Dropbox: A file sharer's dream tool?

Hackers have found a way to make Dropbox offer a BitTorrent-like file sharing service, but Dropbox management is not happy.

The folks behind Dropbox have not been having an easy time recently. First it was suggested their PC client might be insecure, then changes in their terms and conditions raised security concerns.

Now Dropbox's management is accused of trying to kill an intriguing open source project that turns the cloud storage service into a file sharing network.

Dropship makes use of an interesting feature of Dropbox uncovered by a hacker last month. Rather than waste storage space and bandwidth duplicating the same file uploaded by many users (for example, a popular PDF such as a tax form), the Dropbox server simply places a single copy in a public pool on the server and links to it from each Dropbox account -- even if the file has a different name. All this is done invisibly, and for each user it appears as if the file is contained in their own personal Dropbox (even if it's stored in a private rather than public folder).

The system uses checksum hashes -- a long series of hexadecimal characters -- to identify the duplicated file. Hackers discovered that, by supplying the hash at the right moment during a phony file upload, they can magically make the duplicated file in question appear in their Dropbox folder.

In other words, files can be instantly shared between Dropbox cloud storage accounts without the need to download and upload them first.
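As an added illustration (not code from Dropship or Dropbox), the following simplified model shows why hash-only deduplication turns the hash into a bearer token for the file, next to one possible hardening in which the server asks for proof that the client holds the bytes. The class and method names, the use of SHA-256, and the HMAC challenge are assumptions made for the example; the article only says "checksum hashes".

```python
import hashlib, hmac, os

class DedupStore:
    """Toy single-copy store keyed by SHA-256 (not Dropbox's real protocol)."""

    def __init__(self):
        self.pool = {}       # digest -> bytes, one shared copy per content
        self.accounts = {}   # user -> {filename: digest}
        self.nonces = {}     # user -> outstanding challenge nonce

    def _link(self, user, name, digest):
        self.accounts.setdefault(user, {})[name] = digest
        return True

    def upload(self, user, name, data):
        digest = hashlib.sha256(data).hexdigest()
        self.pool.setdefault(digest, data)
        self._link(user, name, digest)
        return digest

    def link_by_hash(self, user, name, digest):
        # Hash-only dedup: the digest alone acts as a bearer token for the file.
        return digest in self.pool and self._link(user, name, digest)

    def challenge(self, user):
        self.nonces[user] = os.urandom(16)   # fresh, single-use nonce
        return self.nonces[user]

    def link_with_proof(self, user, name, digest, proof):
        # Hardened: require HMAC(nonce, content), which needs the actual bytes.
        nonce, data = self.nonces.pop(user, None), self.pool.get(digest)
        if nonce is None or data is None:
            return False
        expected = hmac.new(nonce, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof) and self._link(user, name, digest)

    def read(self, user, name):
        return self.pool[self.accounts[user][name]]

def demo():
    store = DedupStore()
    content = b"constructed sample bytes standing in for a shared PDF"
    digest = store.upload("alice", "form.pdf", content)
    hash_only = store.link_by_hash("bob", "copy.pdf", digest)   # hash suffices
    nonce = store.challenge("carol")                            # carol has only the hash
    guess = hmac.new(nonce, digest.encode(), hashlib.sha256).digest()
    rejected = store.link_with_proof("carol", "copy.pdf", digest, guess)
    nonce = store.challenge("dave")                             # dave holds the bytes
    proof = hmac.new(nonce, content, hashlib.sha256).digest()
    accepted = store.link_with_proof("dave", "copy.pdf", digest, proof)
    return hash_only, rejected, accepted
```

With the proof step, a client that already has the file can still skip the upload, but a hash passed around on its own no longer links the content into another account.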

The official Dropbox client doesn't support a feature like this, and encourages users simply to use their "Public" Dropbox folder to make files available for others.

The hackers have not uncovered a security flaw. An individual would need to deliberately share the hash of a file for the technique to work. Instead, the hackers simply spotted that the way Dropbox works makes it amenable to file sharing.

It didn't take long for Dropbox to learn of the hack, as Web consultant Dan DeFelippi discovered and wrote about on his blog. First, Dropbox's CTO and cofounder Arash Ferdowsi asked "in a really civil way" if the creator of Dropship -- Wladimir van der Laan -- would take down the source code for the project. He complied, but by then both DeFelippi and another interested party were also offering the code.

Dropbox managed to get the other party to take down the code, but DeFelippi received a Digital Millennium Copyright Act (DMCA) request that claimed the Dropship code was copyrighted material. It wasn't, and was released under an open source license. When DeFelippi pointed out the request was bogus, Ferdowsi got in touch -- again in a "really civil" way -- and pointed out that he wasn't happy with how the Dropship client exposed the workings of the Dropbox client-server protocol.

However, DeFelippi held fast and refused to take down Dropship. He says Ferdowsi is aiming for "security by obscurity" which "falls flat on its face in this case since their client can be analyzed by anyone with the proper skills". He also says that the piracy concerns raised by Ferdowsi are something for Dropbox to handle, and claims Dropship has a ton of legitimate uses, such as "sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases".

And that's where the matter rests. The source code is still available although it's a command-line tool that requires some knowledge of Python to use properly. Nobody has yet created a graphical user interface for the code. That would propel Dropship into a new universe of users. No doubt Ferdowsi is praying this doesn't happen.

DeFelippi is keen to point out that Dropbox staff never threatened him or anybody else involved in the project, and he's happy to accept the explanation given by Dropbox that the DMCA notice he received was an error.

Somebody claiming to be "Drew from Dropbox" commented on the original Hacker News write-up of Dropship, saying that the company acted as it did because "when something pops up that encourages people to turn Dropbox into the next RapidShare or equivalent," it could "ruin the service for everyone."

But the fact is that Dropship is a genuinely useful extension of Dropbox. I can imagine coworkers using it to effortlessly share files, for example. Ultimately, I can't understand why Dropbox doesn't already integrate the feature, via a "Send file to" menu option or similar. To limit piracy -- such as the sharing of ripped DVD movies -- Dropbox could limit it to paid-for accounts, rather than free.

It's starting to feel as if one of the appealing features of Dropbox -- its overriding simplicity -- is also one of its hindrances. Dropbox's popularity has arisen because it makes the cloud accessible to every PC; after installing the client, users just copy a file to a magical folder for it to be duplicated online. There are few other features within the client software and that's deliberate. However, this approach inspires others to find solutions for problems and be creative, which is what happened here.

In the technical implementation of Dropbox things are also kept very simple but this is also causing problems. It feels almost as if Dropbox is a technology designed for a more innocent age, when users could be trusted not to look too closely at how things work, or fiddle with software.

Dropbox is going to have to go back to the drawing board to figure out how best to continue offering its service, otherwise this kind of thing will keep on happening.


Keir Thomas

PC World (US online)