The disclosure comes after a test of the service found that several “.doc” files were opened after being uploaded to Dropbox.
Dropbox’s behavior was detected using HoneyDocs, a new Web-based service that creates a log showing when and where a document was opened, according to a blog post at WNC InfoSec.
The experiment involved uploading to Dropbox “.zip” HoneyDocs folders with embedded “.doc” files. HoneyDocs lets users set up a “sting,” or a notification that is sent by SMS or email when a file has been viewed. Where the file has been viewed from is plotted on a map.
The callback, or as HoneyDocs calls it a “buzz,” is an HTTP Get request with a unique identifiers assigned to a sting. The data on when and where the file has been opened is sent over SSL port 443, according to HoneyDocs.
WNC InfoSec wrote the first buzz came back within 10 minutes after a file was uploaded with the IP address of an Amazon EC2 instance in Seattle. Dropbox uses Amazon’s cloud infrastructure.
Of the submitted files, only “.doc” files had been opened, WNC Infosec wrote. HoneyDocs also pulled information on the type of application which accessed the document, which in this case was the open-source productivity suite LibreOffice.
“Unlike Facebook, for example, uploading documents to Dropbox does not give the company the right to do what it wishes with them. You own your data, not Dropbox. And the company promises not to use your data for its own purposes.”
What if, as a protest against spying, thousands of people used something like the DummyFile Creator ( http://www.mynikko.com/dummy/ ) or BlankFileGenerator ( http://nookkin.com/download/info.php?file=BlankFileGenerator.exe) to create a bunch of fake files and uploaded them to free cloud space? You can name them anything, like “GovtSecrets.doc” or “WikiLeaks.pdf”. Actually I’d like one that generates random files that are random sized (within a certain range I specify) and randomly named with one or more extensions and starting data blocks I specify. Anyone have a toy like that?