LinkedIn probes Chrome for 6,278 extensions on every visit, encrypts results with RSA, and injects them as an HTTP header into every subsequent API request.
Key Takeaways
The hardcoded extension list grew from 38 entries in 2017 to 6,278 as of April 2026; it is actively maintained via automated Chrome Web Store crawling.
Two detection systems run in parallel: a fetch()-based probe against chrome-extension://{id}/{file} URLs, and Spectroscopy, which walks the DOM for any extension-injected references.
Results feed into APFC (Anti-fraud Platform Features Collection), also called DNA (Device Network Analysis), alongside 48 other signals including canvas, WebGL, WebRTC local IP, and battery level.
LinkedIn can infer job-search intent, political/religious affiliation, disability accommodations, and employer tooling stacks from the extension inventory, all tied to a verified professional identity.
The Bavarian Central Cybercrime Prosecution Office has opened a criminal investigation; browsergate.eu argues LinkedIn’s enforcement against extension users violates the EU Digital Markets Act.
Hacker News Comment Review
Commenters flagged writing quality red flags – broken GitHub links pointing to a 9-year-old abandoned repo and phrasing consistent with LLM-assisted drafting – raising sourcing credibility concerns before the technical claims.
A key quote attributed to LinkedIn’s Milinda Lakkam (“LinkedIn took action against users who had specific extensions installed”) could not be independently verified by at least one commenter, flagging it as potentially fabricated.
Debate split between “this is Chrome’s fault for exposing web_accessible_resources to any webpage” and “LinkedIn built deliberate infrastructure to exploit it at scale” – both can be true simultaneously.
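The Chrome-side half of that debate comes down to one manifest key. As an added example that is not from the article, LinkedIn, or any commenter, the Node.js audit below reads a constructed extension manifest and reports which web_accessible_resources a page on any origin can fetch, which is exactly what a chrome-extension://{id}/{file} probe relies on (MV2 lists are always exposed; MV3 entries are exposed when matches is broad and use_dynamic_url is not set). All manifests and file names are constructed.

```javascript
// Added example (not the article's or LinkedIn's code): audit a Chrome
// extension manifest for web_accessible_resources reachable from any web
// origin. A static chrome-extension://<id>/<file> URL is only fetchable by a
// page if the file is listed there, so this is the exposure a probe relies on.

// True when a match pattern admits every origin (assumption: only these forms
// count as "broad"; host-scoped patterns like https://example.com/* do not).
function isBroadMatch(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Returns one finding per exposed resource set: { resources, reason }.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    // MV2: a flat list of paths, always reachable from every web origin.
    if (war.length > 0) findings.push({ resources: war, reason: 'MV2 list is exposed to all origins' });
    return findings;
  }
  for (const entry of war) {
    // use_dynamic_url swaps the static extension id for a per-session id,
    // so a probe keyed on the known id no longer resolves.
    if (entry.use_dynamic_url === true) continue;
    const broad = (entry.matches || []).filter(isBroadMatch);
    if (broad.length > 0) {
      findings.push({ resources: entry.resources, reason: `matches ${broad.join(', ')}` });
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const sampleManifests = {
  mv2Exposed: { manifest_version: 2, web_accessible_resources: ['icon.png'] },
  mv3Exposed: { manifest_version: 3, web_accessible_resources: [
    { resources: ['inject.js'], matches: ['<all_urls>'] } ] },
  mv3Scoped: { manifest_version: 3, web_accessible_resources: [
    { resources: ['inject.js'], matches: ['https://example.com/*'] } ] },
  mv3Dynamic: { manifest_version: 3, web_accessible_resources: [
    { resources: ['inject.js'], matches: ['<all_urls>'], use_dynamic_url: true } ] },
};

for (const [name, manifest] of Object.entries(sampleManifests)) {
  const findings = auditWebAccessibleResources(manifest);
  console.log(name, findings.length === 0 ? 'not enumerable via static URL' : JSON.stringify(findings));
}
```

Only mv2Exposed and mv3Exposed produce findings; the host-scoped and dynamic-URL entries are not reachable by a static probe from an arbitrary origin.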
Notable Comments
@ro_bit: Reframes the root issue as a Chrome API problem: why does the browser expose installed extensions to arbitrary websites at all?
@StilesCrisis: Could not locate the Milinda Lakkam sworn testimony quote anywhere, flagging it as a potential hallucination in the article.
@3dsnano: Raises the practitioner ethics question directly: when asked to build surveillance like this, do you object and lose the job, or comply.