LinkedIn probes 6,278 Chrome extensions per visit, encrypts results via RSA, and injects them as HTTP headers into every subsequent API request.
Key Takeaways
The extension list has grown from 38 entries in 2017 to 6,278 as of April 2026; it is actively maintained and was built with automated Chrome Web Store crawling tooling.
Two detection systems run in parallel: a hardcoded ID list probed via fetch() to chrome-extension:// URLs, and a DOM-walking system called Spectroscopy that catches extensions not on the list.
Scan modes include parallel (Promise.allSettled) and sequential with configurable delays to reduce monitoring visibility; execution can be deferred to requestIdleCallback to avoid user-visible slowdown.
Detected extension IDs are packaged into AedEvent and SpectroscopyEvent objects, RSA-encrypted, and sent to the li/track endpoint, then injected as a header into every API call for the session.
None of this is disclosed in LinkedIn’s privacy policy; extensions tied to job search, political content, religious practice, disability, and neurodivergence are in the list, attached to verified professional identity.
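A fetch() from a web page to a chrome-extension:// URL resolves only when the extension lists that file under web_accessible_resources for the requesting origin, so the ID-list probe depends on what each extension's manifest exposes. The following is an added example, not code from LinkedIn or the article: a manifest audit an extension developer can run to see which files any website can fetch by static ID. The function names and both sample manifests are constructed for illustration, and the check does not cover the DOM-walking Spectroscopy path.

```javascript
// Match patterns that expose a resource to every website.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns the web-accessible files that an arbitrary site could fetch
// at chrome-extension://<static id>/<path>, with the reason for each.
function auditManifest(manifest) {
  const war = manifest.web_accessible_resources || [];
  const findings = [];
  for (const entry of war) {
    if (typeof entry === "string") {
      // Manifest V2 form: a flat list of paths, readable by every origin.
      findings.push({ path: entry, reason: "MV2 entry is exposed to all origins" });
      continue;
    }
    const broad = (entry.matches || []).filter((m) => BROAD.has(m));
    // Entries limited to named sites or extension_ids are not flagged here;
    // the named sites can still probe them.
    if (broad.length === 0) continue;
    // use_dynamic_url replaces the static ID in the URL with a per-session
    // value, so a probe built from the Web Store ID does not resolve.
    if (entry.use_dynamic_url === true) continue;
    for (const path of entry.resources || []) {
      findings.push({ path, reason: `matches ${broad.join(", ")} without use_dynamic_url` });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_MV3 = {
  manifest_version: 3,
  name: "constructed-sample-mv3",
  web_accessible_resources: [
    { resources: ["img/logo.png"], matches: ["<all_urls>"] },
    { resources: ["inject.js"], matches: ["<all_urls>"], use_dynamic_url: true },
    { resources: ["panel.html"], matches: ["https://example.com/*"] },
  ],
};
const SAMPLE_MV2 = {
  manifest_version: 2,
  name: "constructed-sample-mv2",
  web_accessible_resources: ["icon.png", "ui/*.css"],
};

for (const m of [SAMPLE_MV3, SAMPLE_MV2]) {
  console.log(m.name, auditManifest(m));
}
```

An empty result means no file is reachable by static ID from arbitrary sites; an extension with no web_accessible_resources key at all also returns an empty result.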
Hacker News Comment Review
Commenters split on whether Chrome itself is the root problem, with one asking why Chrome allows arbitrary sites to probe extension presence at all via chrome-extension:// URLs.
The criminal investigation angle drew attention: the Bavarian Central Cybercrime Prosecution Office has an open case, and browsergate.eu reportedly provided the case number to the author directly.
A factual dispute emerged over whether a quote attributed to “Milinda Lakkam” confirming LinkedIn took enforcement action against extension users is verifiable, with at least one commenter unable to locate corroboration.
Notable Comments
@3dsnano: Raises the practitioner ethics question directly: when asked to implement surveillance like this at your job, do you object and risk termination, or comply?
@stevenicr: Reports li.protechts.net consuming 2GB RAM and 8% CPU across idle LinkedIn tabs in Firefox with uBlock Origin, suggesting persistent background activity beyond the extension scan.