LinkedIn's Hidden Scan Catalogs 6,278 Extensions, Including Apollo and Lusha

LinkedIn’s 2.7MB scanning bundle now probes 6,278 extension IDs and ties the result to your real name and employer.

LinkedIn injects a 2.7MB JavaScript bundle that probes visiting browsers for 6,278 specific Chrome extension IDs, encrypts the result, and ties the fingerprint to your real name and employer. The catalog grew from 38 entries in 2017 to over 6,000 by April 2026, with 708 extensions added between December 2025 and February 2026 alone. Apollo, Lusha, and ZoomInfo are on the list.

How the scan actually works

The trick is older than it looks. Chrome lets sites send fetch() requests to chrome-extension:// URLs, and if an extension is installed and declares the requested file under web_accessible_resources in its manifest, the request returns content silently. If the extension is not there, Chrome blocks the request and logs an error. Either way, the page now knows. LinkedIn runs this in two modes: parallel via Promise.allSettled(), or sequential with configurable delays so the network tab does not look obviously suspicious. 404Privacy walked through the code in detail, and the technique is reproducible with a few lines of JavaScript.

The result of the scan gets bundled into a payload encrypted with an RSA public key, sent to the li/track endpoint, and then attached as an HTTP header to every API request your session makes after that. So it is not a one-time signal. It becomes a persistent passport tied to your profile. BleepingComputer ran its own test and confirmed the script does what the report claims.

The catalog grew 1,252% in two years

In 2017 LinkedIn was scanning for 38 extensions. By 2024 it was 461. By February 2026 the list hit 6,167. That is a 1,252% increase in two years, and the December-to-February window alone added 708 entries, roughly 12 new extensions per day. The current count, per the report from Fairlinked e.V., is 6,278 as of April 2026. The full list and methodology sit at browsergate.eu.

What is actually on the list is the part nobody on LinkedIn's privacy team prepared a clean answer for. The Fairlinked report and follow-on coverage from PPC Land catalog these categories among the scanned extensions: job-search tools, sales intelligence (Apollo, Lusha, ZoomInfo and roughly 200 competing products), grammar checkers, tax professional tools, accessibility software for neurodivergent users, religious practice apps, and political content blockers.

The last few categories are the ones that turn this from a security story into a regulatory one. Under GDPR, extensions that reveal religion, political views, or health conditions sit inside the special-category data definition. Inferring those traits from a covert browser probe is exactly what Article 9 was written to stop.

The defense LinkedIn is running with

LinkedIn told Tom's Hardware and others that the scanning exists "to look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service." They added that they do not use the data to "infer sensitive information about members."

That defense holds up for maybe 200 of the 6,278 entries. The job-scraping argument does not really explain why the script also detects a German tax software extension or a religious calendar app. SecurityWeek pushed back on some of the more lurid framings in the original report and pointed out that a meaningful chunk of the catalog is genuinely focused on scraper bots, which is a real abuse problem on LinkedIn.

Both things can be true at once. The anti-scrape argument covers part of the list. The other part is harder to defend with that argument alone, and it is the part that matters to anyone running a B2B prospecting team.

Why this matters if your team runs Apollo or Lusha

If you are a sales or marketing leader, the practical concern is not really "is LinkedIn spying on me as an individual." It is "what does LinkedIn's commercial team know about my company's tech stack that I have not approved them knowing," because every BDR on your team logs into LinkedIn as themselves. Their employer is on their profile. The extensions installed in their work browser get scanned and the fingerprint gets tied to that company.

So if 12 BDRs at your company show up running Apollo, LinkedIn now has a directional read on which competing data tool you have standardized on. From what I have seen of how Sales Navigator pricing tends to land in renewal conversations, that kind of stack visibility is exactly the thing renewal reps would love to have. I am not saying LinkedIn is using it that way. I am saying the data exists, and it sits inside a Microsoft business unit that has a sales motion to run.

There is also the inverse problem. If your team uses an extension to anonymize LinkedIn activity (some recruiting tools and security extensions do this), being detected may quietly degrade what you see in the feed or in search. The report does not prove this, but the architecture supports it.

In January 2026, Estonian software company Teamfluence filed for a preliminary injunction against LinkedIn Ireland and LinkedIn Germany at the Regional Court of Munich. The complaint cites Digital Markets Act violations, EU competition law, and German data protection rules. CX Today has the docket detail.

Bavaria's Cybercrime Prosecution Office has confirmed an active criminal investigation. That is not a regulatory letter; that is a prosecutor. If even one EU court blocks the practice in a preliminary ruling, LinkedIn either has to disclose the catalog publicly (which would expose what it actually scans for), pull the scanning, or carve out a region-specific behavior. None of those options ends quietly.

US enforcement is a different story. There is no federal equivalent of GDPR, and the relevant FTC posture under the current administration has been notably less aggressive on browser-fingerprinting cases. The exposure is mostly European for now, which means the Munich preliminary ruling is the load-bearing event to watch.

The 30-minute extension audit

This is the part where the abstract becomes concrete. Three checks, none of which takes more than 30 minutes.

First, look at what extensions your sales team has installed in their work Chrome profile. Most companies still do not have a managed extension policy in place. If your BDRs are running Apollo, Lusha, ZoomInfo, or a recruiter automation tool, LinkedIn already has a fingerprint that says so. The question is whether you are comfortable with that being a public-ish fact about your company. Decide, and then either accept it or move those extensions to a dedicated browser profile that does not log into LinkedIn at all; the probe can only see extensions loaded in the profile that opened the page.

Second, audit which categories of the 6,278 your team might fall into beyond the obvious sales tools. Grammar checkers. Job-board extensions. Anything privacy-related. The list itself is published as part of the browsergate.eu disclosure and you can match it against your team's installed extensions.

Third, if you operate in the EU, talk to your privacy counsel before next week. The Teamfluence injunction will get reported on, and a regulator inquiry to your DPO is plausible if your company shows up in the BrowserGate-adjacent press cycle. The Next Web's coverage is a clean primer to forward to legal.
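The first two checks, together with the probe mechanism described under "How the scan actually works", can be scripted. The following is an added example, not code from the report or from LinkedIn's bundle: it walks a Chrome profile's Extensions directory, marks each extension ID that appears in a catalog of IDs, and flags the ones whose manifest exposes web-accessible resources broadly enough that a page on any origin could detect them. It assumes Chrome's on-disk layout <profile>/Extensions/<id>/<version>/manifest.json and runs against a constructed profile with constructed IDs; in practice you would point inventory() at a real profile path and load the published ID list into the catalog set.

```python
import json
import tempfile
from pathlib import Path

SAMPLE_CATALOG = {"a" * 32, "c" * 32}  # constructed IDs; load the published list here

def probeable(manifest: dict) -> bool:
    """True when a page on any origin can fetch a file from this extension: MV2 exposes
    every listed resource to every site, MV3 only where an entry's 'matches' is broad."""
    resources = manifest.get("web_accessible_resources", [])
    if manifest.get("manifest_version", 2) < 3:
        return bool(resources)
    broad = {"<all_urls>", "*://*/*", "https://*/*", "http://*/*"}
    return any(m in broad for e in resources for m in e.get("matches", []))

def inventory(profile_dir: Path, catalog_ids: set) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chrome's on-disk layout)."""
    rows = []
    for ext_dir in sorted((profile_dir / "Extensions").iterdir()):
        versions = sorted(v for v in ext_dir.iterdir() if (v / "manifest.json").is_file())
        if not versions:
            continue
        manifest = json.loads((versions[-1] / "manifest.json").read_text())  # highest-sorting version
        rows.append({"id": ext_dir.name, "name": manifest.get("name", "?"),
                     "in_catalog": ext_dir.name in catalog_ids, "probeable": probeable(manifest)})
    return rows

def build_sample_profile(root: Path) -> Path:
    """Constructed fixture: three fake extensions with different exposure levels."""
    fixtures = {
        "a" * 32: {"manifest_version": 2, "name": "MV2 sales tool",
                   "web_accessible_resources": ["icon.png"]},
        "b" * 32: {"manifest_version": 3, "name": "MV3 scoped", "web_accessible_resources":
                   [{"resources": ["x.js"], "matches": ["https://example.com/*"]}]},
        "c" * 32: {"manifest_version": 3, "name": "MV3 wide open", "web_accessible_resources":
                   [{"resources": ["x.js"], "matches": ["<all_urls>"]}]},
    }
    for ext_id, manifest in fixtures.items():
        d = root / "Extensions" / ext_id / "1.0.0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
    return root

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:  # the constructed profile is deleted afterwards
        return inventory(build_sample_profile(Path(tmp)), SAMPLE_CATALOG)

if __name__ == "__main__":
    for r in demo():
        print(f"{r['id'][:8]}... catalog={r['in_catalog']} probeable={r['probeable']} {r['name']}")
```

An MV3 entry whose matches pattern is scoped to a specific site is still reachable from that site, so extend the broad set with the origins you care about if you want to know what LinkedIn in particular can see.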

For broader patterns of platforms quietly turning identity into a data product, see our coverage of Spotify's Verified Badge becoming a brand-safety tier.

The internal stack you have built is more visible to LinkedIn than your contract suggests. Treat it that way for now and revisit the assumption when the Munich court actually rules.

Notice Me Senpai Editorial