Skip to content

Latest commit

 

History

History
105 lines (104 loc) · 14.6 KB

TOPROCKSTARGAMES.md

File metadata and controls

105 lines (104 loc) · 14.6 KB

Top reports from Rockstar Games program at HackerOne:

  1. The return of the < to Rockstar Games - 546 upvotes, $1000
  2. Account Takeover using Linked Accounts due to lack of CSRF protection to Rockstar Games - 227 upvotes, $0
  3. Stealing Facebook OAuth Code Through Screenshot viewer to Rockstar Games - 193 upvotes, $0
  4. XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker) to Rockstar Games - 189 upvotes, $0
  5. xss on https://www.rockstargames.com/GTAOnline/jp/screens/ to Rockstar Games - 154 upvotes, $0
  6. Stored XSS in Snapmatic + R★Editor comments to Rockstar Games - 114 upvotes, $0
  7. Unserialize leading to arbitrary PHP function invoke to Rockstar Games - 113 upvotes, $0
  8. SocialClub Account Take Over Through Import Friends feature to Rockstar Games - 110 upvotes, $0
  9. Referer Leakage Vulnerability in socialclub.rockstargames.com/crew/ leads to FB'S OAuth token theft. to Rockstar Games - 106 upvotes, $0
  10. CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ to Rockstar Games - 99 upvotes, $0
  11. Password and mail address stored unencrypted in memory - Rockstar Game Launcher to Rockstar Games - 81 upvotes, $750
  12. Open redirect vulnerability to Rockstar Games - 80 upvotes, $250
  13. Blind SSRF in emblem editor (2) to Rockstar Games - 74 upvotes, $1500
  14. LFI and SSRF via XXE in emblem editor to Rockstar Games - 73 upvotes, $1500
  15. Cache Poisoning DoS on updates.rockstargames.com to Rockstar Games - 73 upvotes, $0
  16. XSS on rockstargames.com to Rockstar Games - 70 upvotes, $500
  17. Facebook OAuth Code Theft through referer leakage on support.rockstargames.com to Rockstar Games - 67 upvotes, $0
  18. Unquoted Service Path in "Rockstar Game Library Service" to Rockstar Games - 60 upvotes, $0
  19. Insecure Direct Object Reference allows Crew Invite deletion to Rockstar Games - 55 upvotes, $0
  20. Brute Force against VMware Horizon to Rockstar Games - 50 upvotes, $250
  21. Stored XSS on support.rockstargames.com to Rockstar Games - 49 upvotes, $1000
  22. SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE to Rockstar Games - 47 upvotes, $1500
  23. full path disclosure on www.rockstargames.com via apache filename brute forcing to Rockstar Games - 47 upvotes, $0
  24. DOM XSS on https://www.rockstargames.com/GTAOnline/feedback to Rockstar Games - 45 upvotes, $0
  25. DOM based XSS on /GTAOnline/tw/starterpack/ to Rockstar Games - 45 upvotes, $0
  26. Bypass CAPTCHA protection to Rockstar Games - 44 upvotes, $500
  27. Social Club Account Takeover Via RGL And Steam/Epic Linked Account to Rockstar Games - 43 upvotes, $1000
  28. Stored XSS in profile activity feed messages to Rockstar Games - 41 upvotes, $1000
  29. Improper Authentication inside the Rockstar Games Launcher which leads to Account takeover to some extend to Rockstar Games - 40 upvotes, $750
  30. CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' to Rockstar Games - 39 upvotes, $0
  31. Smuggle SocialClub's Facebook OAuth Code via Referer Leakage to Rockstar Games - 35 upvotes, $750
  32. DOM Based xss on https://www.rockstargames.com/ ( 1 ) to Rockstar Games - 33 upvotes, $0
  33. Exposed CDN access token allows modification of all newly uploaded Snapmatic photos to Rockstar Games - 33 upvotes, $0
  34. Image Injection vulnerability on screenshot-viewer/responsive/image may allow Facebook OAuth token theft. to Rockstar Games - 32 upvotes, $0
  35. Stored XSS on profile page via Steam display name to Rockstar Games - 31 upvotes, $1250
  36. Exploiting Misconfigured CORS to Steal User Information to Rockstar Games - 31 upvotes, $500
  37. <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information -> to Rockstar Games - 31 upvotes, $0
  38. stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter to Rockstar Games - 29 upvotes, $1000
  39. XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js to Rockstar Games - 28 upvotes, $0
  40. Stored XSS in snapmatic comments to Rockstar Games - 27 upvotes, $1000
  41. DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request to Rockstar Games - 27 upvotes, $0
  42. CSRF Vulnerability allows attackers to steal SocialClub private token. to Rockstar Games - 27 upvotes, $0
  43. Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire to Rockstar Games - 26 upvotes, $0
  44. Reflected XSS in /Videos/ via calling a callback http://www.rockstargames.com/videos/#/?lb= to Rockstar Games - 26 upvotes, $0
  45. Image Injection/XSS vulnerability affecting https://www.rockstargames.com/newswire/article to Rockstar Games - 26 upvotes, $0
  46. Stored XSS on member post feed to Rockstar Games - 25 upvotes, $1000
  47. CSRF Vulnerability on post creation page /community/create-post.json to Rockstar Games - 25 upvotes, $0
  48. Uninstalling Rockstar Games Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication to Rockstar Games - 24 upvotes, $250
  49. Open redirect on https://signin.rockstargames.com/connect/authorize/rsg to Rockstar Games - 23 upvotes, $0
  50. Login form on non-HTTPS page to Rockstar Games - 22 upvotes, $350
  51. Reflected XSS via Double Encoding to Rockstar Games - 21 upvotes, $500
  52. use of unsafe host header leads to open redirect to Rockstar Games - 20 upvotes, $300
  53. Information Disclosure in https://www.rockstargames.com/search to Rockstar Games - 20 upvotes, $0
  54. Comments Denial of Service in socialclub.rockstargames.com to Rockstar Games - 19 upvotes, $0
  55. Stored XSS with CRLF injection via post message to user feed to Rockstar Games - 19 upvotes, $0
  56. Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft to Rockstar Games - 19 upvotes, $0
  57. Race condition vulnerability on "This Rocks" button. to Rockstar Games - 19 upvotes, $0
  58. Table and Column Exposure to Rockstar Games - 18 upvotes, $150
  59. phpinfo() on graph.rockstargames.com exposes sensitive information to Rockstar Games - 18 upvotes, $0
  60. [IMP] - Blind XSS in the admin panel for reviewing comments to Rockstar Games - 17 upvotes, $650
  61. Reflected XSS in reddeadredemption Site located at www.rockstargames.com/reddeadredemption to Rockstar Games - 17 upvotes, $0
  62. Stored XSS via Send crew invite to Rockstar Games - 17 upvotes, $0
  63. Minor Account Privacy can Set to Everyone. to Rockstar Games - 17 upvotes, $0
  64. Dom based xss on https://www.rockstargames.com/ via returnUrl parameter to Rockstar Games - 16 upvotes, $0
  65. Open redirect affecting m.rockstargames.com/ to Rockstar Games - 15 upvotes, $0
  66. Dom based xss on /reddeadredemption2/br/videos to Rockstar Games - 15 upvotes, $0
  67. Control Character Injection In Messages to Rockstar Games - 13 upvotes, $350
  68. Full path Disclosure in Rockstargames.com██████████ to Rockstar Games - 13 upvotes, $0
  69. SocialClub's Facebook OAuth Theft through Warehouse XSS. to Rockstar Games - 13 upvotes, $0
  70. Client-side Template Injection in Search, user email/token leak and maybe sandbox escape to Rockstar Games - 13 upvotes, $0
  71. Source Code Disclosure (CGI) to Rockstar Games - 12 upvotes, $150
  72. dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) to Rockstar Games - 12 upvotes, $0
  73. Warehouse dom based xss may lead to Social Club Account Taker Over. to Rockstar Games - 12 upvotes, $0
  74. DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features to Rockstar Games - 12 upvotes, $0
  75. Image Injection vulnerability in www.rockstargames.com/IV/screens/1280x720Image.html to Rockstar Games - 12 upvotes, $0
  76. Stored XSS on support.rockstargames.com to Rockstar Games - 11 upvotes, $1000
  77. Leak IP internal to Rockstar Games - 11 upvotes, $0
  78. Image Injection on www.rockstargames.com/screenshot-viewer/responsive/image may allow facebook oauth token theft. to Rockstar Games - 11 upvotes, $0
  79. Found CSRF Vulnerability in https://support.rockstargames.com/ to Rockstar Games - 10 upvotes, $150
  80. Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL] to Rockstar Games - 10 upvotes, $0
  81. Flash injection vulnerability on /IV/imgPlayer/imageEmbed.swf to Rockstar Games - 10 upvotes, $0
  82. dom based xss in https://www.rockstargames.com/GTAOnline/ to Rockstar Games - 9 upvotes, $0
  83. csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json to Rockstar Games - 9 upvotes, $0
  84. RDR2 game service method allows adding any player to a new Posse without consent to Rockstar Games - 9 upvotes, $0
  85. flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf to Rockstar Games - 8 upvotes, $0
  86. Image Injection on /bully/anniversaryedition may lead to FB's OAuth Token Theft. to Rockstar Games - 8 upvotes, $0
  87. Profile bio at rockstar is accepting control characters to Rockstar Games - 7 upvotes, $350
  88. Control characters incorrectly handled on Crew Status Update to Rockstar Games - 7 upvotes, $250
  89. Ability to post comments to a crew even after getting kicked out to Rockstar Games - 6 upvotes, $500
  90. SSLv3 POODLE Vulnerability to Rockstar Games - 6 upvotes, $0
  91. insecure redirect in https://www.rockstargames.com to Rockstar Games - 6 upvotes, $0
  92. DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter to Rockstar Games - 6 upvotes, $0
  93. image injection /screenshot-viewer/responsive/image (ANOTHER FIX BYPASS) to Rockstar Games - 6 upvotes, $0
  94. Modifying Sprunk vs eCola crew data to Rockstar Games - 6 upvotes, $0
  95. Image Injection vulnerability affecting www.rockstargames.com/careers may lead to Facebook OAuth Theft to Rockstar Games - 5 upvotes, $0
  96. Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode to Rockstar Games - 5 upvotes, $0
  97. Referer Leakge in language changer may lead to FB token theft. to Rockstar Games - 5 upvotes, $0
  98. Image injection on /screenshot-viewer/responsive/image ( FIX BYPASS) to Rockstar Games - 5 upvotes, $0
  99. Image Injection on /bully/anniversaryedition may lead to OAuth token theft. to Rockstar Games - 4 upvotes, $0
  100. Referer Referer Header Leakage in language changer may lead to FB token theft to Rockstar Games - 3 upvotes, $0
  101. Image injection /br/games/info may lead to phishing attacks or FB OAuth theft. to Rockstar Games - 3 upvotes, $0
  102. CSRF Vulnerabiliy on Facebook Linkage Page Allows Full Account takerover of Socialclub Accounts. to Rockstar Games - 3 upvotes, $0
  103. Image Injection Vulnerability on /bully/screens to Rockstar Games - 3 upvotes, $0