Dropbox: A file sharer's dream tool?

Hackers have found a way to make Dropbox offer a BitTorrent-like file sharing service, but Dropbox management is not happy.

The folks behind Dropbox have not been having an easy time recently. First it was suggested their PC client might be insecure, then changes in their terms and conditions raised security concerns.

Now Dropbox's management is accused of trying to kill an intriguing open source project that turns the cloud storage service into a file sharing network.

Dropship makes use of an interesting feature of Dropbox uncovered by a hacker last month. Rather than waste storage space and bandwidth duplicating the same file uploaded by many users (for example, a popular PDF such as a tax form), the Dropbox server simply places a single copy in a public pool on the server and links to it from each Dropbox account -- even if the file has a different name. All this is done invisibly, and for each user it appears as if the file is contained in their own personal Dropbox (even if it's stored in a private rather than public folder).

The system uses checksum hashes -- a long series of hexadecimal characters -- to identify the duplicated file. Hackers discovered that, by supplying the hash at the right moment during a phony file upload, they can magically make the duplicated file in question appear in their Dropbox folder.

In other words, files can be instantly shared between Dropbox cloud storage accounts without the need to download and upload them first.
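The hash-keyed deduplication described above can be modelled in a few lines. This is an added example, not Dropship's code and not Dropbox's protocol: `DedupStore`, `announce`, `upload` and `prove` are hypothetical names, and the nonce-keyed HMAC over the stored bytes is one assumed way a server could tell "has the file" apart from "knows the hash".

```python
import hashlib, hmac, os

class DedupStore:
    """Toy model: one blob per SHA-256 digest, linked from many accounts."""
    def __init__(self, require_proof):
        self.blobs = {}       # digest -> bytes (the shared pool)
        self.accounts = {}    # user -> {filename: digest}
        self.pending = {}     # (user, digest) -> challenge nonce
        self.require_proof = require_proof

    def _link(self, user, name, digest):
        self.accounts.setdefault(user, {})[name] = digest

    def announce(self, user, name, digest):
        """Client offers a file by hash; server decides whether it needs the bytes."""
        if digest not in self.blobs:
            return ("send_data", None)
        if not self.require_proof:
            self._link(user, name, digest)   # hash alone is treated as possession
            return ("linked", None)
        nonce = os.urandom(16)
        self.pending[(user, digest)] = nonce
        return ("challenge", nonce)

    def upload(self, user, name, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)
        self._link(user, name, digest)

    def prove(self, user, name, digest, response):
        """Link only if the client can MAC the stored bytes under a fresh nonce."""
        nonce = self.pending.pop((user, digest), None)
        if nonce is None:
            return False
        expected = hmac.new(nonce, self.blobs[digest], hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self._link(user, name, digest)
            return True
        return False

def has_file(store, user, name):
    return name in store.accounts.get(user, {})

def run(require_proof):
    data = b"constructed sample bytes standing in for a popular PDF"
    digest = hashlib.sha256(data).hexdigest()
    store = DedupStore(require_proof)
    store.upload("alice", "form.pdf", data)
    status, nonce = store.announce("bob", "copy.pdf", digest)   # bob holds only the hash
    if status == "challenge":
        store.prove("bob", "copy.pdf", digest, hmac.new(nonce, digest.encode(), hashlib.sha256).digest())
        _, n2 = store.announce("carol", "mine.pdf", digest)     # carol holds the bytes
        store.prove("carol", "mine.pdf", digest, hmac.new(n2, data, hashlib.sha256).digest())
    return status, has_file(store, "bob", "copy.pdf"), has_file(store, "carol", "mine.pdf")
```

`run(False)` shows the behaviour the article describes, where the hash alone links the file into a second account; `run(True)` shows the same request refused unless the client can answer with the file's actual bytes.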

The official Dropbox client doesn't support a feature like this, and encourages users simply to use their "Public" Dropbox folder to make files available for others.

The hackers have not uncovered a security flaw. An individual would need to deliberately share the hash of a file for the technique to work. Instead, the hackers simply spotted that the way Dropbox works makes it amenable to file sharing.

It didn't take long for Dropbox to learn of the hack, as Web consultant Dan DeFelippi discovered and wrote about on his blog. First, Dropbox's CTO and cofounder Arash Ferdowsi asked "in a really civil way" if the creator of Dropship -- Wladimir van der Laan -- would take down the source code for the project. He complied, but by then both DeFelippi and another interested party were also offering the code.

Dropbox managed to get the other party to take down the code, but DeFelippi received a Digital Millennium Copyright Act (DMCA) request that claimed the Dropship code was copyrighted material. It wasn't, and was released under an open source license. When DeFelippi pointed out the request was bogus, Ferdowsi got in touch -- again in a "really civil" way -- and pointed out that he wasn't happy with how the Dropship client exposed the workings of the Dropbox client-server protocol.

However, DeFelippi held fast and refused to take down Dropship. He says Ferdowsi is aiming for "security by obscurity" which "falls flat on its face in this case since their client can be analyzed by anyone with the proper skills". He also says that the piracy concerns raised by Ferdowsi are something for Dropbox to handle, and claims Dropship has a ton of legitimate uses, such as "sharing photos, videos, public datasets, git-like source control, or even as building block for wiki-like distributed databases".

And that's where the matter rests. The source code is still available although it's a command-line tool that requires some knowledge of Python to use properly. Nobody has yet created a graphical user interface for the code. That would propel Dropship into a new universe of users. No doubt Ferdowsi is praying this doesn't happen.

DeFelippi is keen to point out that Dropbox staff never threatened him or anybody else involved in the project, and he's happy to accept the explanation given by Dropbox that the DMCA notice he received was an error.

Somebody claiming to be "Drew from Dropbox" commented on the original Hacker News write-up of Dropship, saying that the company acted as it did because "when something pops up that encourages people to turn Dropbox into the next RapidShare or equivalent," it could "ruin the service for everyone."

But the fact is that Dropship is a genuinely useful extension of Dropbox. I can imagine coworkers using it to effortlessly share files, for example. Ultimately, I can't understand why Dropbox doesn't already integrate the feature, via a "Send file to" menu option or similar. To limit piracy -- such as the sharing of ripped DVD movies -- Dropbox could limit it to paid-for accounts, rather than free.

It's starting to feel as if one of the appealing features of Dropbox -- its overriding simplicity -- is also one of its hindrances. Dropbox's popularity has arisen because it makes the cloud accessible to every PC; after installing the client, users just copy a file to a magical folder for it to be duplicated online. There are few other features within the client software and that's deliberate. However, this approach inspires others to find solutions for problems and be creative, which is what happened here.

Things are also kept very simple in the technical implementation of Dropbox, but this too is causing problems. It feels almost as if Dropbox is a technology designed for a more innocent age, when users could be trusted not to look too closely at how things work, or fiddle with software.

Dropbox is going to have to go back to the drawing board to figure out how best to continue offering its service, otherwise this kind of thing will keep on happening.


Keir Thomas

PC World (US online)