When retrieving a file from the cloud, most people expect to get back what they put in. But that's apparently not the case for users of OneDrive for Business (formerly SkyDrive Pro), the cloud-based storage that comes bundled with many versions of Microsoft Office 365. The revelation came to light on April 17, and was documented on Myce.com, a techie site dedicated to discussions of digital storage. It has since been confirmed by Microsoft.
According to the post by blogger and Myce.com moderator Seán Byrne, synced files are injected with a universally unique identifier, or uuid, which remains consistent for every PHP and HTML file it modifies. "Even though this modification does not make the file traceable," Byrne wrote, "this is obviously going to be a nuisance for web developers who use OneDrive for Business to sync web files with each other." Of particular concern to developers and solution providers, he added, would be hand-crafted files that could be made to malfunction if extra code is inserted unexpectedly.
Office files also are affected. Byrne found that files ending in docx and pub (for Microsoft Word, Excel and Publisher) grew in size by about 8K and had code injected that was unlike that in the web files. "Microsoft Office files had what appears to be uniquely identifiable code added, potentially making it possible to match them to a company and possibly even to a specific user’s account," he wrote. Byrne is a support technician and IT hobbyist living in Ireland.
Perhaps the most serious implication is that despite clearly modifying the contents of files, OneDrive for Business's sync process doesn't touch the Date Modified tags of any of the files it modifies. "OneDrive for Business silently embeds meta data to the files it syncs between devices. So to an unsuspecting user who just checks when the files were modified, they appear untouched," wrote Byrne. "This is a potentially serious issue for those who sync files that must remain untouched."
Affected files include only those that are synced between a PC or mobile device and a OneDrive for Business account. In this scenario, the only files unaffected are those placed in the folder that was the first to be synced with the account; folders on subsequent machines or devices that are synced with the same account will have files with different contents. "So even if a user checks the files they place in a synced folder, they would not know anything is being modified unless they physically took those files to another computer with the matching synced folder to compare them."
"The problem does not appear to affect the consumer edition of OneDrive."
Microsoft did not immediately respond to requests for comment, but a spokesperson told CRN Australia that the metadata is added to "support advanced document management scenarios and preserve user experiences."
After this story posted, CRN asked Microsoft if the OneDrive for Business license agreement includes language indicating that the company inserts metadata into user files.
Here's the response: "The context of content is not modified. Limited metadata is added to content to support advanced document management scenarios and preserve user experiences. The functionality behind this has been in the product for several releases and is designed to synchronize important metadata between a document and a Document Library including OneDrive for Business."
A quick scan of the OneDrive for Business for Windows 8 license revealed no mention of it.
When asked to confirm that OneDrive modifies synced files but leaves their "Modified Date" tags alone, Microsoft's answer was to repeat that "[t]he context of content is not modified."
Our interpretation: "Yes, that's exactly what we're doing."
PUBLISHED APRIL 30, 2014