Dropbox, a free cloud based service which has over 25 million subscribers, has found itself in a bit of a pickle after a user found out that they could access files uploaded by a user and could do so without the password or user consent.
According to Christopher Soghoian, a PhD student at the School of Informatics and Computing at Indiana University, “Dropbox de-duplicates the files that its users have stored online. This means that if two different users store the same file in their respective accounts, Dropbox will only actually store a single copy of the file on its servers.
The service tells users that it uses the same secure methods as banks and the military to send and store your data and that all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password. However, the company does in fact have access to the unencrypted data (if it didn't, it wouldn't be able to detect duplicate data across different accounts).”
The de-duplication was tested by uploading new randomly generated 6.8MB file to dropbox which lead to 7.4MB of network traffic, while a 6.4MB file that had been previously uploaded to a different dropbox account lead to just 16KB in network traffic. That means that Dropbox was able to detect the contents of the uploaded files and make changes to the one which had similar content by adding the bits that it had missing. Soghoian also states that the AES-256 used by Dropbox is useless against attacks if the encryption key isn't kept private.
The US Federal Trade Commission (FTC) has received a complaint about the deceptive trade practices by Dropbox and is currently looking into the matter.