How the Dropbox Offensive Testing Security Team Discovers Zero-Day Vulnerabilities


Fully [H]
Apr 10, 2003
Dropbox has multiple security teams to make sure that your data is secure and safe. They also conduct red team training exercises where the red team takes on the role of an attacker, and the other teams have to respond to the threat. During a recent offensive training exercise with Syndis; a third-party partner, multiple zero-day vulnerabilities in Apple macOS and Safari were discovered. Just visiting a web page with malware installed on it could trigger the exploit. Apple was able to issue a security update within a month to protect Dropbox and macOS users.

This engagement was a win for us, for Apple, and for internet users on various levels. Not only did we get to test our defensive posture, we also made the internet safer by identifying and reporting vulnerabilities in macOS. Syndis went above and beyond in finding this exploit chain during our engagement, and using it during our attack simulation exercise allowed us to test our readiness against attacks using zero-day vulnerabilities. This is an excellent example of the security community becoming stronger because of good actors doing the right thing.