A partner account manager can help. Contact us today.

 Subscribe me to your mailing list

Excel formula injection in Google Docs

Surely all of you know about Google reward program for information security researchers who provide information about weak spots of Google resources. We had the chance to participate in this program, too. Here is a short story from @_chipik and @asintsov.

One day we needed to conduct a small survey, and we decided to use Google Docs as platform for the survey.

There is an object in Google Docs called Google Forms, and, as obvious from the name, it is used to create various surveys and tests forms.

After a form is created, its URL is published on the Internet or sent to people who are to participate in the survey.

This is how the form looks for a participant:

And this is how the author sees the participant's answers:

I suppose that any web researcher upon seeing a form instinctively puts ‘,",> and other interesting symbols here? We tried it, too. However, everything was encoded and filtered exactly as planned. Well… But all of user input is inserted into an Excel table, so why don't we try to inject some formula? Excel formulas start with an "=". OK, let's give it a try.

Fail. Cunning Google puts a space symbol before the "=" so that the formula is taken for a simple text cell. So how do we get rid of the space? Easy as pie: use backspace :) %08 is the Hex code of the backspace key.

Thus, we wrote in the entry field:



The formula got inserted into the table just fine.

All we had to do now was devise an interesting and practical vector for this particular injection. Google Functions helped us here.

With the help of Google Functions it was possible to execute a request to any domain so that the request results got inserted into a specified cell.

That gave us the following attack vector:

  • Put sensitive user data into A1 cell (or probably they are already there)
  • Put a formula which makes GET request to into Z666 cell.
  • Read web server logs, get data from cells.
  • Profit!

Soon after describing the bug and the possible attack vector we got the following letter:

And a bit later we saw our names in Google Hall of Fame.