The collision attacks outlined above still work, with a regular Dropbox account, no dropship needed. You can create 100,000 attack files, and then upload each one. The ones that don't actually transmit bytes show you that the file exists. (E.g., a highly regular file like some health or banking record...)
It's just watching if de-duplication happens or not.
They need to patch that hole, I think by requiring everything to upload, then deduplicate on the server...
Which is another way of saying what speleding points out.
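An added illustration, not part of the comment above and not Dropbox's actual protocol: a toy store that contrasts hash-first, client-side de-duplication with the "upload everything, then deduplicate on the server" fix. `ToyStore`, its methods and the sample records are hypothetical, constructed for this example.

```python
import hashlib


class ToyStore:
    """Constructed stand-in for a deduplicating storage backend."""

    def __init__(self, client_side_dedup: bool):
        self.client_side_dedup = client_side_dedup
        self.blobs = {}  # sha256 hex -> content, shared across all accounts

    def upload(self, data: bytes) -> int:
        """Store data and return how many bytes the client had to send."""
        digest = hashlib.sha256(data).hexdigest()
        if self.client_side_dedup:
            # Hash-first: the client sends the digest, and the content only
            # if the server lacks it. A skipped transfer is visible to the
            # uploader, which is the signal the comment describes.
            sent = len(digest)
            if digest not in self.blobs:
                self.blobs[digest] = data
                sent += len(data)
            return sent
        # Fix: content always travels; de-duplication happens after receipt,
        # so upload cost no longer depends on what is already stored.
        self.blobs.setdefault(digest, data)
        return len(data)


def transfer_reveals_existence(store: ToyStore, known: bytes, unknown: bytes) -> bool:
    """True if upload cost differs between a stored and an unstored file of equal size."""
    return store.upload(known) != store.upload(unknown)


def demo() -> dict:
    record = b"constructed sample record 0001"  # constructed sample data
    other = b"constructed sample record 0002"   # same length, never stored
    results = {}
    for mode in (True, False):
        store = ToyStore(client_side_dedup=mode)
        store.upload(record)  # another account has already stored this
        results[mode] = transfer_reveals_existence(store, record, other)
    return results


if __name__ == "__main__":
    print(demo())
```

The server-side variant still stores each blob once, so the storage saving is kept; what is given up is the bandwidth saving.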