In this report, the researcher demonstrated a method to chain together separate vulnerabilities that, under certain conditions, could cause a user's Facebook Oauth tokens to leak via the Referer header. The specific vulnerability that was addressed in this report was the image injection component of the attack chain. Specifically, the researcher found an image injection vulnerability impacting
https://www.rockstargames.com/careers#/offices/ that when combined with other vulnerabilities would cause the behavior described above. We have since fixed multiple components of this attack chain, including an open redirect and the image injection vulnerability initially described in this report.