Security News > 2020 > February > Dropbox Passes $1M Milestone for Bug-Bounty Payouts

To mark the occasion, Dropbox also revealed details on a handful of older, resolved bugs for the first time.

The issue involved a feature for Dropbox Professional and Business users that allows them to password-protect their shared links via an option in Link Settings.

Cache-money created a user with the name First Name and shared a document with 0xacb to see what would happen; the response tipped them off that HTML injection was possible - but that cross-site scripting was prevented by Dropbox' use of DOMPurify, an XSS sanitizer for HTML. The Dropbox internal security team got involved in probing the issue, and soon uncovered that DOMPurify was however allowing tags in user names in the default configuration.

"Normally, an attacker can leverage CSS injection to exfiltrate sensitive tokens from the page using selectors; however, the payload needed to perform this kind of attack usually requires hundreds of characters, not 80," Dropbox explained.

"Thesebugs discussed are just a few examples that validated the diligent work and impact of the Dropbox Security team, revealed how different risks can manifest from multiple directions, and helped make Dropbox a safer and more secure platform."

News URL

https://threatpost.com/dropbox-1m-milestone-bug-bounty-payouts/152621/