CSV Excel formula injection

Occasionally, we get reports describing Excel formula injection into CSV files. Specifically, the reports mention that one of our products with an 'export to CSV' feature can be abused to inject Excel formulas into a generated file downloaded by the user. The attack scenario mentions that, under certain circumstances, those formulas could be executed by the application opening the CSV file (Microsoft Excel is commonly mentioned). The consequence is not just running arithmetic operations on a victim's machine (though we all like =1338-1), but may amount even to running arbitrary commands.

Our product security team here at Google thinks this isn't something we are in the best position to fix, or that would have sufficient impact on the security of our users or products. We are aware that other bug bounty program vendors might interpret this issue differently, but we still stand by our decision.

CSV files are just text files (the format is defined in RFC 4180), and evaluating formulas is a behavior of only a subset of the applications opening them. It is a side effect of how those applications treat the CSV format, not a vulnerability in our products which can export user-created CSVs. This issue should be mitigated by the application which imports or interprets data from an external source, as Microsoft Excel does (for example) by showing a warning. In other words, the proper fix should be applied when opening the CSV files, rather than when creating them.
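As an illustration of that importer-side mitigation, here is an added example (not code from Google or from any product mentioned above) of a small CSV importer that parses input per RFC 4180 with Python's standard `csv` module, reports every cell that a spreadsheet application would interpret as a formula, and marks such cells as literal text before handing the data on. The trigger characters in `FORMULA_TRIGGERS` follow commonly published guidance and are an assumption of this example; the sample CSV is constructed for the demonstration, and plain negative or signed numbers are deliberately left alone so that ordinary data is not mangled.

```python
import csv
import io

# Leading characters that cause spreadsheet applications (Excel,
# LibreOffice Calc, ...) to treat a cell as a formula rather than text.
# Tab and carriage return are included because some applications strip
# leading whitespace before making that decision. (Assumed list, based on
# commonly published guidance.)
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_plain_number(cell: str) -> bool:
    """True for values such as -5 or +3.25 that only look like triggers."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def looks_like_formula(cell: str) -> bool:
    """A cell is suspicious if it starts with a trigger and is not a number."""
    return cell.startswith(FORMULA_TRIGGERS) and not is_plain_number(cell)


def neutralize(cell: str) -> str:
    """Prefix a single quote so a spreadsheet stores the cell as text."""
    return "'" + cell if looks_like_formula(cell) else cell


def import_csv(text: str):
    """Parse CSV text (RFC 4180 quoting rules) and return (rows, findings).

    rows     - the parsed rows with formula-like cells neutralized
    findings - (row, column, original_cell) for every neutralized cell,
               so the importer can warn the user the way Excel does
    """
    rows = []
    findings = []
    reader = csv.reader(io.StringIO(text))  # default dialect is "excel"
    for r, row in enumerate(reader, start=1):
        safe_row = []
        for c, cell in enumerate(row, start=1):
            if looks_like_formula(cell):
                findings.append((r, c, cell))
                cell = neutralize(cell)
            safe_row.append(cell)
        rows.append(safe_row)
    return rows, findings


# Constructed sample: one quoted field with an embedded comma, two cells
# that a spreadsheet would evaluate, a harmless negative number, and a
# quoted formula (quoting does not protect the cell once the CSV is parsed).
SAMPLE_CSV = (
    "name,comment\n"
    'alice,"hello, world"\n'
    "bob,=1338-1\n"
    "carol,-5\n"
    'dave,"@SUM(1)"\n'
    "eve,+1-1\n"
)


if __name__ == "__main__":
    parsed_rows, flagged = import_csv(SAMPLE_CSV)
    for row_no, col_no, original in flagged:
        print(f"row {row_no}, column {col_no}: formula-like cell {original!r} stored as text")
    for row in parsed_rows:
        print(row)
```

Note that the quoted `"@SUM(1)"` cell is still flagged: RFC 4180 quoting only delimits the field, and once the importer has parsed it the spreadsheet sees the bare `@SUM(1)`. Whether an importer neutralizes such cells, warns, or refuses the file is a product decision; the point is that the decision belongs to the consumer of the data.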

In conclusion, we don't think the risk introduced by this behavior is significant enough to warrant a change in our products. Reports describing Excel formula injection into CSV files generated by Google products will not qualify for a reward or credit.