Top reports from Rockstar Games program at HackerOne:
- The return of the < to Rockstar Games - 546 upvotes, $1000
- Account Takeover using Linked Accounts due to lack of CSRF protection to Rockstar Games - 227 upvotes, $0
- Stealing Facebook OAuth Code Through Screenshot viewer to Rockstar Games - 193 upvotes, $0
- XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker) to Rockstar Games - 189 upvotes, $0
- xss on https://www.rockstargames.com/GTAOnline/jp/screens/ to Rockstar Games - 154 upvotes, $0
- Stored XSS in Snapmatic + R★Editor comments to Rockstar Games - 114 upvotes, $0
- Unserialize leading to arbitrary PHP function invoke to Rockstar Games - 113 upvotes, $0
- SocialClub Account Take Over Through Import Friends feature to Rockstar Games - 110 upvotes, $0
- Referer Leakage Vulnerability in socialclub.rockstargames.com/crew/ leads to FB'S OAuth token theft. to Rockstar Games - 106 upvotes, $0
- CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ to Rockstar Games - 99 upvotes, $0
- Password and mail address stored unencrypted in memory - Rockstar Game Launcher to Rockstar Games - 81 upvotes, $750
- Open redirect vulnerability to Rockstar Games - 80 upvotes, $250
- Blind SSRF in emblem editor (2) to Rockstar Games - 74 upvotes, $1500
- LFI and SSRF via XXE in emblem editor to Rockstar Games - 73 upvotes, $1500
- Cache Poisoning DoS on updates.rockstargames.com to Rockstar Games - 73 upvotes, $0
- XSS on rockstargames.com to Rockstar Games - 70 upvotes, $500
- Facebook OAuth Code Theft through referer leakage on support.rockstargames.com to Rockstar Games - 67 upvotes, $0
- Unquoted Service Path in "Rockstar Game Library Service" to Rockstar Games - 60 upvotes, $0
- Insecure Direct Object Reference allows Crew Invite deletion to Rockstar Games - 55 upvotes, $0
- Brute Force against VMware Horizon to Rockstar Games - 50 upvotes, $250
- Stored XSS on support.rockstargames.com to Rockstar Games - 49 upvotes, $1000
- SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE to Rockstar Games - 47 upvotes, $1500
- full path disclosure on www.rockstargames.com via apache filename brute forcing to Rockstar Games - 47 upvotes, $0
- DOM XSS on https://www.rockstargames.com/GTAOnline/feedback to Rockstar Games - 45 upvotes, $0
- DOM based XSS on /GTAOnline/tw/starterpack/ to Rockstar Games - 45 upvotes, $0
- Bypass CAPTCHA protection to Rockstar Games - 44 upvotes, $500
- Social Club Account Takeover Via RGL And Steam/Epic Linked Account to Rockstar Games - 43 upvotes, $1000
- Stored XSS in profile activity feed messages to Rockstar Games - 41 upvotes, $1000
- Improper Authentication inside the Rockstar Games Launcher which leads to Account takeover to some extend to Rockstar Games - 40 upvotes, $750
- CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' to Rockstar Games - 39 upvotes, $0
- Smuggle SocialClub's Facebook OAuth Code via Referer Leakage to Rockstar Games - 35 upvotes, $750
- DOM Based xss on https://www.rockstargames.com/ ( 1 ) to Rockstar Games - 33 upvotes, $0
- Exposed CDN access token allows modification of all newly uploaded Snapmatic photos to Rockstar Games - 33 upvotes, $0
- Image Injection vulnerability on screenshot-viewer/responsive/image may allow Facebook OAuth token theft. to Rockstar Games - 32 upvotes, $0
- Stored XSS on profile page via Steam display name to Rockstar Games - 31 upvotes, $1250
- Exploiting Misconfigured CORS to Steal User Information to Rockstar Games - 31 upvotes, $500
- <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information -> to Rockstar Games - 31 upvotes, $0
- stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter to Rockstar Games - 29 upvotes, $1000
- XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js to Rockstar Games - 28 upvotes, $0
- Stored XSS in snapmatic comments to Rockstar Games - 27 upvotes, $1000
- DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request to Rockstar Games - 27 upvotes, $0
- CSRF Vulnerability allows attackers to steal SocialClub private token. to Rockstar Games - 27 upvotes, $0
- Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire to Rockstar Games - 26 upvotes, $0
- Reflected XSS in /Videos/ via calling a callback http://www.rockstargames.com/videos/#/?lb= to Rockstar Games - 26 upvotes, $0
- Image Injection/XSS vulnerability affecting https://www.rockstargames.com/newswire/article to Rockstar Games - 26 upvotes, $0
- Stored XSS on member post feed to Rockstar Games - 25 upvotes, $1000
- CSRF Vulnerability on post creation page /community/create-post.json to Rockstar Games - 25 upvotes, $0
- Uninstalling Rockstar Games Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication to Rockstar Games - 24 upvotes, $250
- Open redirect on https://signin.rockstargames.com/connect/authorize/rsg to Rockstar Games - 23 upvotes, $0
- Login form on non-HTTPS page to Rockstar Games - 22 upvotes, $350
- Reflected XSS via Double Encoding to Rockstar Games - 21 upvotes, $500
- use of unsafe host header leads to open redirect to Rockstar Games - 20 upvotes, $300
- Information Disclosure in https://www.rockstargames.com/search to Rockstar Games - 20 upvotes, $0
- Comments Denial of Service in socialclub.rockstargames.com to Rockstar Games - 19 upvotes, $0
- Stored XSS with CRLF injection via post message to user feed to Rockstar Games - 19 upvotes, $0
- Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft to Rockstar Games - 19 upvotes, $0
- Race condition vulnerability on "This Rocks" button. to Rockstar Games - 19 upvotes, $0
- Table and Column Exposure to Rockstar Games - 18 upvotes, $150
- phpinfo() on graph.rockstargames.com exposes sensitive information to Rockstar Games - 18 upvotes, $0
- [IMP] - Blind XSS in the admin panel for reviewing comments to Rockstar Games - 17 upvotes, $650
- Reflected XSS in reddeadredemption Site located at www.rockstargames.com/reddeadredemption to Rockstar Games - 17 upvotes, $0
- Stored XSS via Send crew invite to Rockstar Games - 17 upvotes, $0
- Minor Account Privacy can Set to Everyone. to Rockstar Games - 17 upvotes, $0
- Dom based xss on https://www.rockstargames.com/ via
returnUrl
parameter to Rockstar Games - 16 upvotes, $0 - Open redirect affecting m.rockstargames.com/ to Rockstar Games - 15 upvotes, $0
- Dom based xss on /reddeadredemption2/br/videos to Rockstar Games - 15 upvotes, $0
- Control Character Injection In Messages to Rockstar Games - 13 upvotes, $350
- Full path Disclosure in Rockstargames.com██████████ to Rockstar Games - 13 upvotes, $0
- SocialClub's Facebook OAuth Theft through Warehouse XSS. to Rockstar Games - 13 upvotes, $0
- Client-side Template Injection in Search, user email/token leak and maybe sandbox escape to Rockstar Games - 13 upvotes, $0
- Source Code Disclosure (CGI) to Rockstar Games - 12 upvotes, $150
- dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) to Rockstar Games - 12 upvotes, $0
- Warehouse dom based xss may lead to Social Club Account Taker Over. to Rockstar Games - 12 upvotes, $0
- DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features to Rockstar Games - 12 upvotes, $0
- Image Injection vulnerability in www.rockstargames.com/IV/screens/1280x720Image.html to Rockstar Games - 12 upvotes, $0
- Stored XSS on support.rockstargames.com to Rockstar Games - 11 upvotes, $1000
- Leak IP internal to Rockstar Games - 11 upvotes, $0
- Image Injection on www.rockstargames.com/screenshot-viewer/responsive/image may allow facebook oauth token theft. to Rockstar Games - 11 upvotes, $0
- Found CSRF Vulnerability in https://support.rockstargames.com/ to Rockstar Games - 10 upvotes, $150
- Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL] to Rockstar Games - 10 upvotes, $0
- Flash injection vulnerability on /IV/imgPlayer/imageEmbed.swf to Rockstar Games - 10 upvotes, $0
- dom based xss in https://www.rockstargames.com/GTAOnline/ to Rockstar Games - 9 upvotes, $0
- csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json to Rockstar Games - 9 upvotes, $0
- RDR2 game service method allows adding any player to a new Posse without consent to Rockstar Games - 9 upvotes, $0
- flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf to Rockstar Games - 8 upvotes, $0
- Image Injection on
/bully/anniversaryedition
may lead to FB's OAuth Token Theft. to Rockstar Games - 8 upvotes, $0 - Profile bio at rockstar is accepting control characters to Rockstar Games - 7 upvotes, $350
- Control characters incorrectly handled on Crew Status Update to Rockstar Games - 7 upvotes, $250
- Ability to post comments to a crew even after getting kicked out to Rockstar Games - 6 upvotes, $500
- SSLv3 POODLE Vulnerability to Rockstar Games - 6 upvotes, $0
- insecure redirect in https://www.rockstargames.com to Rockstar Games - 6 upvotes, $0
- DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter to Rockstar Games - 6 upvotes, $0
- image injection /screenshot-viewer/responsive/image (ANOTHER FIX BYPASS) to Rockstar Games - 6 upvotes, $0
- Modifying Sprunk vs eCola crew data to Rockstar Games - 6 upvotes, $0
- Image Injection vulnerability affecting www.rockstargames.com/careers may lead to Facebook OAuth Theft to Rockstar Games - 5 upvotes, $0
- Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode to Rockstar Games - 5 upvotes, $0
- Referer Leakge in language changer may lead to FB token theft. to Rockstar Games - 5 upvotes, $0
- Image injection on /screenshot-viewer/responsive/image ( FIX BYPASS) to Rockstar Games - 5 upvotes, $0
- Image Injection on /bully/anniversaryedition may lead to OAuth token theft. to Rockstar Games - 4 upvotes, $0
- Referer Referer Header Leakage in language changer may lead to FB token theft to Rockstar Games - 3 upvotes, $0
- Image injection /br/games/info may lead to phishing attacks or FB OAuth theft. to Rockstar Games - 3 upvotes, $0
- CSRF Vulnerabiliy on Facebook Linkage Page Allows Full Account takerover of Socialclub Accounts. to Rockstar Games - 3 upvotes, $0
- Image Injection Vulnerability on /bully/screens to Rockstar Games - 3 upvotes, $0