CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:
- Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524
- Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website
- Exfiltrating contents from the spreadsheet, or other open spreadsheets.
This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
- Equals to ("=")
- Plus ("+")
- Minus ("-")
- At ("@")
For further information, please refer to the following articles: