Dropbox

Reports in last 90 days: 18
Disclosed resolved issues: 13
Disclosed informative issues: 3
Disclosed N/A issues:

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| None | Algorithmic complexity vulnerability in ZXCVBN leads to remote denial of service attack | Denial of Service | davidrenardy | Issue was not triaged | 3 days 0 hours | Informative |
| Low | Fedora installation instructions fetch repo and validation key from insecure source, allowing mitm attack | Missing Required Cryptographic Step | hanno | 0 days 8 hours | 0 days 21 hours | Resolved |
| No rating | XSS in OAuth Redirect Url | Cross-site Scripting (XSS) - Generic | hussein98d | 0 days 0 hours | 2 days 21 hours | Resolved |
| Low | Android - Access of some not exported content providers | Privilege Escalation | bagipro | 0 days 2 hours | 52 days 6 hours | Resolved |
| High | Significant Two step verification Authentication Bypass | Improper Authentication - Generic | david993 | Issue was not triaged | 0 days 0 hours | Informative |
| Medium | Forum posts and private messages are poorly sanitized, allowing execution of arbitrary JavaScript | Cross-site Scripting (XSS) - Stored | pikamander2 | 55 days 14 hours | 384 days 20 hours | Resolved |
| Low | URL modification changes server side behavior to allow access | Client-Side Enforcement of Server-Side Security | itay658 | 3 days 4 hours | 48 days 20 hours | Resolved |
| High | Disclose anonymous accessible link on embedded files in paper dropbox sessions | Insecure Direct Object Reference (IDOR) | karlito | Issue was not triaged | 32 days 1 hour | Informative |
| No rating | Dropbox Paper - Markdown XSS | Cross-site Scripting (XSS) - Stored | paulos_ | 2 days 23 hours | 345 days 22 hours | Resolved |
| No rating | Stored XSS in dropboxforum.com | Cross-site Scripting (XSS) - Stored | dumeelvavvalu | Issue was not triaged | 10 days 7 hours | Resolved |
| Low | Exposed Git Repo at http://fileserver.dropboxbusiness.com | Information Disclosure | todayisnew | 0 days 13 hours | 5 days 18 hours | Resolved |
| No rating | Dropbox employee benefits documents are available in a test Dropbox folder | None supplied | phwd | 0 days 2 hours | 0 days 8 hours | Resolved |
| None | Bypass Local Authentication (TouchID) | Improper Authentication - Generic | zeq3ul | Issue was not triaged | 4 days 21 hours | Not-applicable |
| High | User Impersonation - Create Support Ticket With Any Registered Account Email | None supplied | oaidjoaisdjoaisjdioasfsdhfuios | Issue was not triaged | 0 days 20 hours | Informative |
| Medium | Missing URL sanitization in comments can be leveraged for phishing | Phishing | leovin | Issue was not triaged | 0 days 8 hours | Informative |
| None | SSL Key Certificate expires | Improper Access Control - Generic | honccbb | Issue was not triaged | 2 days 8 hours | Informative |
| High | CSV Injection with the CVS export feature | None supplied | sunil995 | Issue was not triaged | 0 days 3 hours | Informative |
| No rating | Subtile Code Injection Vulnerability in Dropbox for Windows | Command Injection - Generic | fbogner | 0 days 9 hours | 70 days 0 hours | Resolved |
| No rating | [monitor.sjc.dropbox.com] CRLF Injection | None supplied | bobrov | 2 days 15 hours | 21 days 20 hours | Resolved |
| No rating | Can make any number of dropbox accounts with one email | Violation of Secure Design Principles | maxon_omar_saleh | Issue was not triaged | 0 days 5 hours | Not-applicable |
| No rating | XSS, Unvalidated redirects & phishing website hosting on dropbox servers | None supplied | coder13 | Issue was not triaged | 0 days 0 hours | Not-applicable |
| No rating | SSRF allows access to internal services like Ganglia | Information Disclosure | agarri_fr | 0 days 5 hours | 15 days 6 hours | Resolved |
| No rating | Lack of account link warning enables dropbox hijacking | Violation of Secure Design Principles | albinowax | 0 days 18 hours | 4 days 12 hours | Resolved |