Tuesday 25 September 2018

[XSS] survey.dropbox.com


Introduction: 

survey.dropbox.com was pointing to mysurveylab.com, and any mysurveylab.com form was accessible through survey.dropbox.com. This led to stored XSS at survey.dropbox.com, because mysurveylab.com's forms were vulnerable to XSS.

Impact: Nothing as far as I know. Except phishing!
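The general lesson of this post is that delegating a subdomain to a third party imports that party's bugs into your own origin. The following is an added example, not code from the post or from Dropbox: it audits a zone's CNAME records for delegations to hosts outside the first-party domain and, going one step beyond the post, reports which parent-domain cookies a browser would send to each delegated subdomain under the RFC 6265 domain-matching rule. All records, hostnames and cookies are constructed for the example.

```javascript
// Added example (not from the post): audit third-party subdomain delegations and
// the parent-domain cookies a browser would send to them. Everything below is
// constructed sample data, not real DNS or Dropbox data.
const ZONE_RECORDS = [
  { name: 'www.example.com',    type: 'A',     target: '203.0.113.10' },
  { name: 'survey.example.com', type: 'CNAME', target: 'forms.survey-vendor.example' },
  { name: 'cdn.example.com',    type: 'CNAME', target: 'static.example.com' },
];

// Cookies as a browser would store them for the parent site. A cookie set with
// an explicit Domain attribute is sent to every subdomain of that domain; a
// host-only cookie (no Domain attribute) is sent to that exact host alone.
const BROWSER_COOKIES = [
  { name: 'session', domain: 'example.com',     hostOnly: false },
  { name: 'csrf',    domain: 'www.example.com', hostOnly: true },
  { name: 'pref',    domain: 'example.com',     hostOnly: false },
];

// Domains we consider our own; anything else a CNAME points at is third party.
const FIRST_PARTY_SUFFIXES = ['example.com'];

function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// RFC 6265 domain match: the host equals the domain or is a subdomain of it.
function domainMatches(host, domain) {
  const h = normalizeHost(host);
  const d = normalizeHost(domain);
  return h === d || h.endsWith('.' + d);
}

function isFirstParty(host) {
  return FIRST_PARTY_SUFFIXES.some((suffix) => domainMatches(host, suffix));
}

// Names of the cookies a browser would attach to a request for `host`.
function cookiesSentTo(host, cookies) {
  return cookies
    .filter((c) => (c.hostOnly
      ? normalizeHost(host) === normalizeHost(c.domain)
      : domainMatches(host, c.domain)))
    .map((c) => c.name);
}

// Every CNAME that leaves the first-party domain, with the cookies exposed to it.
function auditDelegations(records, cookies) {
  return records
    .filter((r) => r.type === 'CNAME' && !isFirstParty(r.target))
    .map((r) => ({
      name: r.name,
      target: r.target,
      exposedCookies: cookiesSentTo(r.name, cookies),
    }));
}

// Usage: one finding, survey.example.com -> forms.survey-vendor.example,
// with the domain-scoped cookies 'session' and 'pref' sent to it.
console.log(JSON.stringify(auditDelegations(ZONE_RECORDS, BROWSER_COOKIES), null, 2));
```

The cookie column is the practical reason such a delegation is more than a cosmetic issue: a stored XSS on the delegated host runs in a subdomain that receives every cookie scoped to the parent domain, so the audit should be re-run whenever DNS changes.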


POC:




Vulnerable section:




Timeline:
  • Reported: Jan 14th 2017
  • Closed as Informative: Jan 14th 2017
  • MySurveyLab fixed the bug within a week (not sure).




Thursday 20 September 2018

DBID leakage through Dropbox Chooser

Introduction:


  • Chooser:
The Chooser is the fastest way to get files from Dropbox into your web app. It's a small JavaScript component that enables your app to get files from Dropbox without having to worry about the complexities of implementing a file browser, authentication, or managing uploads and storage. -Dropbox

  • DBID:

    DBID is a Dropbox account ID from which you can get the account owner's name and the email ID attached to it through this endpoint.


How Chooser works:


  • A third party website embeds the chooser.
  • Then anyone visiting that website can share their files from Dropbox to that particular website.
  • You can try this at https://www.dropbox.com/developers/chooser.

Bug:



As can be seen, the Chooser was sharing not only the temporary download link with the third party but also the DBID.
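The defensive pattern behind this fix is data minimization at the boundary between the picker and the embedding site: release only the fields the host page needs, and have the host accept messages only from the picker's origin. The following is an added example, not Dropbox's Chooser code; it assumes a picker window that hands its selection back to the embedding page with postMessage (the host origin, picker origin, file metadata and the `dbid:` placeholder are all constructed).

```javascript
// Added example (not Dropbox code): a picker/host message exchange that releases
// an allowlisted subset of file metadata and validates the sender origin.
// Origins and file data below are constructed for the example.
const HOST_ORIGIN = 'https://host.example';
const PICKER_ORIGIN = 'https://picker.example';

// Fields the embedding site legitimately needs; anything else stays internal.
const RELEASED_FIELDS = ['name', 'link', 'bytes', 'icon', 'isDir'];

// What the picker holds internally about the selected file (constructed).
const INTERNAL_SELECTION = {
  name: 'report.pdf',
  link: 'https://files.example/temp/abc123?dl=1',
  bytes: 12345,
  icon: 'https://files.example/icons/pdf.png',
  isDir: false,
  owner_id: 'dbid:EXAMPLE-PLACEHOLDER',   // account identifier: must not leave
  owner_email: 'owner@example.org',       // likewise
};

// Copy only the allowlisted fields; unknown or sensitive keys are dropped.
function minimizeSelection(internal) {
  const released = {};
  for (const key of RELEASED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(internal, key)) released[key] = internal[key];
  }
  return released;
}

// Picker side: post the minimized payload, targeted at the host's origin only.
function postSelection(openerWindow, selection, hostOrigin) {
  openerWindow.postMessage(
    { type: 'chooser:selected', files: [minimizeSelection(selection)] },
    hostOrigin,
  );
}

// Host side: build a `message` event handler that accepts only the picker's
// origin and the expected message type. Returns true when a message is accepted.
function makeHostHandler(pickerOrigin, onFiles) {
  return (event) => {
    if (event.origin !== pickerOrigin) return false;
    if (!event.data || event.data.type !== 'chooser:selected') return false;
    if (!Array.isArray(event.data.files)) return false;
    onFiles(event.data.files);
    return true;
  };
}

// Simulated exchange with a stand-in for window.opener, so it runs without a browser.
function runExchange() {
  const sent = [];
  const fakeOpener = {
    postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); },
  };
  postSelection(fakeOpener, INTERNAL_SELECTION, HOST_ORIGIN);

  const received = [];
  const onMessage = makeHostHandler(PICKER_ORIGIN, (files) => received.push(...files));
  // Same payload delivered first from a spoofed origin, then from the real picker.
  const rejected = onMessage({ origin: 'https://attacker.example', data: sent[0].data });
  const accepted = onMessage({ origin: PICKER_ORIGIN, data: sent[0].data });
  return { sent, received, rejected, accepted };
}

console.log(JSON.stringify(runExchange().sent[0], null, 2));
```

The allowlist is the part that would have prevented this bug: a field added to the internal record (here `owner_id`) does not reach the third party unless someone deliberately adds it to `RELEASED_FIELDS`, which is the review point you want.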

POC:




Timeline:
  • Reported: Jan 7th 2018
  • Triaged: Jan 9th 2018
  • Closed as resolved: Jan 20th 2018

Thursday 19 July 2018

[Dropbox] Cross domain data leakage for js files

Summary:


Before the h1-3120 2018 event, Nathanial, a Security Engineer from Dropbox, introduced some of their favourite bugs to the hackers invited to that event.
One of them was cross-domain data leakage for JS files, reported by h1/dumeelvavvalu; this was my favourite bug among them.
On 10th July 2018, I found the exact same bug, reintroduced by recent code refactoring.

POC:




Details:


The Dropbox shared link used in the PoC is protected by an ACL, so normally only users who have access to that particular file can read it. Since a script tag can fetch script data from any origin, an attacker can read the file's contents by getting a victim who has access to it to visit a malicious page that includes the link as a script.

Dropbox fixed it by changing the Content-Type to application/binary.
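The post reports the fix as a Content-Type change. The following is an added example, not Dropbox's code, showing the header set a server would apply to shared-link downloads and a check for whether a `<script src>` include of such a response would be blocked. It assumes `X-Content-Type-Options: nosniff` and an attachment `Content-Disposition` alongside a binary type, which goes beyond what the post states: browsers execute a script include regardless of its Content-Type unless the response carries `nosniff` and a non-JavaScript type, so the type change is only effective in combination with it. The sample responses at the bottom are constructed.

```javascript
// Added example (not Dropbox code): hardened headers for shared-link downloads and
// a check for script-include blocking. The nosniff/attachment pairing is an
// assumption about reasonable hardening, not Dropbox's actual configuration.

// MIME types browsers treat as JavaScript (a subset of the Fetch standard's list).
const JS_MIME_TYPES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript',
  'application/ecmascript', 'application/x-ecmascript',
  'text/ecmascript', 'text/x-javascript', 'text/x-ecmascript', 'text/jscript',
]);

// Case-insensitive header lookup on a plain {name: value} object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? '' : String(headers[key]);
}

// "text/javascript; charset=utf-8" -> "text/javascript"
function mimeEssence(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Headers for serving user-stored file bytes through a shared link: a binary type
// so the body is never treated as script, nosniff so the type is honoured, and an
// attachment disposition so navigations download rather than render.
function sharedLinkHeaders(fileName) {
  const safeName = fileName.replace(/["\\\r\n]/g, '_');
  return {
    'Content-Type': 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  };
}

// True when a <script src> load of this response would be refused by the browser:
// that requires nosniff AND a non-JavaScript MIME type. Without nosniff the body
// is executed as script whatever the Content-Type says.
function scriptIncludeBlocked(headers) {
  const nosniff = headerValue(headers, 'x-content-type-options').trim().toLowerCase() === 'nosniff';
  const essence = mimeEssence(headerValue(headers, 'content-type'));
  return nosniff && !JS_MIME_TYPES.has(essence);
}

// Constructed sample responses, labelled by state.
const SAMPLE_RESPONSES = {
  'text type, no nosniff':       { 'Content-Type': 'text/plain' },
  'binary type, no nosniff':     { 'Content-Type': 'application/octet-stream' },
  'js type with nosniff':        { 'Content-Type': 'application/javascript; charset=utf-8',
                                   'X-Content-Type-Options': 'nosniff' },
  'hardened shared link':        sharedLinkHeaders('notes.js'),
};

// Map each sample to whether a cross-origin script include would be blocked.
function auditResponses(samples) {
  const report = {};
  for (const [label, headers] of Object.entries(samples)) {
    report[label] = scriptIncludeBlocked(headers);
  }
  return report;
}

console.log(auditResponses(SAMPLE_RESPONSES));
```

The audit makes the gap visible: a binary Content-Type on its own, or a JavaScript type with `nosniff`, both still execute when included via a script tag; only the combination of a non-script type and `nosniff` blocks the include, which is the condition a regression test for this class of bug should assert on.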