CSV formula injection
Occasionally, we receive reports describing formula injection into CSV files. Specifically, the reports mention that one of our products with an export-to-CSV feature can be abused by injecting formulas into a generated file that the user then downloads and opens.
The attack scenario generally goes like this:
- Under certain circumstances, injected formulas could be executed by the application opening the CSV file (Microsoft Excel is commonly mentioned).
- The consequence is not just arithmetic being evaluated on a victim's machine (though we all like =1338-1); it may even amount to running arbitrary commands.
In this context, it is important to remember that CSV files are simply text files (the format is defined in RFC 4180) and that only a subset of the applications which open CSV files actually evaluate formulas. Formula evaluation is a behaviour of the consuming application, not of the CSV format, and it is not a vulnerability in Google products which export user-created CSVs. Consequently, this issue should be mitigated by applications which import or interpret data from external sources such as CSV files, as Microsoft Excel does by displaying a warning. In other words, the proper fix should be applied when opening CSV files, not when creating them.
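As an added example, not part of the original page and not Google's code, this is the import-side check the paragraph above refers to, written in Python. It parses the file per RFC 4180 with the standard library's csv module, flags every cell that Excel or LibreOffice Calc would evaluate as a formula (a leading =, +, -, @, tab or carriage return, excluding plain signed numbers), and optionally rewrites such cells with the single-quote prefix those applications use to mark literal text. The CSV content, the column names and the function names are constructed for this example.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Cell prefixes that Microsoft Excel and LibreOffice Calc treat as the start of a
# formula. Tab and carriage return are included because Excel ignores them in
# front of a trigger character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain signed number is ordinary data even though it starts with "+" or "-".
_PLAIN_NUMBER = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")


@dataclass
class Finding:
    row: int      # 0-based data row (header excluded)
    column: str   # header name of the offending cell
    value: str    # the cell exactly as decoded from the file


def looks_like_formula(cell: str) -> bool:
    """True if a spreadsheet would plausibly evaluate this cell as a formula."""
    if not cell or cell[0] not in FORMULA_TRIGGERS:
        return False
    # "-42" or "+7.5" is a number, not a formula; "-2+3" or "+1+1" is not.
    return _PLAIN_NUMBER.match(cell) is None


def neutralize(cell: str) -> str:
    """Force a spreadsheet to store the cell as text.

    A leading single quote is the Excel/Calc convention for "literal text
    follows"; it is not displayed in the cell."""
    return "'" + cell


def import_csv(text: str, neutralize_cells: bool = True) -> tuple[list[dict[str, str]], list[Finding]]:
    """Parse RFC 4180 CSV text and report cells a spreadsheet would treat as formulas.

    Detection runs on the decoded field value, so a quoted "=..." field is
    caught exactly like a bare one. With neutralize_cells=False the rows are
    returned untouched and only the findings are reported (the "warn" mode)."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    rows: list[dict[str, str]] = []
    findings: list[Finding] = []
    for i, row in enumerate(reader):
        cleaned: dict[str, str] = {}
        for column, cell in row.items():
            cell = cell or ""
            if looks_like_formula(cell):
                findings.append(Finding(row=i, column=column, value=cell))
                cleaned[column] = neutralize(cell) if neutralize_cells else cell
            else:
                cleaned[column] = cell
        rows.append(cleaned)
    return rows, findings


# Constructed sample: an export with user-controlled "comment" cells and a
# legitimate signed-number "balance" column that must not be mangled.
SAMPLE_CSV = "\r\n".join([
    "name,comment,balance",
    'alice,"=1338-1",-42',
    'bob,"@SUM(1,2)",+7.5',
    "carol,\"=cmd|' /C calc'!A0\",0",      # DDE-style command launch
    "dave,\t=1+1,3e2",                       # tab in front of the trigger
    'erin,"ordinary, quoted text",-1e-3',
]) + "\r\n"


if __name__ == "__main__":
    rows, findings = import_csv(SAMPLE_CSV)
    for f in findings:
        print(f"row {f.row} column {f.column!r}: formula-like cell {f.value!r}")
    print("imported rows:", rows)
```

The plain-number exception is what keeps a column of negative balances intact; an importer that blindly prefixes every cell starting with "-" would corrupt ordinary financial data while trying to defuse formulas. Because the check runs on the decoded field, RFC 4180 quoting around a formula does not bypass it.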
Conclusion
If you report a CSV injection issue of the type described above, we won't file a bug based on your report.
Why? We don't believe that the risk introduced by formula injection into CSV files generated by Google products seriously impacts the security of our users or products. For this reason, it does not warrant a change in our products.