Future of Dropship
Dropbox fixed the deduplication behavior serverside to prevent „injection” of files you don’t actually have. But I supposed it has sense only in API case, where Dropship was an easier way to bring theoretical quick exchanging files into effect. (Dropship avoids all of the complicated stuff with decompilation, reverse engineering, etc; its interface was prepared, thus, it was enough just to inject hash just into protocol). I presume that someone will do that again — will prepare some kind of a loader which will be working on Dropbox loaded into computer’s memory, not on API anymore.
This subject became very popular. I think that someone is trying to do that right now. Even if Dropbox API has been changed on the server-side, the same shouldn’t be done in the case of NORMAL protocol in order to protect bandwidth of users and Dropbox servers. I think that this issue is still open, but it’s just better obfuscated now. And here we come back to my old article about theoretical vulnerability.
Protection against Dropship functionality
- The already changed behaviour of server-side — doesn’t let people who use API to upload files which they just don’t have
- In the case of NORMAL Dropbox – the server may ask a Dropbox client about a few random bytes from an uploading file, in order to check if somebody really posseses the specified files (hash + random bytes of file). But… in future another kind of Dropship may have a managing server which could be used for exchanging these chunks between users.
- Using random key, generated by server-side, to cipher 4MB block of data on user’s device, and then counting hash and compare it with the one created on server-side. It is better than asking about random bytes, because a key can be longer, a ciphering method can be time-consuming, and the whole process of „authentication” will be more difficult to implement on some kind of ext-managing-servers
What wrong can Dropship do?
- Naturally, not intentionally – can be used to unauthorized files exchanging.
- It can be used for guesing content of files in Dropbox cloud — an example with oil prices sending in plain text in .txt file (comment on Dan’s blog)