Rockstar Games: Race condition vulnerability on "This Rocks" button.

ID H1:474021
Type hackerone
Reporter netfuzzer
Modified 2020-06-12T16:13:46


In this report, the researcher brought to our attention a misbehavior in the "This Rocks" button that we use on the Social Club site. Using curl and a proxy tool such as Burp Suite, an attacker could invoke the "This Rocks" API call multiple times in rapid succession, and the system would accept multiple invocations of the call. This could allow a user to spam the function and "rock" a post or other item multiple times, despite only being allowed to do so once. Ordinarily, issues in this category do not qualify for bounties in our program, but this one had a significant adverse impact on user experience, because the technique could be used to fill up a targeted victim's notifications inbox. This issue has since been resolved.
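
The following is an added example, not Rockstar's code or its actual fix, neither of which the report describes. It assumes the duplicate acceptance came from a check-then-write handler and contrasts that with an atomic insert guarded by a uniqueness constraint that only notifies when a row is really created; the schema, function names and the barrier that forces simultaneous arrival are all constructed for illustration.

```python
import sqlite3
import threading

N = 8  # constructed scenario: one user sends 8 identical requests at once

def make_db(unique):
    # Hypothetical schema; isolation_level=None means each statement autocommits.
    db = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
    constraint = ", UNIQUE(user_id, item_id)" if unique else ""
    db.execute(f"CREATE TABLE rocks (user_id INT, item_id INT{constraint})")
    db.execute("CREATE TABLE notifications (from_user INT, item_id INT)")
    return db

def rock_check_then_act(db, lock, barrier, user, item):
    # Assumed flawed pattern: the "already rocked?" check and the write are separate steps.
    with lock:  # lock only serializes use of the shared connection, not check+write
        seen = db.execute("SELECT 1 FROM rocks WHERE user_id=? AND item_id=?",
                          (user, item)).fetchone()
    barrier.wait()  # constructed: every request finishes its check before any write
    if seen is None:
        with lock:
            db.execute("INSERT INTO rocks VALUES (?, ?)", (user, item))
            db.execute("INSERT INTO notifications VALUES (?, ?)", (user, item))

def rock_atomic(db, lock, barrier, user, item):
    # Hardened: the UNIQUE constraint decides; notify only if a row was really inserted.
    barrier.wait()  # same simultaneous arrival as above
    with lock:
        cur = db.execute("INSERT OR IGNORE INTO rocks VALUES (?, ?)", (user, item))
        if cur.rowcount == 1:
            db.execute("INSERT INTO notifications VALUES (?, ?)", (user, item))

def run(handler, unique):
    # Returns (rows in rocks, rows in notifications) after N concurrent requests.
    db = make_db(unique)
    lock, barrier = threading.Lock(), threading.Barrier(N)
    threads = [threading.Thread(target=handler, args=(db, lock, barrier, 1, 42))
               for _ in range(N)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return tuple(db.execute(f"SELECT COUNT(*) FROM {name}").fetchone()[0]
                 for name in ("rocks", "notifications"))

if __name__ == "__main__":
    print("check-then-act:", run(rock_check_then_act, unique=False))
    print("unique + atomic insert:", run(rock_atomic, unique=True))
```

Because the constraint lives in the shared database rather than in application memory, the same guarantee holds when requests land on different application servers.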