| Social Club Account Takeover Via RGL And Steam/Epic Linked Account |
Privilege Escalation |
sn0wd3n |
High |
2021-11-17 |
| Brute Force against VMware Horizon |
Brute Force |
ivanglinkin |
Low |
2021-08-16 |
| XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker) |
Cross-site Scripting (XSS) - Stored |
ak1t4 |
Medium |
2021-06-03 |
| SocialClub Account Take Over Through Import Friends feature |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
High |
2021-04-01 |
| CSRF Vulnerability on post creation page /community/create-post.json |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
Low |
2020-07-07 |
| csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
Low |
2020-07-07 |
| image injection /screenshot-viewer/responsive/image (ANOTHER FIX BYPASS) |
Information Disclosure |
netfuzzer |
Medium |
2020-06-24 |
| DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
Medium |
2020-06-24 |
| Dom based xss on /reddeadredemption2/br/videos |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
Medium |
2020-06-24 |
| Image injection on /screenshot-viewer/responsive/image ( FIX BYPASS) |
Information Disclosure |
netfuzzer |
Medium |
2020-06-24 |
| Flash injection vulnerability on /IV/imgPlayer/imageEmbed.swf |
Cross-site Scripting (XSS) - Generic |
netfuzzer |
Medium |
2020-06-24 |
| Image Injection vulnerability affecting www.rockstargames.com/careers may lead to Facebook OAuth Theft |
Information Disclosure |
netfuzzer |
Medium |
2020-06-24 |
| Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
Medium |
2020-06-24 |
| DOM based XSS on /GTAOnline/tw/starterpack/ |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
Medium |
2020-06-24 |
| Referer Leakage Vulnerability in socialclub.rockstargames.com/crew/ leads to FB'S OAuth token theft. |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
Medium |
2020-06-24 |
| Image Injection/XSS vulnerability affecting https://www.rockstargames.com/newswire/article |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
Medium |
2020-06-24 |
| Image Injection on /bully/anniversaryedition may lead to OAuth token theft. |
Information Disclosure |
netfuzzer |
Medium |
2020-06-24 |
| Referer Leakge in language changer may lead to FB token theft. |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
Medium |
2020-06-24 |
| Image Injection on `/bully/anniversaryedition` may lead to FB's OAuth Token Theft. |
Information Disclosure |
netfuzzer |
Medium |
2020-06-24 |
| Image Injection vulnerability in www.rockstargames.com/IV/screens/1280x720Image.html |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
Medium |
2020-06-24 |
| Image Injection vulnerability on screenshot-viewer/responsive/image may allow Facebook OAuth token theft. |
Information Disclosure |
netfuzzer |
Medium |
2020-06-24 |
| CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
Medium |
2020-06-12 |
| Dom based xss on https://www.rockstargames.com/ via `returnUrl` parameter |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
Medium |
2020-06-12 |
| xss on https://www.rockstargames.com/GTAOnline/jp/screens/ |
Cross-site Scripting (XSS) - Generic |
netfuzzer |
Medium |
2020-06-12 |
| Image Injection on www.rockstargames.com/screenshot-viewer/responsive/image may allow facebook oauth token theft. |
Information Disclosure |
netfuzzer |
Medium |
2020-06-12 |
| Open redirect affecting m.rockstargames.com/ |
Open Redirect |
netfuzzer |
Medium |
2020-06-12 |
| insecure redirect in https://www.rockstargames.com |
Violation of Secure Design Principles |
netfuzzer |
Low |
2020-06-12 |
| DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
High |
2020-06-12 |
| DOM Based xss on https://www.rockstargames.com/ ( 1 ) |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
High |
2020-06-12 |
| Race condition vulnerability on "This Rocks" button. |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
netfuzzer |
Medium |
2020-06-12 |
| Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft |
Open Redirect |
netfuzzer |
Low |
2020-06-11 |
| DOM XSS on https://www.rockstargames.com/GTAOnline/feedback |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
Medium |
2020-06-11 |
| Information Disclosure in https://www.rockstargames.com/search |
SQL Injection |
netfuzzer |
Low |
2020-06-11 |
| Warehouse dom based xss may lead to Social Club Account Taker Over. |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
High |
2020-06-11 |
| Unquoted Service Path in "Rockstar Game Library Service" |
Privilege Escalation |
adr |
Medium |
2019-12-02 |
| The return of the < |
Cross-site Scripting (XSS) - Stored |
alexbirsan |
High |
2019-09-24 |
| Stealing Facebook OAuth Code Through Screenshot viewer |
Information Disclosure |
netfuzzer |
Medium |
2019-03-05 |
| Account Takeover using Linked Accounts due to lack of CSRF protection |
Cross-Site Request Forgery (CSRF) |
rafiem |
High |
2019-02-20 |
| stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter |
Cross-site Scripting (XSS) - Stored |
coldd |
High |
2018-11-06 |
| Smuggle SocialClub's Facebook OAuth Code via Referer Leakage |
Information Disclosure |
richardcao |
Medium |
2018-10-23 |
| Exploiting Misconfigured CORS to Steal User Information |
Information Disclosure |
richardcao |
High |
2018-10-17 |
| Found CSRF Vulnerability in https://support.rockstargames.com/ |
Cross-Site Request Forgery (CSRF) |
dhananjaygarg19 |
Low |
2018-10-16 |
| LFI and SSRF via XXE in emblem editor |
XML External Entities (XXE) |
alexbirsan |
Critical |
2018-08-01 |
| Table and Column Exposure |
Information Exposure Through an Error Message |
n00bsec |
Low |
2018-05-10 |
| Client-side Template Injection in Search, user email/token leak and maybe sandbox escape |
Code Injection |
europa |
Medium |
2018-05-01 |
| SocialClub's Facebook OAuth Theft through Warehouse XSS. |
Cross-Site Request Forgery (CSRF) |
netfuzzer |
Medium |
2018-04-23 |
| Bypass CAPTCHA protection |
Improper Authentication - Generic |
exception |
Medium |
2018-04-23 |
| Stored XSS in Snapmatic + R★Editor comments |
Cross-site Scripting (XSS) - Stored |
europa |
High |
2018-04-20 |
| Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL] |
Code Injection |
tolo7010 |
Medium |
2018-04-10 |
| Leak IP internal |
Information Disclosure |
h1danilabs |
Low |
2018-02-05 |
| SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE |
Server-Side Request Forgery (SSRF) |
alexbirsan |
High |
2018-01-12 |
| Stored XSS via Send crew invite |
Cross-site Scripting (XSS) - Stored |
fa1rlight |
Medium |
2017-12-28 |
| Unserialize leading to arbitrary PHP function invoke |
Code Injection |
someguyfromthepast |
Critical |
2017-12-13 |
| Stored XSS on profile page via Steam display name |
Cross-site Scripting (XSS) - Stored |
alexbirsan |
High |
2017-11-10 |
| Stored XSS on support.rockstargames.com |
Cross-site Scripting (XSS) - Stored |
mr_r3boot |
Medium |
2017-10-30 |
| Blind SSRF in emblem editor (2) |
Server-Side Request Forgery (SSRF) |
alexbirsan |
Medium |
2017-10-29 |
| Stored XSS on support.rockstargames.com |
Cross-site Scripting (XSS) - Stored |
0x0luke |
Medium |
2017-10-10 |
| Reflected XSS in /Videos/ via calling a callback http://www.rockstargames.com/videos/#/?lb= |
Cross-site Scripting (XSS) - Generic |
nahamsec |
Medium |
2017-09-25 |
| Reflected XSS in reddeadredemption Site located at www.rockstargames.com/reddeadredemption |
Cross-site Scripting (XSS) - Generic |
nahamsec |
Medium |
2017-09-25 |
| Stored XSS with CRLF injection via post message to user feed |
Cross-site Scripting (XSS) - Stored |
fa1rlight |
Medium |
2017-09-18 |
| Stored XSS on member post feed |
Cross-site Scripting (XSS) - Stored |
0x0luke |
High |
2017-09-18 |
| Comments Denial of Service in socialclub.rockstargames.com |
Code Injection |
ramsexy |
Medium |
2017-09-11 |
| Stored XSS in snapmatic comments |
Cross-site Scripting (XSS) - Stored |
alexbirsan |
Medium |
2017-09-05 |
| Reflected XSS via Double Encoding |
Cross-site Scripting (XSS) - Reflected |
injexxsor |
Medium |
2017-09-01 |
| Stored XSS in profile activity feed messages |
Cross-site Scripting (XSS) - Stored |
alexbirsan |
Medium |
2017-08-28 |
| flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf |
None supplied |
netfuzzer |
Medium |
2017-08-25 |
| dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) |
Cross-site Scripting (XSS) - DOM |
netfuzzer |
Medium |
2017-08-24 |
| dom based xss in https://www.rockstargames.com/GTAOnline/ |
Cross-site Scripting (XSS) - Reflected |
netfuzzer |
Medium |
2017-08-21 |
| Ability to post comments to a crew even after getting kicked out |
Violation of Secure Design Principles |
anshuman_bh |
Medium |
2017-08-08 |
| CSRF Vulnerability allows attackers to steal SocialClub private token. |
None supplied |
netfuzzer |
High |
2017-08-03 |
| XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js |
Cross-site Scripting (XSS) - Reflected |
netfuzzer |
Medium |
2017-07-17 |
| Control characters incorrectly handled on Crew Status Update |
Code Injection |
zuhnny1 |
Low |
2017-06-23 |
| <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information -> |
Cross-Site Request Forgery (CSRF) |
rz01 |
Critical |
2017-05-24 |
| Profile bio at rockstar is accepting control characters |
None supplied |
exception |
No rating |
2017-05-23 |
| Control Character Injection In Messages |
Improper Authentication - Generic |
exception |
No rating |
2017-05-23 |
| use of unsafe host header leads to open redirect |
Violation of Secure Design Principles |
exception |
No rating |
2017-05-01 |
| Full path Disclosure in Rockstargames.com██████████ |
Information Disclosure |
pappan |
Low |
2017-04-28 |
| Login form on non-HTTPS page |
Cleartext Transmission of Sensitive Information |
scraps |
Medium |
2017-04-26 |
| SSLv3 POODLE Vulnerability |
Violation of Secure Design Principles |
rmtyronerf |
Low |
2017-04-09 |
| [IMP] - Blind XSS in the admin panel for reviewing comments |
Cross-site Scripting (XSS) - Generic |
anshuman_bh |
Medium |
2017-03-17 |
| Source Code Disclosure (CGI) |
Information Disclosure |
cyberunit |
Medium |
2017-03-17 |
| DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request |
Cross-site Scripting (XSS) - Generic |
zombiehelp54 |
Medium |
2017-03-17 |
| Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire |
Cross-site Scripting (XSS) - Generic |
nahamsec |
Medium |
2017-03-16 |
| CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' |
Cross-Site Request Forgery (CSRF) |
nahamsec |
Medium |
2017-03-11 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles