Uh, what?

Unless this reveals actual information about the valid account, this is a sev:informational finding on any professional assessment. In other words: you probably wouldn't even list it as a vulnerability.

I'm not sure I've ever seen an application that didn't have an account ID distinguisher somewhere in it. All you need is a place that generates "Permission denied" instead of "Not found".

Publicly calling out Dropbox for something that has extremely minimal real-world impact is bad form. Dropbox might care that there's a method to count accounts (I doubt it, since most of those accounts are free, so you can't work them back to financials), but it's not a matter of Internet safety and hygiene.
Believe it or not, this was intentional and an homage to Slashdot (the concept of having low IDs that are publicly viewable), however obscure.

The public link feature was actually a proof of concept and never intended to stick around :)

But anyway, having this information doesn't let you do anything but get a rough count of our users, so saying it's a security issue is a stretch. There are no public-facing forms or inputs that take these values as input.