Rockstar Games


84 total issues disclosed

$60,450 total paid publicly


Most disclosed (13 disclosures) — Cross-Site Request Forgery (CSRF)




Disclosed Reports


Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on
Social Club Account Takeover Via RGL And Steam/Epic Linked Account | Privilege Escalation | sn0wd3n | High | 2021-11-17
Brute Force against VMware Horizon | Brute Force | ivanglinkin | Low | 2021-08-16
XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker) | Cross-site Scripting (XSS) - Stored | ak1t4 | Medium | 2021-06-03
SocialClub Account Take Over Through Import Friends feature | Cross-Site Request Forgery (CSRF) | netfuzzer | High | 2021-04-01
CSRF Vulnerability on post creation page /community/create-post.json | Cross-Site Request Forgery (CSRF) | netfuzzer | Low | 2020-07-07
csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json | Cross-Site Request Forgery (CSRF) | netfuzzer | Low | 2020-07-07
image injection /screenshot-viewer/responsive/image (ANOTHER FIX BYPASS) | Information Disclosure | netfuzzer | Medium | 2020-06-24
DOM based XSS on /GTAOnline/de/news/article via "returnUrl" parameter | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-24
Dom based xss on /reddeadredemption2/br/videos | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-24
Image injection on /screenshot-viewer/responsive/image ( FIX BYPASS) | Information Disclosure | netfuzzer | Medium | 2020-06-24
Flash injection vulnerability on /IV/imgPlayer/imageEmbed.swf | Cross-site Scripting (XSS) - Generic | netfuzzer | Medium | 2020-06-24
Image Injection vulnerability affecting www.rockstargames.com/careers may lead to Facebook OAuth Theft | Information Disclosure | netfuzzer | Medium | 2020-06-24
Dom based XSS on www.rockstargames.com/GTAOnline/features/freemode | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-24
DOM based XSS on /GTAOnline/tw/starterpack/ | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-24
Referer Leakage Vulnerability in socialclub.rockstargames.com/crew/ leads to FB'S OAuth token theft. | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-24
Image Injection/XSS vulnerability affecting https://www.rockstargames.com/newswire/article | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-24
Image Injection on /bully/anniversaryedition may lead to OAuth token theft. | Information Disclosure | netfuzzer | Medium | 2020-06-24
Referer Leakge in language changer may lead to FB token theft. | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-24
Image Injection on `/bully/anniversaryedition` may lead to FB's OAuth Token Theft. | Information Disclosure | netfuzzer | Medium | 2020-06-24
Image Injection vulnerability in www.rockstargames.com/IV/screens/1280x720Image.html | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-24
Image Injection vulnerability on screenshot-viewer/responsive/image may allow Facebook OAuth token theft. | Information Disclosure | netfuzzer | Medium | 2020-06-24
CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2020-06-12
Dom based xss on https://www.rockstargames.com/ via `returnUrl` parameter | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-12
xss on https://www.rockstargames.com/GTAOnline/jp/screens/ | Cross-site Scripting (XSS) - Generic | netfuzzer | Medium | 2020-06-12
Image Injection on www.rockstargames.com/screenshot-viewer/responsive/image may allow facebook oauth token theft. | Information Disclosure | netfuzzer | Medium | 2020-06-12
Open redirect affecting m.rockstargames.com/ | Open Redirect | netfuzzer | Medium | 2020-06-12
insecure redirect in https://www.rockstargames.com | Violation of Secure Design Principles | netfuzzer | Low | 2020-06-12
DOM BASED XSS ON https://www.rockstargames.com/GTAOnline/features | Cross-site Scripting (XSS) - DOM | netfuzzer | High | 2020-06-12
DOM Based xss on https://www.rockstargames.com/ ( 1 ) | Cross-site Scripting (XSS) - DOM | netfuzzer | High | 2020-06-12
Race condition vulnerability on "This Rocks" button. | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | netfuzzer | Medium | 2020-06-12
Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft | Open Redirect | netfuzzer | Low | 2020-06-11
DOM XSS on https://www.rockstargames.com/GTAOnline/feedback | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2020-06-11
Information Disclosure in https://www.rockstargames.com/search | SQL Injection | netfuzzer | Low | 2020-06-11
Warehouse dom based xss may lead to Social Club Account Taker Over. | Cross-site Scripting (XSS) - DOM | netfuzzer | High | 2020-06-11
Unquoted Service Path in "Rockstar Game Library Service" | Privilege Escalation | adr | Medium | 2019-12-02
The return of the < | Cross-site Scripting (XSS) - Stored | alexbirsan | High | 2019-09-24
Stealing Facebook OAuth Code Through Screenshot viewer | Information Disclosure | netfuzzer | Medium | 2019-03-05
Account Takeover using Linked Accounts due to lack of CSRF protection | Cross-Site Request Forgery (CSRF) | rafiem | High | 2019-02-20
stored XSS (angular injection) in support.rockstargames.com using zendesk register form via name parameter | Cross-site Scripting (XSS) - Stored | coldd | High | 2018-11-06
Smuggle SocialClub's Facebook OAuth Code via Referer Leakage | Information Disclosure | richardcao | Medium | 2018-10-23
Exploiting Misconfigured CORS to Steal User Information | Information Disclosure | richardcao | High | 2018-10-17
Found CSRF Vulnerability in https://support.rockstargames.com/ | Cross-Site Request Forgery (CSRF) | dhananjaygarg19 | Low | 2018-10-16
LFI and SSRF via XXE in emblem editor | XML External Entities (XXE) | alexbirsan | Critical | 2018-08-01
Table and Column Exposure | Information Exposure Through an Error Message | n00bsec | Low | 2018-05-10
Client-side Template Injection in Search, user email/token leak and maybe sandbox escape | Code Injection | europa | Medium | 2018-05-01
SocialClub's Facebook OAuth Theft through Warehouse XSS. | Cross-Site Request Forgery (CSRF) | netfuzzer | Medium | 2018-04-23
Bypass CAPTCHA protection | Improper Authentication - Generic | exception | Medium | 2018-04-23
Stored XSS in Snapmatic + R★Editor comments | Cross-site Scripting (XSS) - Stored | europa | High | 2018-04-20
Your support community suffers from angularjs injection and must be fixed immediately [CRITICAL] | Code Injection | tolo7010 | Medium | 2018-04-10
Leak IP internal | Information Disclosure | h1danilabs | Low | 2018-02-05
SMB SSRF in emblem editor exposes taketwo domain credentials, may lead to RCE | Server-Side Request Forgery (SSRF) | alexbirsan | High | 2018-01-12
Stored XSS via Send crew invite | Cross-site Scripting (XSS) - Stored | fa1rlight | Medium | 2017-12-28
Unserialize leading to arbitrary PHP function invoke | Code Injection | someguyfromthepast | Critical | 2017-12-13
Stored XSS on profile page via Steam display name | Cross-site Scripting (XSS) - Stored | alexbirsan | High | 2017-11-10
Stored XSS on support.rockstargames.com | Cross-site Scripting (XSS) - Stored | mr_r3boot | Medium | 2017-10-30
Blind SSRF in emblem editor (2) | Server-Side Request Forgery (SSRF) | alexbirsan | Medium | 2017-10-29
Stored XSS on support.rockstargames.com | Cross-site Scripting (XSS) - Stored | 0x0luke | Medium | 2017-10-10
Reflected XSS in /Videos/ via calling a callback http://www.rockstargames.com/videos/#/?lb= | Cross-site Scripting (XSS) - Generic | nahamsec | Medium | 2017-09-25
Reflected XSS in reddeadredemption Site located at www.rockstargames.com/reddeadredemption | Cross-site Scripting (XSS) - Generic | nahamsec | Medium | 2017-09-25
Stored XSS with CRLF injection via post message to user feed | Cross-site Scripting (XSS) - Stored | fa1rlight | Medium | 2017-09-18
Stored XSS on member post feed | Cross-site Scripting (XSS) - Stored | 0x0luke | High | 2017-09-18
Comments Denial of Service in socialclub.rockstargames.com | Code Injection | ramsexy | Medium | 2017-09-11
Stored XSS in snapmatic comments | Cross-site Scripting (XSS) - Stored | alexbirsan | Medium | 2017-09-05
Reflected XSS via Double Encoding | Cross-site Scripting (XSS) - Reflected | injexxsor | Medium | 2017-09-01
Stored XSS in profile activity feed messages | Cross-site Scripting (XSS) - Stored | alexbirsan | Medium | 2017-08-28
flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf | None supplied | netfuzzer | Medium | 2017-08-25
dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) | Cross-site Scripting (XSS) - DOM | netfuzzer | Medium | 2017-08-24
dom based xss in https://www.rockstargames.com/GTAOnline/ | Cross-site Scripting (XSS) - Reflected | netfuzzer | Medium | 2017-08-21
Ability to post comments to a crew even after getting kicked out | Violation of Secure Design Principles | anshuman_bh | Medium | 2017-08-08
CSRF Vulnerability allows attackers to steal SocialClub private token. | None supplied | netfuzzer | High | 2017-08-03
XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js | Cross-site Scripting (XSS) - Reflected | netfuzzer | Medium | 2017-07-17
Control characters incorrectly handled on Crew Status Update | Code Injection | zuhnny1 | Low | 2017-06-23
<- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information -> | Cross-Site Request Forgery (CSRF) | rz01 | Critical | 2017-05-24
Profile bio at rockstar is accepting control characters | None supplied | exception | No rating | 2017-05-23
Control Character Injection In Messages | Improper Authentication - Generic | exception | No rating | 2017-05-23
use of unsafe host header leads to open redirect | Violation of Secure Design Principles | exception | No rating | 2017-05-01
Full path Disclosure in Rockstargames.com██████████ | Information Disclosure | pappan | Low | 2017-04-28
Login form on non-HTTPS page | Cleartext Transmission of Sensitive Information | scraps | Medium | 2017-04-26
SSLv3 POODLE Vulnerability | Violation of Secure Design Principles | rmtyronerf | Low | 2017-04-09
[IMP] - Blind XSS in the admin panel for reviewing comments | Cross-site Scripting (XSS) - Generic | anshuman_bh | Medium | 2017-03-17
Source Code Disclosure (CGI) | Information Disclosure | cyberunit | Medium | 2017-03-17
DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request | Cross-site Scripting (XSS) - Generic | zombiehelp54 | Medium | 2017-03-17
Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire | Cross-site Scripting (XSS) - Generic | nahamsec | Medium | 2017-03-16
CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' | Cross-Site Request Forgery (CSRF) | nahamsec | Medium | 2017-03-11