by zdw 5540 days ago
Dedupe and cleartext metadata, as stated in the article I referenced, would allow for the following possibilities:

If an attacker could figure out the hash method used by Dropbox on the files and intercept a few hashes from a victim, it's plausible that an attacker could trick the service into thinking that he had uploaded the files on his own account, allowing access to the victim's files.

Could you explain what would need to be done to protect against this attack method?

Security is hard - I hope yours improves.

1 comment

Cryptographic signatures of files are never transmitted over plaintext. Yes, the current incarnation of the mobile apps doesn't encrypt the names of the files, but we are working on a fix for this as soon as we can adequately improve the SSL performance of our mobile apps.
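The risk zdw raises is that a deduplicating store which treats a bare content hash as proof of upload lets anyone who learns the hash get linked to the stored bytes. The usual mitigation is a proof-of-ownership step: before linking a new account to an existing blob, the server issues a fresh nonce and requires a MAC over the file content keyed with that nonce, which only a party holding the bytes can produce. The following Python is an added illustration written for this thread; it is not Dropbox's code and makes no claim about how Dropbox's service or hashing actually work. The two server classes, the account names and the file content are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample file content standing in for a victim's document (not real data).
VICTIM_FILE = b"quarterly-report: revenue 1.2M, churn 3%\n" * 64


def content_hash(data: bytes) -> str:
    """Content-derived ID a client sends to ask 'do you already hold this file?'."""
    return hashlib.sha256(data).hexdigest()


class NaiveDedupeServer:
    """Hypothetical store that accepts a bare hash as proof the uploader holds the file."""

    def __init__(self):
        self.blobs = {}   # content hash -> stored bytes
        self.owners = {}  # content hash -> set of accounts allowed to read it

    def upload(self, account: str, data: bytes) -> str:
        h = content_hash(data)
        self.blobs[h] = data
        self.owners.setdefault(h, set()).add(account)
        return h

    def claim(self, account: str, h: str) -> bool:
        # Weak step: knowing the hash is enough to be linked to the stored blob.
        if h in self.blobs:
            self.owners[h].add(account)
            return True
        return False

    def download(self, account: str, h: str):
        return self.blobs[h] if account in self.owners.get(h, set()) else None


class ProofOfOwnershipServer(NaiveDedupeServer):
    """Same store, but a claim must carry an HMAC over the content under a fresh nonce."""

    def __init__(self):
        super().__init__()
        self.pending = {}  # (account, hash) -> nonce issued for that claim

    def challenge(self, account: str, h: str):
        if h not in self.blobs:
            return None
        nonce = os.urandom(16)
        self.pending[(account, h)] = nonce
        return nonce

    @staticmethod
    def respond(data: bytes, nonce: bytes) -> bytes:
        # Client side: computing this requires the full file bytes, not just the hash.
        return hmac.new(nonce, data, hashlib.sha256).digest()

    def claim_with_proof(self, account: str, h: str, response: bytes) -> bool:
        nonce = self.pending.pop((account, h), None)  # one-shot nonce, no replay
        if nonce is None:
            return False
        expected = hmac.new(nonce, self.blobs[h], hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.owners[h].add(account)
            return True
        return False


def run_scenarios() -> dict:
    """Compare the two designs against a party that knows only the content hash."""
    h = content_hash(VICTIM_FILE)

    naive = NaiveDedupeServer()
    naive.upload("victim", VICTIM_FILE)
    naive.claim("hash_only_party", h)
    naive_leaks = naive.download("hash_only_party", h) == VICTIM_FILE

    hardened = ProofOfOwnershipServer()
    hardened.upload("victim", VICTIM_FILE)
    nonce = hardened.challenge("hash_only_party", h)
    # Without the bytes, the best a hash-only party can do is MAC the hash string itself.
    wrong_proof = hmac.new(nonce, h.encode(), hashlib.sha256).digest()
    hash_only_linked = hardened.claim_with_proof("hash_only_party", h, wrong_proof)

    # A second legitimate holder of the same file still gets deduplicated.
    nonce2 = hardened.challenge("second_holder", h)
    legit_proof = ProofOfOwnershipServer.respond(VICTIM_FILE, nonce2)
    legit_linked = hardened.claim_with_proof("second_holder", h, legit_proof)

    return {
        "naive_leaks": naive_leaks,
        "hardened_hash_only_linked": hash_only_linked,
        "hardened_legit_dedupe": legit_linked,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The MAC here covers the whole file for clarity; production proof-of-ownership schemes typically ask for a MAC over server-chosen byte ranges so the check stays cheap for large files, and the nonce is consumed on use so a captured response cannot be replayed. Note that this addresses the claim step only; the reply above is about a separate concern, protecting hashes and filenames in transit.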