What Is BrowserGate, and What Did LinkedIn Actually Do?
Security researchers have published findings — quickly labelled 'BrowserGate' by the community — showing that LinkedIn embeds hidden JavaScript on its pages that probes visitors' browsers for the presence of more than 6,000 Chrome extensions. The script works by attempting to access extension-specific resource files, which behave differently depending on whether the extension is installed. By reading these responses, LinkedIn can build a detailed map of which tools a visitor has loaded in their browser. The data gathered goes beyond extension lists. Researchers identified that the scanning also collects device characteristics including screen resolution, installed fonts, and browser configuration details. Combined, this information creates what security professionals call a browser fingerprint — a profile specific enough to identify and track an individual across sessions, even without cookies. LinkedIn has not denied the behaviour. Microsoft, which owns LinkedIn, has not issued a detailed public explanation of why 6,000+ extensions are being probed or what the collected data is used for. That silence is itself telling. The original report was covered by BleepingComputer and has since drawn attention from privacy researchers and enterprise security teams across the UK and internationally.
Why Browser Fingerprinting Is a Security Problem, Not Just a Privacy One
The immediate reaction from many is to frame this as a privacy concern — and it is. But the security implications run deeper, and they matter specifically to IT and security teams protecting business environments. Here's the problem: your employees' browsers are a window into your security posture. The extensions installed on a corporate device can reveal which security tools are active, which are absent, and which might have known vulnerabilities. A browser scan that identifies the presence (or absence) of a corporate VPN extension, a password manager, or an endpoint security plugin gives any observer — not just LinkedIn — a partial inventory of your defences. If that data is stored, aggregated, or ever exposed through a breach, it becomes reconnaissance material. Threat actors who know which security extensions your workforce uses (and which they don't) can tailor attacks accordingly. This is the same logic behind why attackers probe networks before launching an attack — the data reduces uncertainty and improves targeting. BrowserGate also raises a harder question: if LinkedIn is doing this, who else is? The technique is not new. Advertisers and data brokers have used extension probing and browser fingerprinting for years. LinkedIn's scale simply made it newsworthy. Any high-traffic website your employees visit could be running similar scripts.
What This Reveals About Your Organisation's Exposed Attack Surface
Most organisations think about their attack surface in terms of servers, endpoints, and network perimeters. Browser behaviour sits in a grey zone — it's acknowledged as a risk but rarely measured systematically. Every time an employee visits a site that runs fingerprinting scripts, they potentially disclose: The security tools installed in their browser — or the absence of them. Outdated extensions with known CVEs that haven't been patched or removed. Personal extensions installed on corporate devices that bypass acceptable use policies. Browser configuration details that correlate with specific operating system versions or patch levels. For organisations without visibility into browser extension inventory across their fleet, this is an unmonitored data leak happening at scale — every single day, on every site visit. This is precisely the kind of exposure that attack surface management tools are built to surface. Hadrian, which Kyanite Blue offers for continuous attack surface monitoring, maps externally visible risk including the kind of configuration signals that fingerprinting exploits. Understanding what an external observer can learn about your environment is the first step to reducing it. You can learn more at /products/hadrian.
- Security tool inventory disclosed through extension probing
- Outdated extensions with unpatched CVEs become visible externally
- Personal extensions on corporate devices bypass policy controls
- Browser configuration signals correlate with OS version and patch level
The Data Collection Problem: Where Does It Go After the Scan?
Even if you trust LinkedIn's stated intentions, the data collection itself creates risk independent of purpose. Any dataset that is collected can be breached, subpoenaed, or sold. LinkedIn has experienced significant data scraping incidents before — in 2021, data associated with approximately 700 million LinkedIn users was scraped and posted for sale online, affecting roughly 93% of the platform's user base at the time (reported by RestorePrivacy, June 2021). When browser fingerprint data gets added to that kind of profile, the risk compounds. A fingerprint tied to a named professional profile, their employer, their device characteristics, and their installed security tools is a target-rich dataset for spear phishing, business email compromise, and social engineering campaigns. Put simply: the more data that exists about your employees' devices and digital habits, the more material attackers have to work with. Data exfiltration risk isn't only about data leaving your network. It also includes data about your network and people being harvested by third parties and later weaponised. Organisations handling sensitive data, operating in regulated industries, or managing privileged access should treat this kind of passive browser data collection as part of their data risk surface — not an abstract privacy concern.
What Should Organisations Actually Do About This?
There is no single patch for BrowserGate. The technique exploits how browsers work by design. That said, there are concrete steps organisations can take to reduce exposure. Manage browser extensions centrally. In enterprise environments, IT teams should enforce extension allowlists via browser management policies — Google Chrome Enterprise and Microsoft Edge for Business both support this. Employees should not be able to install arbitrary extensions on corporate devices. Every unapproved extension is an unaudited variable in your security posture. Audit what is installed. Run an inventory of extensions across your fleet. Look for extensions that are outdated, have excessive permissions, or have been flagged in vulnerability databases. The CVE database regularly includes browser extension vulnerabilities — these don't receive the same attention as OS or application CVEs, but they are exploitable. Apply browser hardening. Disable or restrict web APIs that fingerprinting scripts rely on. Browser security policies can limit what JavaScript can probe. Security-conscious organisations should include browser hardening as part of their endpoint configuration baseline. Consider what sites your workforce visits — and from what devices. If employees access LinkedIn, social media, and other high-traffic commercial platforms from the same devices used for privileged corporate access, the fingerprinting risk is amplified. Network segmentation and device policy both play a role here. Monitor for data exfiltration patterns. Browser-based data collection that escapes to third-party servers can, in some configurations, be detected at the network level. Tools that monitor outbound data flows — particularly those watching for unusual or high-volume requests to analytics and tracking endpoints — provide an additional layer of visibility.
The Bigger Pattern: Legitimate Platforms as Data Collection Vectors
BrowserGate fits a pattern that threat intelligence teams have been watching for several years. The boundary between legitimate commercial data collection and behaviour that creates security risk is increasingly blurred. Advertising networks, analytics platforms, social media embeds, and now professional networks are all running code on your employees' browsers. That code has access to the same browser environment as everything else running in that session. The attack surface isn't just the dark web and phishing emails — it's also the entirely routine sites your workforce visits during a normal working day. This matters for supply chain risk as well. Organisations that have invested in third-party risk management through tools like Panorays (/products/panorays) understand that their risk extends to every service their vendors and partners touch. A vendor whose employees' browsers are being fingerprinted at scale is a vendor whose security posture is partially visible to external parties — and that visibility flows back to you. The security industry has spent years hardening the network perimeter. The browser is now one of the most consequential points of exposure, and it receives a fraction of the attention.
How to Protect Your Business Against Browser-Based Data Exposure
BrowserGate is a prompt to reassess how your organisation treats browser environments — and what visibility you have into what data leaves them. For UK businesses, Coro (/products/coro) provides unified protection across endpoints, email, and cloud applications. Within an endpoint security framework, Coro helps enforce device policies that restrict unauthorised software and extension installation, reducing the number of variables that a fingerprinting scan could expose. Consistent endpoint policy is the foundation of reducing browser-based risk. For attack surface visibility, Hadrian (/products/hadrian) gives organisations continuous, AI-driven mapping of their external exposure. Understanding what an attacker — or a fingerprinting script — can learn about your environment from the outside is the only way to reduce that signal. Hadrian identifies exposed assets and configuration details that organisations often don't know are visible. For data exfiltration risk specifically, BlackFog (/products/blackfog) addresses the outbound data problem directly. BlackFog's anti data exfiltration technology monitors and blocks unauthorised data leaving devices — including the kind of browser-level data collection that fingerprinting scripts perform. Where conventional security tools focus on what comes in, BlackFog focuses on what goes out. You can assess your current data exfiltration exposure at /data-exfiltration-risk. If you're uncertain where browser risk sits in your current security posture, the right starting point is an honest assessment. Talk to the Kyanite Blue team about what your organisation's browser attack surface actually looks like, and where the gaps are. Visit /contact to start that conversation — no commitment required, just clarity.
Frequently Asked Questions
What is browser fingerprinting and why is it a security risk?
Browser fingerprinting is the practice of collecting device and browser characteristics — such as installed extensions, screen resolution, and font lists — to create a unique identifier for a visitor. It poses a security risk because it can expose which security tools are installed on a device, reveal outdated software, and generate profile data that attackers can use for targeted phishing or social engineering campaigns.
Can LinkedIn scanning Chrome extensions affect my organisation's security?
Yes. LinkedIn's extension scanning can reveal which security tools are present or absent on an employee's browser, including corporate VPN clients and endpoint protection plugins. If that data is later breached or aggregated, it becomes reconnaissance material for attackers. Organisations without central extension management policies are particularly exposed to this type of passive information disclosure.
How do I stop websites from scanning my browser extensions?
Organisations can reduce browser extension scanning exposure by enforcing extension allowlists through enterprise browser management policies such as Chrome Enterprise or Edge for Business, applying browser hardening configurations that restrict JavaScript API access, and using endpoint security tools that enforce consistent device policy. Monitoring outbound data flows can also help detect unusual browser-to-server data collection activity.