU-focused commenters connect it to GDPR Article 9 (special-category data) and the DMA.
- In the US, some point to employment law: providing tools that enable discrimination in hiring based on protected traits could be risky.
- Others say it resembles common browser fingerprinting and question whether it is actually illegal, noting the analysis was written by non-lawyers and may overstate case law.
Motivations and use of data
- One camp: LinkedIn is primarily trying to detect scrapers, spam/automation tools, and malicious or misleading extensions, and extension probing is a pragmatic anti-abuse technique.
- Another camp: the same data is extremely valuable for profiling, audience segmentation, and ad targeting (e.g., inferring religious or political leanings, competitor usage), and there is no technical barrier to such use.
- A LinkedIn-side statement in the thread claims the data is used only for ToS enforcement and site stability, not to infer sensitive traits; multiple replies express skepticism and demand proof.
Responses, mitigations, and broader context
- Many criticize the headline (“searching your computer”) as misleading; they argue it’s “only” scanning the browser, though others counter that, functionally, the browser is a major part of “your computer.”
- Strong sentiment against Chrome/Chromium: seen as structurally aligned with tracking; Firefox (with uBlock Origin, containers, resistFingerprinting) is repeatedly recommended.
- Commenters emphasize that ad blockers don’t fully stop fingerprinting; disabling or restricting JS and reducing extensions are suggested.
- Several express fatigue and resignation that such surveillance is now widespread, while others call for regulation with real penalties and, in the meantime, personal actions like deleting LinkedIn or isolating it in a separate browser/profile.