Referer Leakage Vulnerability in socialclub.rockstargames.com/crew/ leads to FB'S OAuth token theft.

In this report, the researcher demonstrated a method to chain together separate vulnerabilities that, under certain conditions, could cause a user's Facebook Oauth tokens to leak via the Referer header. In this instance, an Open Redirect vulnerability was utilized to exploit the fact that the full URI is shared in the Referer header when going from Rockstar-owned domains to other Rockstar domains. The Open Redirect is the subject of a separate report; in this report, we addressed the problem by strengthening the Referer header policy with `<meta name="referrer" content="origin" />`. This fixed this issue, and it is no longer exploitable.