Files use plain SHA1 hashes in some cases, and an attack in this form may be possible in some situations now that a SHA1 collision is well-known:
1. Construct evil.exe and good.exe, which have the same SHA1 checksum.
2. Upload evil.exe first.
3. Give another user good.exe and convince them to upload it. Then, convince them to download it and execute it.
4. If the stars align, they may be served the file data for evil.exe instead of the data for good.exe.
I believe there are a lot of other intermediate issues and (3) is probably pretty suspicious in most situations, but we should move to a stronger hash in the next iteration on Files.
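
The aliasing described in the last step, and two ways a deduplicating store avoids it, as an added example that is not code from the original report or from the project. `DedupStore`, `weak_digest` and the sample inputs are hypothetical, and a 16-bit truncation of SHA-1 stands in for a colliding hash so the collision can be produced from constructed data.

```python
import hashlib

def weak_digest(data: bytes) -> str:
    # Constructed stand-in for a collision-prone hash: SHA-1 cut to 16 bits,
    # so two differing inputs with the same digest are found instantly.
    return hashlib.sha1(data).hexdigest()[:4]

def strong_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class DedupStore:
    """Hypothetical file store that deduplicates uploads by content digest."""
    def __init__(self, digest, verify_bytes=False):
        self.digest = digest
        self.verify_bytes = verify_bytes
        self.blobs = {}   # storage key -> file data
        self.files = {}   # file id -> storage key

    def upload(self, file_id: str, data: bytes) -> None:
        key = self.digest(data)
        existing = self.blobs.get(key)
        if existing is None:
            self.blobs[key] = data
        elif self.verify_bytes and existing != data:
            # Digest matched but the bytes differ: store separately, never alias.
            key = f"{key}:{len(self.blobs)}"
            self.blobs[key] = data
        # Otherwise the stored blob is reused on the strength of the digest alone.
        self.files[file_id] = key

    def download(self, file_id: str) -> bytes:
        return self.blobs[self.files[file_id]]

def find_colliding_pair(digest):
    # Birthday search over constructed sample inputs; ends quickly for 16 bits.
    seen = {}
    for i in range(1 << 17):
        data = b"constructed-sample-%d" % i
        d = digest(data)
        if d in seen:
            return seen[d], data
        seen[d] = data
    raise RuntimeError("no collision found")

def served_for_second_upload(store, first: bytes, second: bytes) -> bytes:
    # First uploader stores `first`; a second user uploads `second`, then downloads it.
    store.upload("F1", first)
    store.upload("F2", second)
    return store.download("F2")
```

Comparing bytes on a digest match closes the aliasing even while the weak hash is still in use; moving the storage key to SHA-256 removes the practical collision.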