Thursday 19 July 2018

[Dropbox] Cross domain data leakage for js files

Summary:

Before the h1-3120 2018 event, Nathanial, a Security Engineer from Dropbox, introduced some of their favourite bugs to the hackers invited to that event.
One of them was "Cross domain data leakage for js files", reported by h1/dumeelvavvalu; it was my favourite bug among them.
On 10th July 2018, I found the exact same bug again, reintroduced by recent code refactoring.

POC:

Details:

The Dropbox shared link used in the PoC is protected by an ACL, so normally only users who have access to that particular file can read it. Because a script tag is allowed to fetch script files from any origin, and the victim's browser sends that request with the victim's own Dropbox session, an attacker can read the file's data by getting a user who has access to visit a malicious page.

Dropbox fixed it by changing the Content-Type to application/binary.
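As an added example (not the post author's or Dropbox's code), the following helper audits the response headers of a user-uploaded file and reports whether a cross-origin script tag could still execute it, next to the header set that closes the gap; the sample header sets are constructed, and the decision rules follow the Fetch standard's MIME-type blocking for script requests.

```javascript
// Added example (not Dropbox's or the post author's code). The header sets
// below are constructed to model how a shared-link download might be served.

// MIME types a browser is willing to execute as JavaScript.
const SCRIPT_MIME_TYPES = new Set([
  "text/javascript", "application/javascript", "application/x-javascript",
  "application/ecmascript", "text/ecmascript", "text/jscript",
]);

function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? String(headers[key]) : "";
}

// True when a third-party page's <script src=...> pointing at this response
// would execute its body (and so can observe the file via side effects).
// Browsers only refuse to run image/*, audio/*, video/* and text/csv, or any
// non-script type when X-Content-Type-Options: nosniff is present; without
// nosniff, a non-script Content-Type alone does not stop execution.
function scriptExecutableCrossOrigin(headers) {
  const mime = headerValue(headers, "Content-Type").split(";")[0].trim().toLowerCase();
  const nosniff = headerValue(headers, "X-Content-Type-Options").trim().toLowerCase() === "nosniff";
  if (/^(image|audio|video)\//.test(mime) || mime === "text/csv") return false;
  if (nosniff) return SCRIPT_MIME_TYPES.has(mime);
  return true;
}

// Headers for serving an ACL-protected user file: the non-script Content-Type
// named in the post (application/binary), nosniff so a file called data.js is
// never sniffed into a script, and Content-Disposition to force a download.
function hardenedHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, "_");
  return {
    "Content-Type": "application/binary",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": `attachment; filename="${safeName}"`,
  };
}

// Audit three constructed ways of serving a shared link to user-data.js.
function auditSharedLinkResponses() {
  const samples = {
    vulnerable: { "Content-Type": "application/javascript; charset=utf-8" },
    typeOnly: { "Content-Type": "application/binary" },
    hardened: hardenedHeaders("user-data.js"),
  };
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    report[name] = scriptExecutableCrossOrigin(headers) ? "EXECUTABLE" : "blocked";
  }
  return report;
}
```

Running `auditSharedLinkResponses()` marks both the script MIME type and the bare `application/binary` response as executable, and only the nosniff-protected response as blocked.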