Dropbox: A file sharer's dream tool?

Hackers have found a way to make Dropbox offer a BitTorrent-like file sharing service, but Dropbox management is not happy.

The folks behind Dropbox have not been having an easy time recently. First it was suggested their PC client might be insecure, then changes in their terms and conditions raised security concerns.

Now Dropbox's management is accused of trying to kill an intriguing open source project that turns the cloud storage service into a file sharing network.

Dropship makes use of an interesting feature of Dropbox uncovered by a hacker last month. Rather than waste storage space and bandwidth duplicating the same file uploaded by many users (for example, a popular PDF such as a tax form), the Dropbox server simply places a single copy in a public pool on the server and links to it from each Dropbox account -- even if the file has a different name. All this is done invisibly, and for each user it appears as if the file is contained in their own personal Dropbox (even if it's stored in a private rather than public folder).

The system uses checksum hashes -- a long series of hexadecimal characters -- to identify the duplicated file. Hackers discovered that, by supplying the hash at the right moment during a phony file upload, they can magically make the duplicated file in question appear in their Dropbox folder.

In other words, files can be shared instantly between Dropbox accounts without the need to download and upload them first.

The official Dropbox client doesn't support a feature like this, and encourages users simply to use their "Public" Dropbox folder to make files available for others.

The hackers have not uncovered a security flaw. An individual would need to deliberately share the hash of a file for the technique to work. Instead, the hackers simply spotted that the way Dropbox works makes it amenable to file sharing.
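The mechanism described above, as an added example that is not Dropbox's or Dropship's code: a toy content-addressed store that keeps one copy of each file in a shared pool, the weak path in which presenting a known hash is enough to link that file into an account, and a hardened path in which the server first challenges the client to prove it actually holds the bytes (a fresh nonce, answered with HMAC over the whole file). The store, the challenge scheme and the sample file content are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class DedupStore:
    """Toy content-addressed store. Every file is kept once in a shared pool,
    keyed by its SHA-256, and each account maps its own filenames to pool keys.
    Constructed for illustration; not Dropbox's implementation."""

    def __init__(self):
        self.pool = {}      # sha256 hex digest -> file bytes
        self.accounts = {}  # user -> {filename: sha256 hex digest}

    def upload(self, user, name, data):
        """Normal upload: the client sends the whole file."""
        digest = hashlib.sha256(data).hexdigest()
        self.pool.setdefault(digest, data)          # store once, share the bytes
        self.accounts.setdefault(user, {})[name] = digest
        return digest

    def claim_unchecked(self, user, name, digest):
        """Weak path: the server links the file into the account because the
        client presented a known hash. Anyone who learns the hash gets the file
        without ever having held it."""
        if digest not in self.pool:
            return False
        self.accounts.setdefault(user, {})[name] = digest
        return True

    def claim_with_proof(self, user, name, digest, responder):
        """Hardened path: before linking, the server issues a fresh nonce and
        expects HMAC(nonce, file bytes). Only a client holding the full file
        can answer; the hash alone is not enough. responder(nonce) is the
        client's side of the exchange."""
        if digest not in self.pool:
            return False
        nonce = secrets.token_bytes(16)
        expected = hmac.new(nonce, self.pool[digest], hashlib.sha256).digest()
        answer = responder(nonce)
        if not hmac.compare_digest(expected, answer):
            return False
        self.accounts.setdefault(user, {})[name] = digest
        return True


def holder_responder(data):
    """Client that really has the bytes and can answer the challenge."""
    return lambda nonce: hmac.new(nonce, data, hashlib.sha256).digest()


def hash_only_responder(digest):
    """Client that only knows the hash; the best it can do is guess."""
    return lambda nonce: hmac.new(nonce, digest.encode(), hashlib.sha256).digest()


def demo():
    """Run both paths against constructed data and report what happened."""
    store = DedupStore()
    tax_form = b"%PDF-1.4 constructed sample tax form\n" * 64   # constructed content

    # Two users upload the same bytes under different names: one pool entry.
    d1 = store.upload("alice", "f1040.pdf", tax_form)
    d2 = store.upload("bob", "taxes-2011.pdf", tax_form)

    # Carol never uploads. On the weak path the hash alone links the file in.
    weak_ok = store.claim_unchecked("carol", "got-it.pdf", d1)

    # With proof of possession the hash-only client is refused...
    pow_hash_only = store.claim_with_proof("dave", "x.pdf", d1, hash_only_responder(d1))
    # ...while a client that actually holds the file still benefits from dedup.
    pow_holder = store.claim_with_proof("erin", "y.pdf", d1, holder_responder(tax_form))

    return {
        "same_digest": d1 == d2,
        "pool_size": len(store.pool),
        "weak_claim_succeeds": weak_ok,
        "carol_has_file": store.accounts.get("carol", {}).get("got-it.pdf") == d1,
        "pow_rejects_hash_only": not pow_hash_only,
        "dave_has_file": "dave" in store.accounts,
        "pow_accepts_holder": pow_holder,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened path keeps the storage and bandwidth saving that motivates deduplication (Erin never sends the file either) while making the hash useless as a standalone claim ticket. The research literature calls this kind of check a proof of ownership; the single HMAC over the whole file used here is the simplest form and costs the client one pass over the data per claim.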

It didn't take long for Dropbox to learn of the hack, as Web consultant Dan DeFelippi discovered, and wrote about on his blog. First, Dropbox's CTO and cofounder Arash Ferdowsi asked "in a really civil way" if the creator of Dropship -- Wladimir van der Laan -- would take down the source code for the project. He complied, but by then both DeFelippi and another interested party were also offering the code.

Dropbox managed to get the other party to take down the code, but DeFelippi received a Digital Millennium Copyright Act (DMCA) request that claimed the Dropship code was copyrighted material. It wasn't, and was released under an open source license. When DeFelippi pointed out the request was bogus, Ferdowsi got in touch -- again in a "really civil" way -- and pointed out that he wasn't happy with how the Dropship client exposed the workings of the Dropbox client-server protocol.

However, DeFelippi held fast and refused to take down Dropship. He says Ferdowsi is aiming for "security by obscurity" which "falls flat on its face in this case since their client can be analyzed by anyone with the proper skills". He also says that the piracy concerns raised by Ferdowsi are something for Dropbox to handle, and claims Dropship has a ton of legitimate uses, such as "sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases".

And that's where the matter rests. The source code is still available although it's a command-line tool that requires some knowledge of Python to use properly. Nobody has yet created a graphical user interface for the code. That would propel Dropship into a new universe of users. No doubt Ferdowsi is praying this doesn't happen.

DeFelippi is keen to point out that Dropbox staff never threatened him or anybody else involved in the project, and he's happy to accept the explanation given by Dropbox that the DMCA notice he received was an error.

Somebody claiming to be "Drew from Dropbox" commented on the original Hacker News write-up of Dropship, saying that the company acted as it did because "when something pops up that encourages people to turn Dropbox into the next RapidShare or equivalent," it could "ruin the service for everyone."

But the fact is that Dropship is a genuinely useful extension of Dropbox. I can imagine coworkers using it to effortlessly share files, for example. Ultimately, I can't understand why Dropbox doesn't already integrate the feature, via a "Send file to" menu option or similar. To limit piracy -- such as the sharing of ripped DVD movies -- Dropbox could limit it to paid-for accounts, rather than free.

It's starting to feel as if one of the appealing features of Dropbox -- its overriding simplicity -- is also one of its hindrances. Dropbox's popularity has arisen because it makes the cloud accessible to every PC; after installing the client, users just copy a file to a magical folder for it to be duplicated online. There are few other features within the client software, and that's deliberate. However, this approach inspires others to find solutions for problems and be creative, which is what happened here.

In the technical implementation of Dropbox, things are also kept very simple, but this too is causing problems. It feels almost as if Dropbox is a technology designed for a more innocent age, when users could be trusted not to look too closely at how things work, or fiddle with software.

Dropbox is going to have to go back to the drawing board to figure out how best to continue offering its service, otherwise this kind of thing will keep on happening.


Stories by Keir Thomas