UiPath Excel Workbook Activities ---> Bypasses Password Protection (Possible Bug)

All great products go through a life cycle where they are constantly being tried, tested and retried. However, security bypasses can lead to disastrous results. With ever-increasing data leaks and hacking, securing data is as important as the data itself.

I recently came across a case where UiPath Excel workbook activities could open password-protected Excel workbooks without having to enter the password.

Not sure if this has already been pointed out, but this can lead to unintended access to confidential data.

UiPath version : v2019.1.0

Excel Activity package version : v2.5.3

System Activity package version : v2019.4.0

I have uploaded a video of the activity I performed. Please view the link.

Regards,
Madhuri Shenoy

Sample Sales Data (Very Confidential).xlsx (9.8 KB)

The password to modify is 1234

@Madhuri_Shenoy You are mistaken. The Excel file is password protected for write access. You need to provide the password in case you want to edit it. The Excel read activity just fetches information from the Excel file.

In the video you are clicking the Read Only button and UiPath is able to fetch data from Excel.

See the screenshot from your video below.

See the caution message shown by Excel when you try to restrict modification with a password.

Caution: Password to modify is not a security feature. This document is protected from unintentional editing. However, the document is not encrypted. Malicious users can edit the file and remove the password.

Please see an article on how to restrict modification with a password.

Refer to the link below to see how to encrypt your Excel file properly.

@Madhuri_Shenoy Don’t worry, all is well with UiPath. :+1:

Also, xlsx is just an archive. You can open it with 7z, modify the xml files inside and save. There is nothing to stop you from this and I think that UiPath is also working this way.

Hello @KannanSuresh, thank you for your reply and thank you for the links. However, I think you have not understood the topic.

That is just one part of the video.
However, if you see the entire video, you can see that in the later part while the bot is using excel workbook write cell, without providing any password, the activity also writes to the excel file.

Please see the screenshots.

Regards.
MS

@c.ciprian Encryption of Excel files is strong from Office 2017 and later. Even if you extract the archive, the files would be encrypted. But everything has workarounds. :grinning:

I am talking about password protection, as @Madhuri_Shenoy has done it. There is nothing encrypted in it.


Did you try to save the file? You can edit an Excel file opened in read-only mode. However, you won’t be able to save it. You can use Save As to create a different copy of the original Excel file.

Also, the protection is only a check to prevent accidental edits.

UiPath must be using Microsoft’s Interoperability features / document format XML to do modifications to Excel. These are standard features provided by Microsoft.

Exactly.

Oh, I get what you mean.

When you try to encrypt the file with a password, using write cell without the password throws an error. This is intended behavior.

However, when you try to put a read-only password on the file and then use the write cell activity without a password as I did, it actually writes to the Excel file and also saves the data in the same file.
Excel_Workbook_Write.xaml (5.8 KB)
Sample Sales Data (Very Confidential).xlsx (9.8 KB)

I don’t see anything wrong… You can do the same, manually

It seems read-only password protection works only from the front end, i.e. when you use the Excel application to open the file. Read-only protection does not encrypt anything and it is just an informative notification to the user, recommending them to open the file in read-only mode. Programmatic access to the Excel file is not restricted. This is not just with UiPath. You can write a C# program and modify the contents of the Excel file.
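
Added example, not part of any post in this thread and not UiPath or Microsoft code: a Python check that tells a workbook carrying only a "password to modify" apart from one that is actually encrypted, for auditing files labelled confidential. The function names and sample bytes are constructed for illustration; the check relies on encrypted workbooks being stored in an OLE compound file with an `EncryptedPackage` stream, while unencrypted ones are plain ZIP archives whose `xl/workbook.xml` may hold a `fileSharing` element.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in the CFB directory
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def classify_workbook(data: bytes) -> str:
    """Return 'encrypted', 'write-reservation-only', 'unprotected' or 'unknown'."""
    if data.startswith(CFB_MAGIC):
        # A password-to-open workbook is an encrypted package inside a CFB
        # container; a CFB file without that stream may be a legacy .xls.
        return "encrypted" if ENC_STREAM in data else "unknown"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "xl/workbook.xml" not in zf.namelist():
            return "unknown"
        # For untrusted files, parse with a hardened parser such as defusedxml.
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    # <fileSharing> records the "password to modify"; every part stays plaintext.
    if root.find(NS + "fileSharing") is not None:
        return "write-reservation-only"
    return "unprotected"


def make_sample(file_sharing: bool) -> bytes:
    """Constructed minimal package: only xl/workbook.xml, enough for the check."""
    fs = '<fileSharing readOnlyRecommended="1" userName="demo"/>' if file_sharing else ""
    xml = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
           + fs + "<sheets/></workbook>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", xml)
    return buf.getvalue()


# Constructed stub: CFB magic plus the stream name, not a real encrypted file.
SAMPLE_ENCRYPTED = CFB_MAGIC + b"\x00" * 504 + ENC_STREAM

if __name__ == "__main__":
    for name, blob in [("modify-password", make_sample(True)),
                       ("plain", make_sample(False)),
                       ("encrypted-stub", SAMPLE_ENCRYPTED)]:
        print(f"{name}: {classify_workbook(blob)}")
```

A result of `write-reservation-only` on a file meant to be confidential means any process that can read the file can also read and rewrite its contents.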
