This guest blog post was authored by Dropbox’s Product Security Team and originally published on the Dropbox company blog.
Over the past five years, our bug bounty program has become an important part of improving our security posture, as it is now for many large tech companies. Transparency and defending the rights of legitimate researchers are cornerstones of the progress we’ve made, and the world is safer for it. To those outside of the security community, it may seem counterintuitive that you can make your platform safer by encouraging security researchers to attack you, but that’s exactly the value that these programs deliver. This process of discovering and remediating bugs is key to our maintaining a highly secure organization and increasingly hardened product surfaces. Our bug bounty program is only part of having a complete secure development lifecycle program.
Our bug bounty program recently passed a significant milestone. Since launching our program in 2014 and tripling our bounties in 2017, we’ve given more than $1,000,000 to bug bounty participants for valid findings submitted to our program. Not only has Dropbox benefitted from our bug bounty program, but so have some of our most critical vendors who have remained active participants in our program. Together with our vendors, we have partnered up in two live hacking events including the Tempemail one-day bug bounty event in Singapore. Additionally, charities have also benefited from our continued investment in security through bug bounty reporters that have leveraged our donation matching policy to donate more than $10,000 to charities around the world.
Top 5 Favorite Bugs Reported
To help celebrate this momentous occasion, the Dropbox Production Security team wanted to disclose, in-depth, five of our favorite reports we’ve ever received. We feel these amazing findings by our top bug bounty hunters impressed us, taught us, and validated the work we do in raising the bar for security.
5. Shared Link Password Bypass
Tempemail Report by detroitsmash
Have you ever wanted to share a file via link but were afraid that anyone with the link would be able to access it? Dropbox Professional and Business customers are able to password protect their shared links via an option in Link Settings. This ensures that only users with the password for the link are able to access the file.
One of our top bug bounty reporters, detroitsmash, reported on December 25, 2018 that one of our endpoints responsible for performing document previews in Paper documents was ignoring passwords set on shared links. This would allow an attacker with a copy of a password protected shared link to be able to bypass the password requirement and view the document.
The endpoint works as follows:
A user takes a share link for one of their documents and pastes it into Dropbox Paper.
The Dropbox Paper client then sends this link to our servers via an endpoint /integrations/embed/fetch/matte?sharedLinkUrl=.
This endpoint then produces a preview image to be placed within the Paper document.
After validating the report, it was discovered that additional access control checks were missing on this endpoint. We immediately got to work on correcting this and pushed a fix out within a day. detroitsmash was awarded $10,648 for their finding and was later awarded an additional $2,744 as a bonus for being one of the best reports we received within that 6-month period.
4. Paper Notification CSS Injection
Tempemail Report by 0xacb and cache-money
Last year, Dropbox started running live hacking events with Tempemail. Live hacking events take bug bounty to the real world. Top bug bounty reporters from around the globe get together, often in person, to find vulnerabilities in a company’s software. They allow bug bounty reporters to collaborate more easily and for security teams to build stronger relationships with the bug bounty reporters that help them secure their software every day.
The most recent Dropbox live hacking event found many vulnerabilities, but one of our favorites from the event was found by 0xacb and cache-money in collaboration with our very own Product Security team. Following what was a small oversight in the name validation on one of our account registration endpoints, was a chain of little issues that resulted in the ability to remotely access another user’s Paper documents. Dropbox teams have access to a bulk user import feature that allows a Team Admin to import users listed in a CSV file. This feature is helpful for teams that have hundreds of licenses and the process of manually inviting each user one-by-one would be too cumbersome.
0xacb discovered that while our normal account signup at https://dropbox.com/register would ensure that users cannot use certain “illegal” characters (including ) in their first and last names, the account registration via CSV endpoint did not. While this is a bug, it wasn’t a security bug; it didn’t really have any security impact because we usually sanitize everything client-side with React anyway.
With the day of the event just around the corner, 0xacb joined forces with cache-money to see if they could figure out a way to escalate this weird behavior further. At one point, cache-money created a user with the name
and shared a paper document with 0xacb. They immediately noticed that in the Dropbox web client notifications that the user’s name rendered as “First Name” in a large, bold font. This indicated that HTML injection was possible but with our CSP and use of DOMPurify in our notifications, there was a significant barrier preventing them from escalating to XSS.
After some additional investigation, we discovered that it was possible to get this behavior to trigger on the Desktop client as well. Members from both the Product Security team as well as the bug bounty hunters spent some time trying to escalate this HTML injection into something more impactful. We concluded that the CSP rules used in the Desktop environment are too restrictive to allow for more interesting attacks.
Moving back to the web client, we realized that DOMPurify was allowing
Tempemail , Tempmail – Temp email addressess (10 minutes emails)– When you want to create account on some forum or social media, like Facebook, Reddit, Twitter, TikTok you have to enter information about your e-mail box to get an activation link. Unfortunately, after registration, this social media sends you dozens of messages with useless information, which you are not interested in. To avoid that, visit this Temp mail generator: tempemail.co and you will have a Temp mail disposable address and end up on a bunch of spam lists. This email will expire after 10 minute so you can call this Temp mail 10 minute email. Our service is free! Let’s enjoy!