Hadi Zeinaldeen

Published On: 15 May 2019

Crashing web/mobile clients by bypassing comment character limit

Rate Limits
LinkedIn | Web

Intercepting the comment request, adding a huge amount of text to it, and then forwarding it bypasses the character count limit. Client devices then crash while trying to load the comment.


By placing a really large comment on someone's post (potentially even a big account such as the official LinkedIn account, followed by millions of users), an attacker can disable access to that post and to any news feed the post appears in.

Reproduction Steps


Find a victim post and post a regular comment on it



Intercept the POST request



Edit the request body "newCommentText":{"values":[{"value":"my comment"}]}, replacing the comment value with a really large text, then forward the request.

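The report does not describe how the issue was fixed. As an added example (not code from the report or from LinkedIn), this is one way a server could enforce the limit on the "newCommentText" body from the last step, so the check no longer depends on the client; the limit values and function names are assumptions.

```javascript
'use strict';
// Added example: server-side enforcement of the comment length limit.
// MAX_COMMENT_CHARS and MAX_BODY_BYTES are assumed values, not LinkedIn's.
const MAX_COMMENT_CHARS = 1000;
const MAX_BODY_BYTES = 16 * 1024;

// Count Unicode code points, stopping as soon as the budget is exceeded so
// an oversized string is never walked in full.
function codePointsUpTo(str, budget) {
  let n = 0;
  for (const _ch of str) {
    if (++n > budget) break;
  }
  return n;
}

// Validate the raw request body (string) before the comment is stored.
// Returns { ok, status, reason } so the caller can map it to an HTTP response.
function validateCommentRequest(rawBody) {
  // Cheap size check first: never parse a body that is already too big.
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, status: 413, reason: 'body too large' };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, status: 400, reason: 'invalid JSON' };
  }
  const values = body && body.newCommentText && body.newCommentText.values;
  if (!Array.isArray(values) || values.length === 0) {
    return { ok: false, status: 400, reason: 'missing newCommentText.values' };
  }
  // The limit applies to the sum of all segments, so splitting the text
  // across several "values" entries cannot get around it.
  let remaining = MAX_COMMENT_CHARS;
  for (const seg of values) {
    if (!seg || typeof seg.value !== 'string') {
      return { ok: false, status: 400, reason: 'segment value must be a string' };
    }
    remaining -= codePointsUpTo(seg.value, remaining);
    if (remaining < 0) {
      return { ok: false, status: 422, reason: 'comment exceeds character limit' };
    }
  }
  return { ok: true, status: 200, reason: 'accepted' };
}
```

Clients that render comments can apply the same cap defensively before display, so content stored before the server-side check existed cannot crash them.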

Hadi 26 Mar 2019

Initial Report

LinkedIn 26 Mar 2019

Begin investigation

Thank you for your report. We will investigate it and get a response back to you when we have completed our analysis.

LinkedIn 27 Mar 2019

Issue Confirmation

We have confirmed the issue and are working towards a fix. We will be in touch as soon as we have any updates.

LinkedIn 13 Apr 2019

Issue Fix

We have confirmed that this issue has been resolved. Feel free to retest and let us know if your results vary. Thanks again for reporting this is ...

Hadi 13 Apr 2019

Fix Confirmation