Introduction:
survey.dropbox.com was pointing to mysurveylab.com, and any of mysurveylab.com's forms were accessible through survey.dropbox.com. This led to stored XSS at survey.dropbox.com because mysurveylab.com's forms were vulnerable to XSS.
Impact: Nothing as far as I know. Except phishing!
POC:
Vulnerable section:
Timeline:
- Reported: Jan 14th 2017
- Closed as Informative: Jan 14th 2017
- MySurveyLab fixed the bug within a week (not sure).
The Chooser is the fastest way to get files from Dropbox into your web app. It's a small JavaScript component that enables your app to get files from Dropbox without having to worry about the complexities of implementing a file browser, authentication, or managing uploads and storage. -Dropbox
- DBID :
DBID is a Dropbox account ID from which you can get the account owner's name and email address through this endpoint.
How Chooser works:
- A third party website embeds the chooser.
- Then anyone visiting that website can share their files from Dropbox to that particular website.
- You can try this at https://www.dropbox.com/developers/chooser.
Bug:
As can be seen, the Chooser was sharing not only the temporary download link with the third party but also the DBID.
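One way a file-picker widget can guard against this class of over-sharing, as an added example that is not Dropbox's code and not part of the original write-up: build the payload for the embedding site from an allowlist, then scan it for account identifiers before it leaves the origin. The field names, the sample record and the `dbid:` prefix pattern are assumptions made for the illustration.

```javascript
// Added example: field names and sample values are constructed, not Dropbox's real schema.
const ALLOWED_FIELDS = new Set(["name", "link", "bytes", "icon"]);
// Assumption: account identifiers are strings carrying a "dbid:" prefix.
const ACCOUNT_ID_RE = /dbid:[A-Za-z0-9_-]+/;

// Walk any JSON-like value and collect the paths of strings that contain an account id.
function findAccountIds(value, path = "$", hits = []) {
  if (typeof value === "string") {
    if (ACCOUNT_ID_RE.test(value)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findAccountIds(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) findAccountIds(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Build the third-party payload field by field; never copy the internal record wholesale.
function toThirdPartyPayload(internalFiles) {
  const files = internalFiles.map((f) => {
    const out = {};
    for (const key of ALLOWED_FIELDS) {
      if (Object.prototype.hasOwnProperty.call(f, key)) out[key] = f[key];
    }
    return out;
  });
  // Second line of defence: an allowlisted field (e.g. a URL) may still embed the id.
  const leaks = findAccountIds(files);
  if (leaks.length > 0) {
    throw new Error(`account id would leave the origin at: ${leaks.join(", ")}`);
  }
  return files;
}

// Constructed sample of what the widget might hold internally for a selected file.
const internalSelection = [{
  name: "report.pdf",
  link: "https://dl.example.invalid/tmp/abc123/report.pdf",
  bytes: 48211,
  icon: "https://example.invalid/icons/pdf.png",
  owner: { account_id: "dbid:CONSTRUCTED_SAMPLE_0001" },
  uploader_dbid: "dbid:CONSTRUCTED_SAMPLE_0001",
}];

console.log(findAccountIds(internalSelection));   // paths that must not be shared
console.log(toThirdPartyPayload(internalSelection));
```

The same scan can run in an integration test against the message the widget actually posts to the embedding page, so a newly added internal field cannot silently reach third parties.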
POC:
Timeline:
- Reported: Jan 7th 2018
- Triaged: Jan 9th 2018
- Closed as resolved: Jan 20th 2018