Rockstar Games Program Statistics


95 total issues disclosed

$62,950 total paid publicly

Most disclosed weakness type (13 disclosures): Cross-Site Request Forgery (CSRF). This counts the weakness label recorded on each report. The four XSS labels (Stored, DOM, Reflected, Generic) together cover 33 of the 95 reports, so XSS is the most common bug class overall even though no single XSS label tops CSRF. Weakness type and severity are shown as recorded on each report: "None supplied" and "No rating" mean the field was left unset, and some titles describe a different class than the label they carry (several Referer-leakage and image-injection reports are filed under CSRF, for instance).



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Access to the business emails of Rockstar Support agents through the support platform | Improper Access Control - Generic | gavinmartinwv | Low | 2025-10-02 |
| Open Redirection affects autodiscover.rockstargames.com | None supplied | osama-hamad | Low | 2025-02-03 |
| Exposed CDN access token allows modification of all newly uploaded Snapmatic photos | Improper Access Control - Generic | bugstar | Medium | 2024-01-26 |
| Password and mail address stored unencrypted in memory - Rockstar Game Launcher | Missing Encryption of Sensitive Data | moltenbit | Medium | 2023-10-27 |
| Insecure Direct Object Reference allows Crew Invite deletion | Insecure Direct Object Reference (IDOR) | floorball | Medium | 2023-08-17 |
| XSS on rockstargames.com | Cross-site Scripting (XSS) - Generic | zuhnny1 | High | 2023-07-25 |
| Improper Authentication inside the Rockstar Games Launcher which leads to Account takeover to some extent | Improper Authentication - Generic | j4ck_d4niels | High | 2023-07-05 |
| Modifying Sprunk vs eCola crew data | Insecure Direct Object Reference (IDOR) | bugstar | Low | 2022-09-06 |
| Uninstalling Rockstar Games Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication | Privacy Violation | toxiqcitee | Low | 2022-04-07 |
| Cache Poisoning DoS on updates.rockstargames.com | Violation of Secure Design Principles | youstin | Medium | 2021-12-22 |
| Social Club Account Takeover Via RGL And Steam/Epic Linked Account | Privilege Escalation | sn0wd3n | High | 2021-11-17 |
| Brute Force against VMware Horizon | Brute Force | ivanglinkin | Low | 2021-08-16 |
| XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker) | Cross-site Scripting (XSS) - Stored | ak1t4 | Medium | 2021-06-03 |
| SocialClub Account Take Over Through Import Friends feature | Cross-Site Request Forgery (CSRF) | netfuzzer | High | 2021-04-01 |
| Minor Account Privacy can Set to Everyone. | Insecure Direct Object Reference (IDOR) | gevakun | Low | 2021-03-02 |
| CSRF Vulnerability on post creation page /community/create-post.json | Cross-Site Request Forgery (CSRF) | netfuzzer | Low | 2020-07-07 |
| csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json | Cross-Site Request Forgery (CSRF) | netfuzzer | Low | 2020-07-07 |
| image injection /screenshot-viewer/responsive/image (ANOTHER FIX BYPASS) | Information Disclosure | netfuzzer | Medium | 2020-06-24 |
| DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-24 |
| Dom based xss on /reddeadredemption2/br/videos | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-24 |
| Image injection on /screenshot-viewer/responsive/image ( FIX BYPASS) | Information Disclosure | netfuzzer | Medium | 2020-06-24 |
| Flash injection vulnerability on /IV/imgPlayer/imageEmbed.swf | Cross-site Scripting (XSS) - Generic | netfuzzer | Medium | 2020-06-24 |
| Image Injection vulnerability affecting www.rockstargames.com/careers may lead to Facebook OAuth Theft | Information Disclosure | netfuzzer | Medium | 2020-06-24 |
| Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-24 |
| DOM based XSS on /GTAOnline/tw/starterpack/ | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-24 |
| Referer Leakage Vulnerability in socialclub.rockstargames.com/crew/ leads to FB'S OAuth token theft. | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-24 |
| Image Injection/XSS vulnerability affecting https://www.rockstargames.com/newswire/article | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-24 |
| Image Injection on /bully/anniversaryedition may lead to OAuth token theft. | Information Disclosure | netfuzzer | Medium | 2020-06-24 |
| Referer Leakage in language changer may lead to FB token theft. | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-24 |
| Image Injection on `/bully/anniversaryedition` may lead to FB's OAuth Token Theft. | Information Disclosure | netfuzzer | Medium | 2020-06-24 |
| Image Injection vulnerability in www.rockstargames.com/IV/screens/1280x720Image.html | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-24 |
| Image Injection vulnerability on screenshot-viewer/responsive/image may allow Facebook OAuth token theft. | Information Disclosure | netfuzzer | Medium | 2020-06-24 |
| CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-12 |
| Dom based xss on https://www.rockstargames.com/ via `returnUrl` parameter | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-12 |
| xss on https://www.rockstargames.com/GTAOnline/jp/screens/ | Cross-site Scripting (XSS) - Generic | netfuzzer | Medium | 2020-06-12 |
| Image Injection on www.rockstargames.com/screenshot-viewer/responsive/image may allow facebook oauth token theft. | Information Disclosure | netfuzzer | Medium | 2020-06-12 |
| Open redirect affecting m.rockstargames.com/ | Open Redirect | netfuzzer | Medium | 2020-06-12 |
| insecure redirect in https://www.rockstargames.com | Violation of Secure Design Principles | netfuzzer | Low | 2020-06-12 |
| DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features | Cross-site Scripting (XSS) - DOM | netfuzzer | High | 2020-06-12 |
| DOM Based xss on https://www.rockstargames.com/ ( 1 ) | Cross-site Scripting (XSS) - DOM | netfuzzer | High | 2020-06-12 |
| Race condition vulnerability on "This Rocks" button. | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | netfuzzer | Medium | 2020-06-12 |
| Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft | Open Redirect | netfuzzer | Low | 2020-06-11 |
| DOM XSS on https://www.rockstargames.com/GTAOnline/feedback | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-11 |
| Information Disclosure in https://www.rockstargames.com/search | SQL Injection | netfuzzer | Low | 2020-06-11 |
| Warehouse dom based xss may lead to Social Club Account Take Over. | Cross-site Scripting (XSS) - DOM | netfuzzer | High | 2020-06-11 |
| Unquoted Service Path in "Rockstar Game Library Service" | Privilege Escalation | adr | Medium | 2019-12-02 |
| The return of the < | Cross-site Scripting (XSS) - Stored | alexbirsan | High | 2019-09-24 |
| Stealing Facebook OAuth Code Through Screenshot viewer | Information Disclosure | netfuzzer | Medium | 2019-03-05 |
| Account Takeover using Linked Accounts due to lack of CSRF protection | Cross-Site Request Forgery (CSRF) | rafiem | High | 2019-02-20 |
| stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter | Cross-site Scripting (XSS) - Stored | coldd | High | 2018-11-06 |
| Smuggle SocialClub's Facebook OAuth Code via Referer Leakage | Information Disclosure | richardcao | Medium | 2018-10-23 |
| Exploiting Misconfigured CORS to Steal User Information | Information Disclosure | richardcao | High | 2018-10-17 |
| Found CSRF Vulnerability in https://support.rockstargames.com/ | Cross-Site Request Forgery (CSRF) | dhananjaygarg19 | Low | 2018-10-16 |
| LFI and SSRF via XXE in emblem editor | XML External Entities (XXE) | alexbirsan | Critical | 2018-08-01 |
| Table and Column Exposure | Information Exposure Through an Error Message | n00bsec | Low | 2018-05-10 |
| Client-side Template Injection in Search, user email/token leak and maybe sandbox escape | Code Injection | europa | Medium | 2018-05-01 |
| SocialClub's Facebook OAuth Theft through Warehouse XSS. | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2018-04-23 |
| Bypass CAPTCHA protection | Improper Authentication - Generic | exception | Medium | 2018-04-23 |
| Stored XSS in Snapmatic + R★Editor comments | Cross-site Scripting (XSS) - Stored | europa | High | 2018-04-20 |
| Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL] | Code Injection | tolo7010 | Medium | 2018-04-10 |
| Leak IP internal | Information Disclosure | h1danilabs | Low | 2018-02-05 |
| SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE | Server-Side Request Forgery (SSRF) | alexbirsan | High | 2018-01-12 |
| Stored XSS via Send crew invite | Cross-site Scripting (XSS) - Stored | fa1rlight | Medium | 2017-12-28 |
| Unserialize leading to arbitrary PHP function invoke | Code Injection | someguyfromthepast | Critical | 2017-12-13 |
| Stored XSS on profile page via Steam display name | Cross-site Scripting (XSS) - Stored | alexbirsan | High | 2017-11-10 |
| Stored XSS on support.rockstargames.com | Cross-site Scripting (XSS) - Stored | mr_r3boot | Medium | 2017-10-30 |
| Blind SSRF in emblem editor (2) | Server-Side Request Forgery (SSRF) | alexbirsan | Medium | 2017-10-29 |
| Stored XSS on support.rockstargames.com | Cross-site Scripting (XSS) - Stored | 0x0luke | Medium | 2017-10-10 |
| Reflected XSS in /Videos/ via calling a callback http://www.rockstargames.com/videos/#/?lb= | Cross-site Scripting (XSS) - Generic | nahamsec | Medium | 2017-09-25 |
| Reflected XSS in reddeadredemption Site located at www.rockstargames.com/reddeadredemption | Cross-site Scripting (XSS) - Generic | nahamsec | Medium | 2017-09-25 |
| Stored XSS with CRLF injection via post message to user feed | Cross-site Scripting (XSS) - Stored | fa1rlight | Medium | 2017-09-18 |
| Stored XSS on member post feed | Cross-site Scripting (XSS) - Stored | 0x0luke | High | 2017-09-18 |
| Comments Denial of Service in socialclub.rockstargames.com | Code Injection | ramsexy | Medium | 2017-09-11 |
| Stored XSS in snapmatic comments | Cross-site Scripting (XSS) - Stored | alexbirsan | Medium | 2017-09-05 |
| Reflected XSS via Double Encoding | Cross-site Scripting (XSS) - Reflected | injexxsor | Medium | 2017-09-01 |
| Stored XSS in profile activity feed messages | Cross-site Scripting (XSS) - Stored | alexbirsan | Medium | 2017-08-28 |
| flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf | None supplied | netfuzzer | Medium | 2017-08-25 |
| dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2017-08-24 |
| dom based xss in https://www.rockstargames.com/GTAOnline/ | Cross-site Scripting (XSS) - Reflected | netfuzzer | Medium | 2017-08-21 |
| Ability to post comments to a crew even after getting kicked out | Violation of Secure Design Principles | anshuman_bh | Medium | 2017-08-08 |
| CSRF Vulnerability allows attackers to steal SocialClub private token. | None supplied | netfuzzer | High | 2017-08-03 |
| XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js | Cross-site Scripting (XSS) - Reflected | netfuzzer | Medium | 2017-07-17 |
| Control characters incorrectly handled on Crew Status Update | Code Injection | zuhnny1 | Low | 2017-06-23 |
| <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information -> | Cross-Site Request Forgery (CSRF) | rz01 | Critical | 2017-05-24 |
| Profile bio at rockstar is accepting control characters | None supplied | exception | No rating | 2017-05-23 |
| Control Character Injection In Messages | Improper Authentication - Generic | exception | No rating | 2017-05-23 |
| use of unsafe host header leads to open redirect | Violation of Secure Design Principles | exception | No rating | 2017-05-01 |
| Full path Disclosure in Rockstargames.com██████████ | Information Disclosure | pappan | Low | 2017-04-28 |
| Login form on non-HTTPS page | Cleartext Transmission of Sensitive Information | scraps | Medium | 2017-04-26 |
| SSLv3 POODLE Vulnerability | Violation of Secure Design Principles | rmtyronerf | Low | 2017-04-09 |
| [IMP] - Blind XSS in the admin panel for reviewing comments | Cross-site Scripting (XSS) - Generic | anshuman_bh | Medium | 2017-03-17 |
| Source Code Disclosure (CGI) | Information Disclosure | cyberunit | Medium | 2017-03-17 |
| DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request | Cross-site Scripting (XSS) - Generic | zombiehelp54 | Medium | 2017-03-17 |
| Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire | Cross-site Scripting (XSS) - Generic | nahamsec | Medium | 2017-03-16 |
| CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' | Cross-Site Request Forgery (CSRF) | nahamsec | Medium | 2017-03-11 |