Privilege escalation allows an admin to take over the org by inviting a user as owner

Disclosed by amitkh7888
  • Engagement: Dropbox
  • Disclosed date: about 2 years ago
  • Reward: $300
  • Priority: P3 (Bugcrowd's VRT priority rating)
  • Status: Resolved (this vulnerability has been accepted and fixed)
Summary by Dropbox

This report demonstrated a privilege escalation in which an attacker that already had the ability to invite users to join a team could replace the team owner. An attacker could exploit this vulnerability by modifying an invitation. A fix for the issue has been released and it was applied for existing users through an automatic update.

Summary by amitkh7888

Amit Khandebharad
《"Master Of Information Technology"》 《"Ceh-Master"》.... 《"Discovered 500+ bugs "》 《"BUGCROWD TOP 1000"》.... 《"ZOHO BugBounty 2nd Place Holder"》《"Bughunter"》....《"Internshala 2021 Hackathon Winner"》

Activity
  1. Kc_Zooropa (Customer) published the disclosure report
  2. JohnSmith (Customer) rewarded amitkh7888 $50
  3. amitkh7888 resolved a blocker for Dropbox by responding to comments
  4. amitkh7888 sent a message
  5. JohnSmith (Customer) created a blocker on the researcher to respond to comments
  6. JohnSmith (Customer) sent a message
  7. amitkh7888 requested disclosure
  8. JohnSmith (Customer) changed the state to Resolved
  9. JohnSmith (Customer) sent a message
  10. JohnSmith (Customer) resolved a blocker for Bugcrowd Operations by verifying payment information
  11. JohnSmith (Customer) rewarded amitkh7888 $250
  12. A Crowdcontrol user created a blocker on Dropbox to verify payment information
  13. amitkh7888 sent a message
  14. JohnSmith (Customer) changed the state to Unresolved
  15. JohnSmith (Customer) rewarded amitkh7888 10 points
  16. Tal_Bugcrowd sent a message
  17. Tal_Bugcrowd changed the state to Triaged
  18. Tal_Bugcrowd changed the severity to P3
  19. amitkh7888 sent a message
  20. amitkh7888 created the submission