In this situation, I can set any cookie on the dropbox.com domain (not www.dropbox.com). That means it may be able to influence www.dropbox.com: if the main Dropbox page does something with a cookie scoped to dropbox.com, then maybe I can do something on www.dropbox.com.
I found a nice thing: flash. Once the cookies "flash" and "bang" are given, the Dropbox page draws a pop-up box containing the text in "flash". But "bang" was a problem. It seems to be an HMAC of "flash". So I needed to find the "bang" value for my custom "flash".
I also found a function that unlinks a device in the security settings page. If I unlink a device, it shows me a flash message containing the device name. So I set the device name (the iPhone name) to an XSS text and unlinked it.
Now I can set the "flash" and "bang" values to any text.
Then set the malicious cookie from an HTML page. After that, make the victim navigate to www.dropbox.com (triggering the flash message).
There is a CSP, but the script is still executed on IE or Safari.
+) Currently, common XSS on dl-web.dropbox.com is out of scope for the bounty.
+) Now I think a flash depends on only one session.
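The weakness in the flash/bang scheme is that a valid (flash, bang) pair minted in one session verifies in any other, so a legitimately signed message (here, a device-unlink notice carrying the device name) can be tossed to a victim via a dropbox.com-scoped cookie. The following is an added example, not Dropbox code: it shows a session-independent MAC beside one bound to the session id, which matches the "depends on only one session" behaviour noted above, and HTML-escapes the message before rendering. The key, cookie names and session ids are constructed for the demo.

```python
import hashlib
import hmac
import html
from typing import Optional

# Constructed server-side secret for this demo; a real deployment keeps it out of source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def weak_bang(flash: str) -> str:
    """Session-independent MAC over the flash text alone: the pattern the report describes.
    Any pair (flash, bang) obtained in one session verifies in every other session."""
    return hmac.new(SERVER_KEY, flash.encode(), hashlib.sha256).hexdigest()


def bound_bang(flash: str, session_id: str) -> str:
    """MAC that also covers the session id, so a pair minted in one session does not
    verify in another. A length prefix keeps the two fields from being re-split ambiguously."""
    msg = len(session_id).to_bytes(4, "big") + session_id.encode() + flash.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_flash(cookies: dict, session_id: str, bound: bool = True) -> Optional[str]:
    """Return the HTML for the flash pop-up, or None if the cookies do not verify.
    The message is HTML-escaped before it is placed in the page, so a device name
    containing markup is shown as text rather than executed."""
    flash = cookies.get("flash")
    bang = cookies.get("bang")
    if flash is None or bang is None:
        return None
    expected = bound_bang(flash, session_id) if bound else weak_bang(flash)
    # Constant-time comparison on bytes; mismatched lengths simply fail.
    if not hmac.compare_digest(expected.encode(), bang.encode()):
        return None
    return '<div class="flash">' + html.escape(flash, quote=True) + "</div>"


def demo() -> dict:
    """Constructed scenario: a pair minted in session 'A' is presented in session 'B'."""
    text = "Unlinked device <script>alert(1)</script>"  # constructed device name
    tossed_weak = {"flash": text, "bang": weak_bang(text)}
    tossed_bound = {"flash": text, "bang": bound_bang(text, "A")}
    return {
        "weak_scheme_in_other_session": render_flash(tossed_weak, "B", bound=False),
        "bound_scheme_in_other_session": render_flash(tossed_bound, "B"),
        "bound_scheme_in_own_session": render_flash(tossed_bound, "A"),
    }
```

With the weak scheme the tossed pair still renders in session B (escaped, so no script runs); with the session-bound scheme it is rejected there and only renders in session A.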
2015/05/02 Fixed. A bounty of $1,331.