Excel formula injection in Google Docs
No doubt all of you know about Google's reward program for information security researchers who report weaknesses in Google resources. We had a chance to participate in this program, too. Here is a short story from @_chipik and @asintsov.
One day we needed to conduct a small survey, and we decided to use Google Docs as the platform.
There is an object in Google Docs called Google Forms, and, as its name suggests, it is intended for creating surveys and test forms.
After a form is created, its URL is published on the Internet or sent to the potential participants of the survey.
This is how the form looks for a participant:
And this is how the author sees the participant’s answers:
I wonder whether any web researcher, on seeing a form, instinctively types ‘, ”, > or other interesting symbols into it. Anyway, we tried it. However, everything was encoded and filtered exactly as planned. Still, all the user input is inserted into an Excel-style table, so why not try to inject a formula? Spreadsheet formulas start with an “=”. OK, let’s give it a try.
Fail. Google puts a space character before the “=” so that the formula is treated as plain text in the cell. How can we get rid of the space? Simply by using the backspace. %08 is the URL-encoded form of the backspace character (0x08).
Thus, we wrote in the entry field:
The formula got inserted into the table.
All we had to do now was to devise a practical vector for this particular injection.
Google Sheets provides functions that fetch remote content, so a formula could send a request to an arbitrary domain and place the response in a specified cell.
That gave us the following attack vector:
- Put the sensitive user data into cell A1 (most likely it is already there).
- Put a formula that makes a GET request to http://own_site.com/secret_data_in_base64 into cell Z666.
- Read the web server logs and recover the data from the cells.
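An added example, not from the original post, of how a form backend could defend against exactly this bypass: the naive fix (prefix a space when the answer starts with “=”) is defeated by a leading backspace, so the hardened version strips control characters before deciding whether the cell needs neutralizing. Function names and the sample answer are constructed for illustration; the sample formula is deliberately harmless.

```python
import re
import urllib.parse

# Characters that make a spreadsheet interpret a cell as a formula when they lead it.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# ASCII control characters, including 0x08 (backspace), which the post used to erase
# the protective space that Google prepended.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample: what a form field carrying the backspace trick looks like on the wire.
SAMPLE_ANSWER = "%08=1+1"


def decode_form_field(raw: str) -> str:
    """Form fields arrive URL-encoded; %08 decodes to the backspace character."""
    return urllib.parse.unquote(raw)


def looks_like_formula(value: str) -> bool:
    """Detection: flag input whose first *visible* character is a formula trigger,
    i.e. after any control characters (such as backspace) are dropped."""
    visible = CONTROL_CHARS.sub("", value)
    return visible.startswith(FORMULA_TRIGGERS)


def naive_neutralize(value: str) -> str:
    """The defence the post describes: prefix a space when the value starts with '='.
    A value that starts with a control character slips past the check, and even when
    the space is added, a following backspace can erase it when the sheet renders."""
    return " " + value if value.startswith("=") else value


def neutralize_cell(value: str) -> str:
    """Hardened: remove control characters first, then prefix an apostrophe, which
    spreadsheets treat as 'store the rest of this cell as literal text'."""
    cleaned = CONTROL_CHARS.sub("", value)
    if cleaned.startswith(FORMULA_TRIGGERS):
        return "'" + cleaned
    return cleaned


def process_answer(raw: str) -> str:
    """Decode a submitted field and return the value that is safe to write to a cell."""
    return neutralize_cell(decode_form_field(raw))


if __name__ == "__main__":
    decoded = decode_form_field(SAMPLE_ANSWER)
    print("formula attempt detected:", looks_like_formula(decoded))
    print("naive   :", repr(naive_neutralize(decoded)))   # still starts with a formula
    print("hardened:", repr(process_answer(SAMPLE_ANSWER)))  # "'=1+1", stored as text
```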
Soon after we described the bug and the possible attack vector, we received the following letter:
Soon after that we saw our names in Google Hall of Fame.