Bienvenido! - Willkommen! - Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Tuesday, August 23, 2011

dropship - Dropbox API utilities

Dropship is an open source software project that takes advantage of security flaws in the Dropbox API. The software has since been mirrored widely.
"Dropbox Attempts to Kill Open Source Project", DeFelippi, Dan (2011-04-25).
Source
These utilities make use of the deduplication scheme of Dropbox to allow for "teleporting" files into your Dropbox account given only a list of hashes, provided of course that the files already exist on their servers. This enables arbitrary, anonymous transfers of files between Dropbox accounts.
This package includes:
  • dropship: Inject a file into your account using a JSON description.
  • hash_blocks: Produce a description from a file that can be used with dropship.
How does it work?
The deduplication scheme used by Dropbox works by breaking files into blocks. Each of these blocks is hashed with the SHA256 algorithm and represented by the digest. Only blocks that are not yet known are uploaded to the server when syncing.
By using the same API as the native client, Dropship pretends to sync a file to the Dropbox folder without actually having the contents. This bluff succeeds because the only proof needed server-side is the hash of each 4 MB block of the file, which is known. The server then adds the file metadata to the folder, which is, as usual, propagated to all clients. These will then start downloading the file.
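The weakness described above, modeled as an added example that is not code from Dropship or Dropbox: a toy in-memory store that accepts a block hash as proof of possession, next to a variant that only counts blocks the committing account actually uploaded. The `DedupStore` class, the account names and the 8-byte demo block size are assumptions of this example, and the ownership check is one possible server-side mitigation, not a description of what Dropbox deployed.

```python
import hashlib

BLOCK_SIZE = 4 * 1024 * 1024  # 4 MB blocks, as described above


def hash_blocks(data, block_size=BLOCK_SIZE):
    """Return the SHA-256 hex digest of each block of `data`."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


class DedupStore:
    """Toy in-memory deduplicating store (constructed model, not Dropbox's API)."""

    def __init__(self, require_ownership):
        self.require_ownership = require_ownership
        self.blocks = {}  # digest -> bytes, stored once for all accounts
        self.owners = {}  # digest -> accounts that actually sent the bytes
        self.files = {}   # (account, name) -> list of digests

    def upload_block(self, account, block):
        digest = hashlib.sha256(block).hexdigest()
        self.blocks[digest] = block
        self.owners.setdefault(digest, set()).add(account)
        return digest

    def commit(self, account, name, digests):
        """Return digests the client must still upload; add the file if none."""
        if self.require_ownership:
            # Hardened: a digest counts only if this account sent the bytes.
            needed = [d for d in digests if account not in self.owners.get(d, ())]
        else:
            # Weak: knowing the digest of a stored block is accepted as proof.
            needed = [d for d in digests if d not in self.blocks]
        if not needed:
            self.files[(account, name)] = list(digests)
        return needed


def demo(require_ownership):
    """alice uploads a file; bob commits it knowing only the block hashes."""
    store = DedupStore(require_ownership)
    data = b"A" * 10 + b"B" * 6  # constructed sample; 8-byte blocks for brevity
    for i in range(0, len(data), 8):
        store.upload_block("alice", data[i:i + 8])
    description = hash_blocks(data, block_size=8)
    needed = store.commit("bob", "copy.bin", description)
    return description, needed, ("bob", "copy.bin") in store.files
```

With `require_ownership=False` the file appears in bob's account without any bytes being sent; with `True` the store asks bob for every block, while still keeping a single stored copy per digest.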
