Dropbox sure has been in the news a lot lately. Two weeks ago Neowin reported that a major security flaw in the service can expose customer files to anyone on the Internet. Now it appears that the company has been trying to shut down an open source project called Dropship, a tool that allows Dropbox users to share private files using only the hash of a file.
According to Dan DeFelippi, Dropbox has been sending out emails to anyone hosting a mirror of the Dropship product. In addition, the company put a freeze on his account claiming a DMCA violation due to hosting a copy of the project in his account. Although they claimed this was an “accident” and have since removed the freeze, it’s still curious that Dropbox would be so adamant in trying to shut down the open source project.
Apparently Dropbox is concerned about “their proprietary client-server protocol and that it could be used for piracy,” but it seems that this is simply another attempt to cover up a flaw in the way Dropbox handles its files. Similar to the report from two weeks ago where a user can “pretend” to be part of someone else’s mesh, in this case an attacker can potentially take an individual file from an unsuspecting customer if they are able to identify the hash.