First, as many people know, an HTML file uploaded to Dropbox is served as a rendered page without any filtering or escaping. This means that if we put JavaScript in the HTML file, we can execute arbitrary JavaScript on that page. However, the script runs on a sandbox domain, dl-web.dropbox.com, and the session cookie that matters is HttpOnly, so we cannot simply steal the user's session.

Still, although the sandbox page cannot read the cookies of the main subdomain (www.dropbox.com), it can set any cookie on the parent domain (.dropbox.com), and such a cookie is sent to www.dropbox.com as well. So a cookie set from dl-web.dropbox.com may be able to influence behaviour on www.dropbox.com.

Vulnerability

I found a nice feature: flash messages. A flash message is a small pop-up that appears for 1-2 seconds, and it is driven by cookies. When the two cookies "flash" and "bang" are present, the page draws a small message box containing the text stored in the "flash" cookie, after checking "flash" against the "bang" cookie. "bang" appears to be an HMAC of "flash". So what I needed was a valid "bang" value for a "flash" of my choosing.

I also found another function, on the security settings page, that unlinks a device. When I unlink a device, the page shows a flash message that contains the device name. So if I set the device name (for example an iPhone's name) to JavaScript code and then unlink that device, the server itself produces a correct "flash" and "bang" pair for the injected script.
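To make the root cause concrete, here is an added example (not Dropbox's code) that models the flash/bang mechanism described above: the server signs the flash text, and the page verifies the signature before showing it. The signing scheme (HMAC-SHA256 over the encoded flash), the key and the device name are constructed assumptions; the point is that a valid signature only proves the server produced the text, not that the text is safe to insert as HTML, so the fix is escaping at render time.

```python
import base64
import hashlib
import hmac
import html
from typing import Optional, Tuple

# Constructed secret: the real signing key on the server side is unknown.
SECRET_KEY = b"constructed-example-key"


def make_flash(kind: str, text: str) -> Tuple[str, str]:
    """Server side: build the 'flash' cookie and its 'bang' signature.

    Mirrors the observed layout ('ok:<text>', base64-encoded); the
    signature scheme itself (HMAC-SHA256 over the encoded flash) is assumed.
    """
    flash = base64.b64encode(f"{kind}:{text}".encode()).decode()
    digest = hmac.new(SECRET_KEY, flash.encode(), hashlib.sha256).digest()
    return flash, base64.b64encode(digest).decode()


def verify_flash(flash: str, bang: str) -> Optional[str]:
    """Return the decoded message if 'bang' is a valid signature, else None."""
    digest = hmac.new(SECRET_KEY, flash.encode(), hashlib.sha256).digest()
    expected = base64.b64encode(digest).decode()
    if not hmac.compare_digest(expected, bang):
        return None
    return base64.b64decode(flash).decode()


def render_unsafe(flash: str, bang: str) -> str:
    """Vulnerable pattern: a valid signature is taken as proof the text is safe."""
    msg = verify_flash(flash, bang)
    return "" if msg is None else f'<div class="flash">{msg}</div>'


def render_safe(flash: str, bang: str) -> str:
    """Fixed pattern: the signature proves origin; escaping makes the text inert."""
    msg = verify_flash(flash, bang)
    return "" if msg is None else f'<div class="flash">{html.escape(msg)}</div>'


if __name__ == "__main__":
    # Constructed device name of the same shape as the one in the write-up.
    device = "<img src=x onerror=alert(document.domain)>"
    flash, bang = make_flash("ok", f"{device} unlinked successfully.")
    print(render_unsafe(flash, bang))  # markup reaches the page intact
    print(render_safe(flash, bang))    # markup arrives as &lt;img ...&gt;
```

Scoping the two cookies to the exact host (for example with the `__Host-` cookie prefix) would additionally stop a sibling subdomain from planting them in the first place.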

Exploit

Now I can create a flash message with any text I want.

Upload an HTML file that sets the malicious cookies obtained from the device unlink function, and get the victim to open that page. The flash message then appears and attacks the victim as soon as the victim opens a Dropbox web page.

<script>
// Both cookies are set on the parent domain, so www.dropbox.com receives them too.
document.cookie="bang=QUFEZGthYS1CaTNfWUpYcDUwdjNxemVHSHlhSHJkU3BEdnhKRUxOZVZ3b2ZoUQ%3D%3D; Domain=dropbox.com; Path=/;";
document.cookie="flash=b2s6PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmRvbWFpbik%2BIHVubGlua2VkIHN1Y2Nlc3NmdWxseS4%3D; Domain=dropbox.com; Path=/";
// Send the victim to a www.dropbox.com page, which renders the flash message.
location.href="https://dropbox.com/forgot";
</script>

There is a CSP on the page, but the injected script still executes in IE and Safari.

2015/05/02: Fixed; a bounty of $1,331 was awarded.