2012 Dropbox Hack Spilled Emails, Hashed Passwords on 68 Million
When hackers infiltrated Dropbox in 2012 they made off with credentials for roughly 68 million users. The fact that the online storage site was hacked four years ago was no secret. But details around the sheer size of the stolen database, which contains users’ email addresses plus hashed and salt...
Dropbox Hacked — More Than 68 Million Account Details Leaked Online
Hackers have obtained credentials for more than 68 Million accounts for online cloud storage platform Dropbox from a known 2012 data breach. Dropbox has confirmed the breach and already notified its customers of a potential forced password resets, though the initial announcement failed to specify...
Dropbox Forces Password Reset for Older Users
Online storage service Dropbox began notifying users over the weekend that if they haven’t updated their password since 2012, they’ll be prompted to update it the next time they log into their account. The company claims the move is “purely a preventative measure” and stressed that there’s no pro...
Dropbox: XSS in OAuth Redirect Url
Hello guys, I found an XSS vulnerability in the OAuth Redirect Url parameter. So, deep into the bug: Go to https://www.dropbox.com/developers/ Create an application In Redirect URIs, if you try to add javascript:alert1 it will tell you that the javascript protocol is not accepted. But if you try to...
Dropbox: Subtile Code Injection Vulnerability in Dropbox for Windows
A mistake in our compilation meant that one of our Qt libraries was unintentionally loading an openssl.cnf from another user on Windows. The config file allowed the other user to specify a DLL to load, which meant that a user with this specific username could escalate privileges and execute code a...
Multiple vulnerabilities in Drupal Dropbox client module
Drupal is a free, open source content management system developed in PHP and maintained by the Drupal community. Dropbox client is one of the modules used by Drupal users to interact with the Dropbox API. Cross-site scripting vulnerabilities and security bypass vulnerabilities in versions 7.x-3.x ...
Dropbox Local Code Execution Vulnerability
Dropbox is a set of open source, cross-platform file online storage, synchronization, and sharing software from Dropbox, Inc. A local code execution vulnerability exists in Dropbox versions 6.4.14 and earlier. A local attacker can exploit this vulnerability to execute arbitrary code in the contex...
Dropbox 6.4.14 DLL Hijacking
Aloha, Summary Dropbox Installer for Windows contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. The vulnerability exists because a DLL file is loaded improperly by 'DropboxInstaller.exe'. And it allows an...
Post Exploitation Powershell Tool: mimikittenz
Post Exploitation Powershell Tool mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory in order to extract plain-text passwords from various target processes. mimikittenz can also easily extract other kinds of juicy info from target processes usi...
Dropbox: XSS, Unvalidated redirects & phishing website hosting on dropbox servers
The report points out that Dropbox allows uploading and hosting HTML; this enables spam and phishing risks as well as XSS on dropboxusercontent.com. We continuously monitor our service for abusive use and take down such content; additionally, we are continuously improving our protections in this...
Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027
This module enables you to view dropbox files in your Drupal site. The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to...
Dropbox: Lack of account link warning enables dropbox hijacking
When I install dropbox on linux via the CLI, I get given a URL containing a token: https://www.dropbox.com/clilinknonce?nonce=blah I can give this token to another user and pretend it's a link to a dropbox file. If they aren't logged in when they click it, they will land on the login page. If the...
Dropbox: Dropbox apps Server side request forgery
Hi, SSRF is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server. Usually, Server Side Request Forgery SSRF attacks target internal systems behind the firewall that are normally inaccessible from the outside world but using SSRF it’s possible...
Dropbox Acquisitions: Session hacking
I hereby want to report a vulnerability, i.e. session hacking. Summary ======== An attacker can still perform activities in a browser with the user's account if the user changed his/her password in another browser. Detail ===== If a user logged in to the account in two or more browsers and changed the password in one of...
Dropbox: No Rate Limiting while sending the feedback under Dropbox Help Centre
The original report allows repeatedly giving "not helpful" as feedback for a help article. Observation:- It was observed that there is no rate limiting in place for the endpoint, which looks like the one below:- Vulnerable URL:- https://www.dropbox.com/helpajax/articles/274/feedback/unhelpful...
GC Plugin for Dropbox - Suspicious files, Unsafe deleting vulnerabilities
HackApp vulnerability scanner discovered that application GC Plugin for Dropbox published at the 'play' market has multiple vulnerabilities...
Dropbox: Possible SQL injection can cause denial of service attack
Hi there, The https://www.dropbox.com// double slash request returns an Internal Server Error 500 and doesn't return a 404, so I believe it may be an injection. https://www.dropbox.com//shell.php any text added after the double slash will cause the same thing. It is a valid bug and should be...
China APT Gang Targets Hong Kong Media via Dropbox
An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries, has now pointed its focus inward at China’s autonomous territory Hong Kong. An August attack against several media companies in Hong Kong was carried out shortly after a...
China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets
FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat APT group and other researchers refer to as...