Dropbox Loophole to Close

Black Hole

May contain traces of nut
For some time, I have been using a little trick with Dropbox so that small personal web pages can be served on the Internet. By creating a .html file in your Dropbox-synced folder, the sync process uploads the file to the Dropbox server, and then getting a share link for it produces a URL of the form www.dropbox.com/some-random-string/filename.html?dl=0. The exploit is that by changing the "www" to "dl" and ditching the "?dl=0" (as can be observed from the actual download link when going to the www page), the file becomes renderable in a normal web browser as a normal web page.

I use this to provide myself with a browser home page that links to all my regular web sites (instead of having to maintain multiple Favourites in all the browsers I might use), so the random (but fixed) URL doesn't matter as long as I can set my browsers' home URLs to it.

However, I also use the exploit to provide shared content to small groups of associates, such as a rota page for a club committee. In this case, I use tiny.cc to create a more meaningful URL and redirect it to the Dropbox content.

This all works great, as long as you don't exceed your traffic allowance and get your account frozen for a period!

The trouble is: Dropbox have now discovered the exploit (or knew about it and have now decided to act):

[image attachment]

Fair enough, it is an exploit and they could have pulled the plug without warning - at least they've told me. Presumably other people were abusing it far more than me.

I assume they can detect when a browser is trying to render a web page rather than simply download it (I'm not sure how), or they might change the method for downloading a file using the shared link so that substituting "dl" no longer works. Wait and see on that one.

Anybody got a good idea for (free) hosting of limited resources, preferably with an easy upload/update mechanism (the Dropbox syncing is great, FTP is going to be less convenient I think)? A few free web hosts that I have looked at seem to have problems with users complaining accounts get suspended for no apparent reason (and free accounts have no access to support).
 

af123

Administrator
Staff member
I suspect they are just going to change the content-type that their web server provides along with the .html file.
If the file is transmitted with content type text/html then your browser will render it. If they send text/plain then you'll see the source code in the window and if application/octet-stream, your browser will prompt to download it. There are other header changes they could make too.

I didn't get that email so either they are sending it in batches or it's targeted in some way.
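An added example, not af123's code or anything Dropbox runs: a tiny Python server hands out the very same .html bytes three ways purely by changing response headers (Content-Type, plus Content-Disposition and X-Content-Type-Options as two of the "other header changes"), and a small helper predicts what a browser would do with each. The page contents, the local port and the "mode" query knob are constructed for the demo; the body is never altered, so a downloaded copy is byte-for-byte intact.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample page standing in for a synced .html file.
PAGE = b"<!doctype html><title>rota</title><h1>Committee rota</h1>"
# Header sets a host could choose; the "mode" query string is only a demo knob.
HEADERS = {
    "render": {"Content-Type": "text/html; charset=utf-8"},
    "source": {"Content-Type": "text/plain; charset=utf-8",
               "X-Content-Type-Options": "nosniff"},  # no sniffing back to HTML
    "download": {"Content-Type": "application/octet-stream",
                 "Content-Disposition": 'attachment; filename="rota.html"'},
}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        mode = parse_qs(urlparse(self.path).query).get("mode", ["render"])[0]
        self.send_response(200)
        for name, value in HEADERS.get(mode, HEADERS["render"]).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)  # the same bytes in every mode

# Predict a browser's behaviour from lower-cased response headers.
def browser_action(headers):
    if headers.get("content-disposition", "").lower().startswith("attachment"):
        return "download"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        return "render"
    if ctype.startswith("text/"):
        return "show source"
    return "download"

# Serve PAGE on a throwaway local port, fetch it once, return (action, body).
def fetch(mode):
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_port)
    try:
        conn.request("GET", f"/rota.html?mode={mode}")
        resp = conn.getresponse()
        return browser_action({k.lower(): v for k, v in resp.getheaders()}), resp.read()
    finally:
        conn.close()
        srv.shutdown()
        srv.server_close()
```

Calling fetch("render"), fetch("source") and fetch("download") returns the same PAGE bytes each time; only the predicted browser action changes.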
 

dandnsmith

Forum Supporter
I didn't get that email (yet?).
As one who has a trial web-site to give me a quick test for the real thing, I will also be affected.
I haven't done anything like fiddling the dl= (or whatever) to get the stuff visible as a web set of pages.
 
OP
Black Hole

May contain traces of nut
As one who has a trial web-site to give me a quick test for the real thing, I will also be affected.
I haven't done anything like fiddling the dl= (or whatever) to get the stuff visible as a web set of pages.
How does that work? Unless you substitute "dl" for "www" in the share link, a browser just displays the Dropbox interface with a download link for the resource - doesn't it?
 
OP
Black Hole

May contain traces of nut
I suspect they are just going to change the content-type that their web server provides along with the .html file.
If the file is transmitted with content type text/html then your browser will render it. If they send text/plain then you'll see the source code in the window and if application/octet-stream, your browser will prompt to download it. There are other header changes they could make too.
I'm not au fait with this stuff, but I don't understand how this is possible. Suppose I had a plain text file, and wanted to provide someone a link to download a copy. If Dropbox fiddled with it in any way, the downloaded copy would be corrupt.

How I think it might be done is if the share link takes you to a Dropbox web page that contains a JavaScript downloader rather than a direct download link (which is what I hijacked).
 
OP
Black Hole

May contain traces of nut
As luck would have it, Dropbox sent me a survey link, so I've told them I value being able to host small web pages!
 
OP
Black Hole

May contain traces of nut
Buggers are now dropping support for public folders - on 15th March. Obviously they are trying to get people to upgrade to paid accounts.
 

Scrat

Definitely contains acorns
Those of us who haven't joined the Google ecosystem?
You only need to register an email, you barely even need to use said email! Given that the Dropbox ecosystem is so inferior, I would not be so snobbish about that.

1. Register an email with Google, you don't ever need to use it as your primary email, or even a secondary one as far as I know.

2. Use the web page or Google Drive app to access your free storage, 15Gb of it.

3. Load it up, share files or folders with other users, whatever.

It is not a tight ecosystem the way fruity cloud drive is.
 

af123

Administrator
Staff member
I use Google Drive for distributing the custom firmware - always sign out when I'm finished though, otherwise any Google site I visit knows who I'm logged in as and the ads are definitely more targeted. The same thing happens when browsing to any site that uses Google AdSense or Analytics. Recent example: I watched a video about drones on YouTube while still signed into Google Drive and began seeing ads for drones on this forum which uses AdSense.

The standalone app is probably a good replacement for Dropbox though.
 

Scrat

Definitely contains acorns
I use Google Drive for distributing the custom firmware - always sign out when I'm finished though, otherwise any Google site I visit knows who I'm logged in as and the ads are definitely more targeted. The same thing happens when browsing to any site that uses Google AdSense or Analytics. Recent example: I watched a video about drones on YouTube while still signed into Google Drive and began seeing ads for drones on this forum which uses AdSense.

The standalone app is probably a good replacement for Dropbox though.

Google targeting is of course optional. Plus, on a laptop you can neuter the adverts anyway. Firefox can neuter them on a phone, too, as Adblock Plus is an extension, at least on Android it is.
 

cdmackay

Active Member
I use this to provide myself with a browser home page that links to all my regular web sites (instead of having to maintain multiple Favourites in all the browsers I might use)

You might want to consider Xmarks, to share bookmarks (and open tab links) across systems. I've been using it for some years and am happy with it. Has backups, control over sync, etc.
 