The Absurdly Underestimated Dangers of CSV Injection


117 bookmarks. First posted by fileformat 11 days ago.


The Absurdly Underestimated Dangers of CSV Injection I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think…
IFTTT  Instapaper 
yesterday by ldodds
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. via Pocket
Pocket 
yesterday by driptray
RT : The Absurdly Underestimated Dangers of CSV Injection
from twitter
3 days ago by brandizzi
The Absurdly Underestimated Dangers of CSV Injection
security  attackvector  csv  dataInjectionAttack  vector  attack 
4 days ago by psychemedia
In fact - in Excel at least - any of the symbols = , - , + , or @ will trigger this behavior causing lots of fun times for adminstrators whose data just doesn’t seem to format correctly (this is actually what brought my attention first to the issue). And just like that, the attacker has free reign to download a keylogger, install things, and overall remotely execute code not merely on any other person’s computer, but on that of someone guaranteed to have access to all user’s data; for example a manager or a company adminstrator. The attacker starts the cell with their trusty = symbol prefix and then points IMPORTXML to a server they control, appending as a querystring of spreadsheet data. That information isn’t usually considered secret; it appears in the spreadsheet urls, and will often be accidentally emailed, or posted in intra-company documentation, relying on Google’s security to ensure only authorized users access that data. That way, if a reseracher working on a secret warrant is to view their communication in a spreadsheet, a beacon goes out and the criminal has a canary effectively tipping them off that someone is snooping.
6 days ago by sechilds
Any cell that starts with an = is treated as a formula.
You can then execute any formula function.
security  excel  google  csv  injection 
7 days ago by drmeme
This isn't frightening at all because CSV exports from XLS don't run the world or anything.
from twitter
9 days ago by genehack
This isn't frightening at all because CSV exports from XLS don't run the world or anything.
from twitter_favs
9 days ago by nowthis
In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
csv  excel  google  security 
9 days ago by ssorc
info leak and code exec
csv  injection  google  excel  command 
9 days ago by plaxx
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
excel  security  google 
9 days ago by danesparza
You can include an arbitrary formula, VBA script, or even shell command in a CSV file and MS Excel will execute it at load time with the current user's privileges. Oy.

You can't do this with Google Sheets, but you *can* send all the data in the spreadsheet, and any others that user can reach, to some x-random URI. This is not much nicer.
security  excel  csv  shellinjection 
9 days ago by yorksranter
The Absurdly Underestimated Dangers of CSV Injection
from twitter_favs
9 days ago by reinhard_codes
CSV can be really dangerous.
CSV  attack  hacking 
9 days ago by traggett
I thought by now I'd be too jaded to find anything about spreadsheets shocking, but then I read this.
from twitter_favs
9 days ago by cpsievert
Dang.
s 
10 days ago by jgordon
Man kann mit einer csv Datei den Taschenrechner und alles andere starten? Oh. Autsch.
from twitter
10 days ago by svensonsan
Interesting explanation of "an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV."
security 
10 days ago by shiflett
RT : Well this seems interesting in a bad way
h/t to and his 4 short links
from twitter_favs
10 days ago by gnat
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news ( Edit: Credit where due, I’ve…
from instapaper
10 days ago by nielsk
RT : The Absurdly Underestimated Dangers of CSV Injection
from twitter
10 days ago by kejadlen
Put formula in CSV, import into excel, ta da!

Or no one checks CSV data because it's just text so how could bad things happen when you open it in excel or google docs?
security  spreadsheets  excel 
10 days ago by mr_stru
CSV is safe, right? Wrong...
10 days ago by NeoNacho
…an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.

That is just about every application.
csv  excel  google  security 
10 days ago by dagh
2017-10-07, by George Mauer,

"(...) Even though that cell was quoted it seems to have been interpreted as a formula just because the first character was an = symbol. In fact - in Excel at least - any of the symbols =, -, +, or @ will trigger this behavior (...)"

"(...) Well hold on, a formula is code that executes. So a user can cause code - even if its only formula code - to execute on an administrator’s machine in their user’s security context. (...)"

"(...) This formula is running in the administrator’s browser under their user account and security context. And this is Google Sheets - Sheets are not limited to just their own data, in fact they can pull in data from other spreadsheets that the user has access to. All that an attacker has to know is the other sheet’s id. That information isn’t usually considered secret; it appears in the spreadsheet urls, and will often be accidentally emailed, or posted in intra-company documentation, relying on Google’s security to ensure only authorized users access that data.

So hey, it’s not just your issue/time sheet/whatever data that’s getting exfiltrated. Keep client lists or wage info in a separate spreadsheet that your admin has access to? That info might be getting sucked up as well! All silently, and without anyone knowing anything about it. Yikes! (...)"

"(...) Well it’s not the CSV format’s. The format itself couldn’t be more clear that automatically executing anything that “looks like a formula” is not an intended usage. The bug therefore lies in popular Spreadsheet programs for doing the exact wrong thing. Of course Google Sheets must maintain feature parity with Excel, and Excel must support millions of complex spreadsheets already in existance. Also - I’m not going to research this but - even odds that Excel behavior came from something ancient like Lotus Notes. Getting all spreadsheet programs to change this behavior at this point is a pretty big mountain to counquer. I suppose that it’s everyone else that must change. (...)"
csv  security  google  excel  spreadsheets 
10 days ago by eric.brechemier