Dropbox let me down

UPDATE: Dropbox answered, denies it, and thinks it’s my error. See below.

Even though there were rumors that Dropbox could access files, I somehow felt safe having everything in there that I consider private documents. This changed this weekend.

A friend messaged me, telling me that I might have mistakenly moved a certain private document into a shared folder. Shocked (I thought no one had ever seen this document), I looked at the shared folder, but the document couldn’t be found, neither in the iOS app nor on the Mac. I asked my friend to send me screenshots, and he had the file there and could also tell me the contents. (I don’t blame him, I’d have looked at it too.)

Here are the screenshots. His is the Android screenshot with the critical file circled (“Eurowerte.doc”, which is in another folder called “Tim” in my Dropbox that I never ever shared):

[Screenshot: 2013-11-21]

I added two screenshots, one from my web login and one from my Finder. My web login (not showing Eurowerte.doc):

[Screenshot: mine]

… and my Finder window, also not showing the file:

[Screenshot: mine_mac]


This means I couldn’t delete that file, and I have no idea at all which of my other files appear in other people’s Dropboxes. I share a lot of folders via Dropbox, partly at work, partly privately, but I’m 100% certain that I never shared that particular file. I have never experienced something like this before. But it clearly shows two things:

  1. Dropbox does in no way encrypt anything serverside, but they decrypt it for anyone else using their service, effectively making the encryption only protect the physical hard drives, in case they get stolen or accessed by non-Dropbox software. In any case it’s no encryption that can only be decrypted by “your” Dropbox user, and there’s also no kind of sandbox in place, so in case of a bug those files can be accessed by other users.
  2. There are bugs that can let any of your files show up somewhere else. Still.


Technically, I guess this was a rare case of hash collision. Nevertheless, I have to move critical stuff out of Dropbox, sadly. I wanted to trust you, but you’ve let me down.

UPDATE: I’ve contacted Dropbox about this, let’s see if they answer.

UPDATE 2: They answered this:

Hi Tim,

Thanks for reaching out to us about this.

You shared the “RPG” folder via a shared link on 2013-10-17 at 18:43:48 (UTC). A shared link is a semi-public, read-only link to any file or folder in your Dropbox folder via the Dropbox website or desktop application. You can read about it in our help center here:

https://www.dropbox.com/help/167

You can also review current links and delete them here:
https://www.dropbox.com/links

The first thing that stands out from your screenshots is that the “Teller” & “RPG Floorplans” folders are not shared folders. This indicates that the entire RPG folder was added to your friend’s account using a Shared Link and added to their Dropbox using the “Add to my Dropbox” feature. This feature makes a static copy of the files as they appear in the Web Link.

I think this explains the confusion. Please provide the email address of your friend if you would like me to look into the issue further.

We would really appreciate it if you would also take some time to correct some of the things you posted in your blog post:

>”1. Dropbox does in no way encrypt anything serverside”

This is false. Files are stored using 256-bit AES encryption. Data is split into individual discrete file blocks, each encrypted for storage using an AES-256 cipher. For more information on our security policy, please see our security overview:

http://www.dropbox.com/security

>”2. There are bugs that can let any of your files show up somewhere else.”

This also appears to be false, and not a case of a hash collision.

Let me know if you have any further questions.

Best,
Sean

This appears to be false? No, it is proven to be true. That it’s a case of hash collision was just an educated guess; of course it can be any other kind of bug. I also checked my links, but I have never shared or linked to that file. Also, I don’t hate Dropbox; in fact, I like the service a lot. But if there’s a bug that came into my line of sight more or less accidentally and usually wouldn’t have been found, I expect Dropbox to find and fix it.

Posted Monday, November 25th, 2013 under Business.
