The Absurdly Underestimated Dangers of CSV Injection


128 bookmarks. First posted by fileformat 9 weeks ago.


It's somewhat comforting to note this doesn't affect things like R or Python/Pandas.

https://t.co/i0EjLEyFth
via:packrati.us 
5 weeks ago by cdgrau
wow! didn't know this about csv - can execute formula, make external requests, etc.
injection  security  standards  vulnerability  hacking  design 
5 weeks ago by teffalump
RT : The Absurdly Underestimated Dangers of CSV Injection
from twitter
6 weeks ago by daisyk
CSV injection
csv  security  Excel 
7 weeks ago by lost_in_space
RT : the absurdly underestimated dangers of CSV injection (and how to mitigate them):
programming  security  webdev  from twitter
7 weeks ago by sarcas
The Absurdly Underestimated Dangers of CSV Injection I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think…
IFTTT  Instapaper 
8 weeks ago by ldodds
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. via Pocket
Pocket 
8 weeks ago by driptray
RT : The Absurdly Underestimated Dangers of CSV Injection
from twitter
8 weeks ago by brandizzi
The Absurdly Underestimated Dangers of CSV Injection
security  attackvector  csv  dataInjectionAttack  vector  attack 
8 weeks ago by psychemedia
In fact - in Excel at least - any of the symbols =, -, +, or @ will trigger this behavior causing lots of fun times for administrators whose data just doesn’t seem to format correctly (this is actually what brought my attention first to the issue). And just like that, the attacker has free rein to download a keylogger, install things, and overall remotely execute code not merely on any other person’s computer, but on that of someone guaranteed to have access to all users’ data; for example a manager or a company administrator. The attacker starts the cell with their trusty = symbol prefix and then points IMPORTXML to a server they control, appending as a querystring of spreadsheet data. That information isn’t usually considered secret; it appears in the spreadsheet URLs, and will often be accidentally emailed, or posted in intra-company documentation, relying on Google’s security to ensure only authorized users access that data. That way, if a researcher working on a secret warrant is to view their communication in a spreadsheet, a beacon goes out and the criminal has a canary effectively tipping them off that someone is snooping.
8 weeks ago by sechilds
Any cell that starts with an = is treated as a formula.
You can then execute any formula function.
security  excel  google  csv  injection 
8 weeks ago by drmeme
This isn't frightening at all because CSV exports from XLS don't run the world or anything.
from twitter_favs
9 weeks ago by nowthis
This isn't frightening at all because CSV exports from XLS don't run the world or anything.
from twitter
9 weeks ago by genehack
In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
csv  excel  google  security 
9 weeks ago by ssorc
info leak and code exec
csv  injection  google  excel  command 
9 weeks ago by plaxx
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
excel  security  google 
9 weeks ago by danesparza
You can include an arbitrary formula, VBA script, or even shell command in a CSV file and MS Excel will execute it at load time with the current user's privileges. Oy.

You can't do this with Google Sheets, but you *can* send all the data in the spreadsheet, and any others that user can reach, to some x-random URI. This is not much nicer.
security  excel  csv  shellinjection 
9 weeks ago by yorksranter
The Absurdly Underestimated Dangers of CSV Injection
from twitter_favs
9 weeks ago by reinhard_codes
CSV can be really dangerous.
CSV  attack  hacking 
9 weeks ago by traggett
I thought by now I'd be too jaded to find anything about spreadsheets shocking, but then I read this.
from twitter_favs
9 weeks ago by cpsievert
Dang.
s 
9 weeks ago by jgordon
You can launch the calculator and anything else from a CSV file? Oh. Ouch.
from twitter
9 weeks ago by svensonsan
Interesting explanation of “an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.”
security 
9 weeks ago by shiflett
RT : Well this seems interesting in a bad way
h/t to and his 4 short links
from twitter_favs
9 weeks ago by gnat
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news (Edit: Credit where due, I’ve…
from instapaper
9 weeks ago by nielsk
RT : The Absurdly Underestimated Dangers of CSV Injection
from twitter
9 weeks ago by kejadlen