This article exposes another design flaw in the Dropbox architecture. I’m going to explain a hack that enables you to download content belonging to others on Dropbox. The article builds on a previous article that explains the main idea of the Dropbox upload protocol.
Consider a popular piece of data, for example the disk image of the latest Ubuntu Linux. You can be sure that someone out there has it in their Dropbox folder. Imagine you could get your hands on the hashes of all the chunks of the Ubuntu disk image file. For example, you could imagine someone running a website that records the chunk hashes of popular files of this sort. What could you do with these hashes?
You have the hashes. You don’t have the file, nor do you have any friends who have the file. You could (relatively easily) hack the Dropbox client to do the following. It will tell the server that you are about to upload a new file. The server will ask about the hashes of this file. Your (hacked) client will return the hashes of the Ubuntu disk image. Since the disk image is already inside Dropbox, the server will say “You don’t need to do the upload. I’ve got the contents right here. I’m just going to make a note that you have this file in your directory.” At this point, you can log into Dropbox (with a non-hacked client) and download the Ubuntu disk image as “your own” file.
Make of this what you will, but this exploit is an undesirable side effect of Dropbox’s upload protocol.
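The server-side decision described above, as an added example that is not part of the original article and is not Dropbox's code or protocol: a toy in-memory deduplicating store in which a hash list alone is enough to link a file, next to a variant that requires an HMAC over the chunk bytes under a fresh nonce before linking. The class, method and user names and the proof-of-possession check are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

class DedupStore:
    """Toy cross-user dedup store; a constructed model, not Dropbox's API."""
    def __init__(self, require_proof):
        self.require_proof = require_proof
        self.chunks = {}   # sha256 hex -> chunk bytes, shared by all users
        self.files = {}    # (user, name) -> list of chunk hashes
        self.pending = {}  # (user, chunk hash) -> nonce awaiting a proof

    def upload(self, user, name, data_chunks):  # ordinary upload: bytes are sent
        hashes = [hashlib.sha256(c).hexdigest() for c in data_chunks]
        self.chunks.update(zip(hashes, data_chunks))
        self.files[(user, name)] = hashes
        return hashes

    def challenge(self, user, chunk_hash):
        """Issue a one-time nonce the client must use to MAC the chunk bytes."""
        self.pending[(user, chunk_hash)] = os.urandom(16)
        return self.pending[(user, chunk_hash)]

    def commit_by_hash(self, user, name, hashes, proofs=()):
        """Link already-stored chunks to a user's file, skipping the upload."""
        if any(h not in self.chunks for h in hashes):
            return False  # unknown chunk: a real upload would be needed
        if self.require_proof:  # assumed mitigation: prove possession per chunk
            if len(proofs) != len(hashes):
                return False
            for h, proof in zip(hashes, proofs):
                nonce = self.pending.pop((user, h), None)
                if nonce is None:
                    return False
                want = hmac.new(nonce, self.chunks[h], hashlib.sha256).digest()
                if not hmac.compare_digest(want, proof):
                    return False
        self.files[(user, name)] = list(hashes)
        return True

def demo(require_proof):
    store = DedupStore(require_proof)
    image = [b"constructed chunk A" * 4, b"constructed chunk B" * 4]
    hashes = store.upload("alice", "ubuntu.iso", image)
    hash_only = store.commit_by_hash("mallory", "ubuntu.iso", hashes)  # no bytes
    proofs = [hmac.new(store.challenge("bob", h), c, hashlib.sha256).digest()
              for h, c in zip(hashes, image)]  # bob really holds the chunks
    with_bytes = store.commit_by_hash("bob", "ubuntu.iso", hashes, proofs)
    return hash_only, with_bytes
```

`demo(False)` returns `(True, True)` and `demo(True)` returns `(False, True)`: with the check in place, the upload is skipped only for a client that can show it holds the bytes, so deduplication still saves the transfer for legitimate holders.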