Dropbox: User with Sender permission can get team information
A security researcher was able to use an account with the sender role to view all team information by issuing a crafted POST request to portal.helloworks.com/editteam, which disclosed information about the team's primary contact, even though access to that URL is forbidden for the sender role. The...