undefined | Better HN

0 pointsalmost15y ago0 comments

Is it really shared between accounts? So for example if I knew someone with Dropbox had a file that could have one of several contents and I wanted to know which of those contents they had I could try uploading the different versions and see which one uploaded faster?

A little far fetched maybe, but I'm sure there's a way to exploit something somewhere using that....

0 comments

3 comments · 3 top-level

gst15y ago

Yes - this should work.

There are even other ways how you might be able to exploit this. I don't exactly know how Dropbox verifies if your file is already on the server. But if they only check a hash of the file it might be sufficient to know the hash of any file stored on Dropbox to gain access to the full file.

Of course, this is just a speculation and there might be more security precautions in place. Such as, e.g., sending the client various challenges about the hashes of particular byte ranges.

In addition, also the copyright implications of this are interesting. Consider that you've shared a directory with your friends and that you upload some copyrighted movie (that is already on their servers and not really uploaded). Are you then the one liable for the damages (if sued), or is the original (first) uploader of the file liable?

riobard15y ago

You can test this with relatively large files. If a 100mb file finishes syncing to Dropbox within seconds over a slow DSL, you can be pretty sure that someone has already uploaded a copy there before you do.

AdamTReineke15y ago

Yes. I threw a 20MB e-book PDF into my Dropbox and it was instantly marked as uploaded. The only exploit would be that you could determine if a specific file was uploaded, not how many people had copies of the file or who those people were.

j / k navigate · click thread line to collapse