
Dropbox security flaw revealed

According to Bryant, a security researcher who took issue with Dropbox's claims about encryption filed an FTC complaint against the company and, in its response, the firm confirmed that users' files are hashed each time they are uploaded.

This means that if user A uploads, for example, a picture that produces a given hash, and user B later uploads a file with the same contents (and therefore the same hash), user B's copy is never actually transferred: the service simply links the existing copy into user B's account.

Put simply, he claims, users A and B then share access to user A's original file, without user A's permission.

Bryant says it may also be possible to upload an infected version of a popular file on other services and, when other users 'upload' the legitimate file, which would generate the same hash as the infected file, their Dropbox folder would be populated with the infected version.

This, he adds, has profound implications for the several million people who currently use the Dropbox service.

The Idappcom CEO claims that users can test the issue themselves by uploading the trailer for one of the latest cinema releases and watching Dropbox analyse the file and then, without transferring it from the user's machine, populate the test folder with a cloned copy of the trailer.

"Our researchers have suspected this was an issue before, but with Dropbox actually confirming the fact in its response to the FTC complaint, this really does put the icing on the cake", he said.

Wired, he explained, sums up the hashing issue by noting that "Dropbox saves storage space by analysing users' files before they are uploaded, using what's known as a hash - which is basically a short signature of the file based on its contents. If another Dropbox user has already stored that file, Dropbox doesn't actually upload the file, and simply 'adds' the file to the user's Dropbox."

This technical shortcut, says Bryant, is a potentially exploitable flaw on several levels, not least because, with a little subterfuge, a user could gain access to another user's Dropbox files if they are able to produce the correct hashes.
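The behaviour described above, reduced to a simulation added for this article (it is not Dropbox's code and does not come from the original report): a store that deduplicates across users on the content hash alone will hand a file to anyone who can present its hash, which is exactly the "gain access with the correct hash" problem Bryant describes. The second class shows one mitigation, a proof-of-ownership challenge that the client can only answer if it holds the whole file. The class and user names and the `TRAILER` byte string are constructed for the example. Note that the infected-file scenario from earlier in the article additionally needs two different files to produce the same hash, that is, a collision in the hash function; the example does not model that.

```python
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class NaiveDedupStore:
    """Cross-user deduplication keyed on the content hash alone.

    The client announces the hash first. If the blob is already stored,
    the server links it into the caller's account without ever asking
    for the bytes, so knowing the hash is as good as having the file.
    """

    def __init__(self):
        self.blobs = {}      # content hash -> bytes
        self.accounts = {}   # user -> {filename: content hash}

    def upload(self, user, filename, digest, data=None):
        """Return True if the bytes had to be sent, False if deduplicated."""
        if digest in self.blobs:
            # No proof required: the caller gets someone else's file.
            self.accounts.setdefault(user, {})[filename] = digest
            return False
        if data is None or sha256(data) != digest:
            raise ValueError("blob unknown: full contents required and must match hash")
        self.blobs[digest] = data
        self.accounts.setdefault(user, {})[filename] = digest
        return True

    def download(self, user, filename):
        return self.blobs[self.accounts[user][filename]]


class ProofOfOwnershipStore(NaiveDedupStore):
    """Same deduplication, but claiming an existing blob requires answering a
    fresh challenge computed over (nonce || full contents). The hash alone
    no longer suffices; a client that really has the file still avoids the
    transfer, so the storage saving is kept."""

    def __init__(self):
        super().__init__()
        self.pending = {}   # (user, digest) -> nonce

    def upload(self, user, filename, digest, data=None):
        if digest in self.blobs:
            raise PermissionError("blob exists: use challenge()/claim() to deduplicate")
        return super().upload(user, filename, digest, data)

    def challenge(self, user, digest):
        nonce = secrets.token_bytes(16)
        self.pending[(user, digest)] = nonce
        return nonce

    @staticmethod
    def respond(nonce, data):
        # Computed by the client over its own copy; the server recomputes it
        # over the stored copy. Only someone holding the bytes can match.
        return hashlib.sha256(nonce + data).hexdigest()

    def claim(self, user, filename, digest, response):
        nonce = self.pending.pop((user, digest), None)
        if nonce is None or digest not in self.blobs:
            raise PermissionError("no outstanding challenge or unknown blob")
        expected = self.respond(nonce, self.blobs[digest])
        if not hmac.compare_digest(expected, response):
            raise PermissionError("proof of ownership failed")
        self.accounts.setdefault(user, {})[filename] = digest


# Constructed stand-in for a popular file such as a movie trailer.
TRAILER = b"constructed sample bytes standing in for a movie trailer\n" * 2000


def demo_naive():
    """Bob knows only the hash (say, from a published checksum) and gets Alice's file."""
    store = NaiveDedupStore()
    store.upload("alice", "trailer.mp4", sha256(TRAILER), TRAILER)
    sent_bytes = store.upload("bob", "stolen.mp4", sha256(TRAILER))
    return sent_bytes, store.download("bob", "stolen.mp4") == TRAILER


def demo_proof_of_ownership():
    """Mallory (hash only) is refused; Carol (has the file) is still deduplicated."""
    store = ProofOfOwnershipStore()
    digest = sha256(TRAILER)
    store.upload("alice", "trailer.mp4", digest, TRAILER)
    nonce = store.challenge("mallory", digest)
    try:
        store.claim("mallory", "stolen.mp4", digest, store.respond(nonce, b""))
        mallory_linked = True
    except PermissionError:
        mallory_linked = False
    nonce = store.challenge("carol", digest)
    store.claim("carol", "trailer.mp4", digest, store.respond(nonce, TRAILER))
    return mallory_linked, store.download("carol", "trailer.mp4") == TRAILER


if __name__ == "__main__":
    print("naive store: bytes sent, bob got file ->", demo_naive())
    print("proof store: mallory linked, carol got file ->", demo_proof_of_ownership())
```

The naive store returns `(False, True)`: nothing was transferred and Bob can download Alice's file. The hardened store returns `(False, True)` for the opposite reason: Mallory's claim is refused, while Carol, who genuinely holds the file, is deduplicated without re-sending it. The nonce is per-claim, so a captured response cannot be replayed, and the comparison uses `hmac.compare_digest` to avoid a timing side channel.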

"The big question is how many variations of the hash-tags there are on the Dropbox system. In theory, at least, it should be able to generate a large number of free accounts and upload a suitable combination of files, share them with another user, then download them," he said.