Dropbox for Business Mailing List Unsubscribe Users (Permission Issue)
I want to share my finding on a recent security issue I discovered on Dropbox for Business mailing list.
So, this bug allows me to unsubscribe any user account that is subscribed to Dropbox for Business mailing list.
I discovered a page (https://lp.dropboxteam.com/UnsubscribePage.html) that allows you to unsubscribe your own account, from the mailing list by specifying YOUR OWN email address into the page.
For normal flow, once the user submits his email address on that page a check should be performed based on his logged-in account, whether he's permissible to unsubscribe the email address submitted.If this check fails then action should be denied, right ?. The case in Dropbox was like if you submit any valid email address in the unsubscribe page, it will get unsubscribed without any permission check.See the below:
Video PoC:
I reported this issue to Dropbox Security, they said :
The attacker would require knowledge of the users email address, and even then the non-deliver of the emails in question would not impact emails like password rest emails, shared folder emails etc. To be specific, its not a security threat to Dropbox users.
So this issue remains unfixed (at least as of 22th May 2013)