
LinkedIn Covertly Scans for Thousands of Chrome Extensions, Raising Major Privacy and Competitive Concerns


A new investigation, dubbed "BrowserGate," has revealed that Microsoft's LinkedIn platform is covertly executing JavaScript that scans visitors' web browsers for thousands of installed extensions and collects detailed device data. According to a report by Fairlinked e.V., an association representing commercial LinkedIn users, the platform injects this code into user sessions. The scripts check for the presence of over 6,000 browser extensions and, critically, link the scan results to identifiable user profiles. Because LinkedIn profiles are inherently tied to real-world identities, employers, and professional roles, this practice allows the platform to amass a highly sensitive dataset combining personal, corporate, and competitive intelligence.

The implications of this data collection are profound, particularly from a competitive intelligence standpoint. The report specifies that LinkedIn scans for more than 200 products that directly compete with its own sales and recruitment tools, including platforms like Apollo, Lusha, and ZoomInfo. By correlating the detected extensions with a user's employer information, LinkedIn can effectively map which companies are using competing software products. "It is extracting the customer lists of thousands of software companies from their users' browsers without anyone's knowledge," the report states. This provides LinkedIn with an unfair market advantage, allowing it to identify and potentially target the client bases of its rivals.

Beyond corporate espionage, the practice raises severe privacy and security concerns. The covert scanning occurs without explicit user consent or clear disclosure, turning a user's browser into a data-gathering tool for LinkedIn's broader business interests. Furthermore, the report alleges that LinkedIn is already leveraging this clandestinely obtained data for enforcement actions. "LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets," the authors claim. This suggests the data is not merely for analytics but is actively used to police platform use, potentially penalizing users for installing extensions LinkedIn deems undesirable.

BleepingComputer has independently confirmed key aspects of this investigation. During testing, researchers observed a JavaScript file with a randomized name being loaded from LinkedIn's domain, which contained code designed to check for a vast array of browser extensions. This validation adds technical credence to the allegations. The revelation places LinkedIn's practices under intense scrutiny, questioning compliance with data protection regulations like the GDPR in the EU and highlighting a growing trend of platforms weaponizing browser data collection for competitive gain and user control, all under the guise of standard website operation.
