Microsoft OneDrive for Business can Alter Your Files as It Syncs

According to a blog post on the Myce forum, Microsoft OneDrive for Business, which used to go by the name of SkyDrive Pro, modifies files as it syncs.


22 April 2014

Microsoft OneDrive for Business, which until recently used to go by the name of SkyDrive Pro, is making headlines today for all the wrong reasons.

The problem?  Microsoft seems to have forgotten the meaning of "CIA."

No, not the Central Intelligence Agency.  I'm talking about "Confidentiality, Integrity and Availability" - the three core principles of information security.

If your company is entrusting its most sensitive data to a third-party service, you should expect three things:

  1. Confidentiality - That your data will be kept private and will not be leaked.
  2. Integrity - That your data won't be altered, and that it can be trusted.
  3. Availability - That you will be able to get a hold of your data when you need it.

You should really expect nothing less for your money, and Microsoft's own promotions for OneDrive for Business underline that it is "compliant with world-class industry standards" and that you can "rest assured that your data is protected".

However, there is an enormous fly in the ointment: one Microsoft OneDrive for Business customer believes he has found that the service falls short when it comes to the "I" in "CIA", i.e. it fails to deliver integrity.

According to a blog post on the Myce forum by Seán Byrne, a storage technology researcher, Microsoft OneDrive for Business modifies files as it syncs.

True integrity, of course, would mean that every file served up by the enterprise file-sharing and syncing service should be byte-for-byte identical to the file which was uploaded to it.

Byrne says he stumbled across the problem by accident, when he happened to run an MD5 checksummer against files he had been syncing.

"When OneDrive got stuck in an endless loop of trying to sync a few files and the issue returned when I tried clearing its cache as instructed on Microsoft’s discussion forum, I decided to stop syncing the OneDrive folder and backed it up. I then deleted the original synced folder and got OneDrive to start syncing it again, so it would get a fresh copy from the cloud.  In an aim to check if any files got damaged due to the earlier syncing issue, I used a utility called MD5summer to create MD5 hashes for its content and repeated this process for the freshly synced folder.  To my surprise, the vast majority of the files showed ‘Checksum did not match’.  Surely most of my files haven’t gone corrupt?

"I then started opening various files that failed the MD5 check, but could not find any obvious damage to any file. That was until I noticed several PHP files from a website theme that also failed the MD5 check.  When I compared them side by side in Notepad++, I noticed straight away a few pieces of code injected into the header that clearly could not have been caused by any form of data corruption.  I knew for sure that neither I nor anyone else would have made these changes as the theme files were from a former website CMS package, so I then tried finding out what was modifying these files."

Surprised by his findings, Byrne created some simple PHP and HTML files in a text editor and placed them in a folder for OneDrive for Business to sync. Sure enough, the files were altered upon syncing with extra information injected into them.

[Image: File Modified - Myce.com]

Further investigations revealed that other files were altered as well.

"As for Word, Excel and Publisher files (‘docx’, ‘xlsx’ and ‘pub’ file extensions), these grew by about 8KB.  Unlike the web files, these Microsoft Office files had what appears to be uniquely identifiable code added, potentially making it possible to match them to a company and possibly even to a specific user’s account."

Of course, in many situations it may not cause a problem for Microsoft to meddle with the contents of the files that it stores and syncs with users, but that's not the point.  In some scenarios it might cause a great deal of problems, especially when an organization needs to give assurances that sensitive information has not been tampered with in any way.
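The check Byrne describes, hashing a backed-up folder and a freshly synced copy and comparing the results, can be scripted. The following is an added example, not code from Byrne's post or from this article; it uses SHA-256 instead of MD5, also reports how many bytes each altered file grew or shrank, and its folder names and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def manifest(root):
    """Map each relative file path under root to (sha256, size in bytes)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (sha256_file(p), p.stat().st_size)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(baseline, synced):
    """Classify files as altered (with size delta), missing, or unexpected."""
    before, after = manifest(baseline), manifest(synced)
    report = {"altered": {}, "missing": [],
              "unexpected": sorted(set(after) - set(before))}
    for rel, (digest, size) in before.items():
        if rel not in after:
            report["missing"].append(rel)
        elif after[rel][0] != digest:
            report["altered"][rel] = after[rel][1] - size
    return report

def demo():
    """Constructed sample: a 'backup' tree and a 'synced' tree with one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, synced = Path(tmp, "backup"), Path(tmp, "synced")
        for d in (backup, synced):
            (d / "theme").mkdir(parents=True)
            (d / "notes.txt").write_bytes(b"unchanged\n")
        page = b"<html><head></head><body>hi</body></html>\n"
        (backup / "theme" / "index.html").write_bytes(page)
        # Constructed stand-in for content added during sync (not the real injected data).
        (synced / "theme" / "index.html").write_bytes(
            page.replace(b"<head>", b"<head><!-- added-by-sync -->"))
        return compare_trees(backup, synced)

if __name__ == "__main__":
    print(demo())
```

To use it on real data, call `compare_trees()` with the path of the backup taken before syncing and the path of the freshly synced folder.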

If Byrne's claims are true, Microsoft has scored a massive own goal here and many enterprises will take a dim view of how well it is maintaining the integrity of the data of those who trust its OneDrive for Business service.

It's important to note that Byrne says that, in his testing, the same file-modification problem was not found with the consumer version of OneDrive (formerly known as SkyDrive).  Once again, consumers get less than businesses - less messing around with their private files in this particular case!



Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.