Dropbox…opening my docs?

 

I had the opportunity recently to beta-test HoneyDocs, a web app that generates documents that can ‘buzz home.’ This is done by a unique, embedded GET request that is initiated when the generated document has been opened.

Several use cases came to mind, but I was most interested in seeing if my cloud storage services were manipulating my files in a way that I may not have been aware of.

My experience:

Uploaded Documents to Dropbox Personal Account with Private Folders (not shared)

  • Uploaded “passwords” documents generated by HoneyDocs.
  • These were uploaded with both the client application as well as the web interface.

What’s this? A ‘Buzz’ from the recently uploaded documents?

  • The first successful ‘buzz’ took approximately 10 minutes.
  • I attempted to re-create this by deleting the files in question and re-uploading the same HoneyDocs files, but was unable to get further ‘buzz backs’ with the same files.
  • The IP appears to be an Amazon EC2 instance in Seattle.

So now I’m curious…are the files being accessed for de-duplication purposes or possibly malware scanning?  If so, then why are the other file types not being opened?  It appears that only .doc files are being opened…

I then uploaded more HoneyDocs files to my Dropbox folder, this time from a different computer and ISP to rule out any of those variables.

All .doc embedded HoneyDocs appear to have been accessed…from different Amazon EC2 instance IPs.

Further digging into the HoneyDocs data reveals a suspicious User Agent, LibreOffice.  Now I’m curious if this is still an automated process or one that involves human interaction? [Update: As better explained here, this is certainly automated and not as suspicious]

All in all, I made 3 attempts to upload embedded documents and all appeared to be opened from different Amazon instances.  This could have something to do with how Dropbox’s storage architecture is configured while utilizing Amazon S3 buckets.

Regardless, the .doc files seemed to have been opened for some reason.  I’d like to know why…

If you are curious, I encourage you to test it out on your own!  You can sign up for a free HoneyDocs account here.

[Update:  Please check out the follow-up to this post here]
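
The bookkeeping behind the experiment above, as an added example that is not part of the original post and is not HoneyDocs’ code: it matches beacon requests in a web-server log to the documents they were embedded in, and reports source IP, User-Agent, delay since upload, and which files never called back. The tokens, the `/b?t=` URL shape, the addresses and the log lines are all constructed for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed registry: token -> (file name, upload time). The "/b?t=" beacon
# URL shape is an assumption, not HoneyDocs' real format.
UTC = timezone.utc
TOKENS = {
    "tok-doc-1": ("passwords.doc", datetime(2013, 1, 1, 12, 0, tzinfo=UTC)),
    "tok-doc-2": ("passwords2.doc", datetime(2013, 1, 1, 15, 0, tzinfo=UTC)),
    "tok-pdf-1": ("passwords.pdf", datetime(2013, 1, 1, 12, 0, tzinfo=UTC)),
}
OWNER_IPS = {"192.0.2.10"}  # addresses the owner opens files from (constructed)

# Constructed web-server lines in combined log format.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2013:12:10:02 +0000] "GET /b?t=tok-doc-1 HTTP/1.1" 200 43 "-" "LibreOffice"
192.0.2.10 - - [01/Jan/2013:12:30:00 +0000] "GET /b?t=tok-doc-1 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; ms-office)"
198.51.100.23 - - [01/Jan/2013:15:08:30 +0000] "GET /b?t=tok-doc-2 HTTP/1.1" 200 43 "-" "LibreOffice"
198.51.100.99 - - [01/Jan/2013:16:00:00 +0000] "GET /b?t=unknown HTTP/1.1" 404 0 "-" "curl/7.0"
"""
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def buzzes(log_text, tokens=TOKENS, owner_ips=OWNER_IPS):
    """Return one record per beacon hit that matches a registered token."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a GET in combined log format
        ip, ts, target, ua = m.groups()
        token = parse_qs(urlsplit(target).query).get("t", [None])[0]
        if token not in tokens:
            continue  # scanners and stray requests are not buzzes
        name, uploaded = tokens[token]
        seen = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"file": name, "ip": ip, "user_agent": ua,
                     "minutes_after_upload": (seen - uploaded).total_seconds() / 60,
                     "unexpected": ip not in owner_ips})
    return hits

def never_opened(hits, tokens=TOKENS):
    """Files with no buzz at all, e.g. formats the service did not render."""
    return sorted({n for n, _ in tokens.values()} - {h["file"] for h in hits})

if __name__ == "__main__":
    found = buzzes(SAMPLE_LOG)
    print(*found, "no buzz: %s" % never_opened(found), sep="\n")
```
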

7 responses on “Dropbox…opening my docs?”

  1. stoopid

    I understand that most recent versions of MS Word are ‘net aware’ but older versions are not. Also, how does opening an MS Word document in LibreOffice or Notepad generate a notification?

    Also, if the user has a firewall with a notifier (e.g. Windows Firewall Notifier or something similar), won’t he/she be alerted to an outgoing connection when he opens up a Word doc?

  2. Youarestoopid

    The point is they were accessed because they did successfully phone home. How they technically did it can be researched with Google.

    Firewall or not the doc phoned home.

  3. Daniel

    Hi. So, how long after you uploaded the document was it opened?
    I’ve made the same test with Crashplan. It has been a couple of days and no one opened the document (at least it didn’t call home).

  4. Randy G

    One possibility is that these files are being opened by Dropbox in a background process in order to index them for search. They’re stored in S3, but temporarily handed over to a worker EC2 instance of a routine that uses LibreOffice to extract the text from the doc and build the search indexes. – just a guess.

    1. Randy G

      That said, assuming Dropbox is building a search index, maybe they should also strictly block any & all outgoing requests from that process with a very thick firewall… and disable all active code, including ‘http-get…’

  5. Jansen Sena

    I just tested it with Dropbox, but after more than one hour I didn’t receive any record of file access (DOC, HTML and so on). Of course, it is very easy to block in a firewall, for example. Dropbox could have created some protection against this just to avoid another big problem concerning the security of its users’ files.
