Blog | G5 Cyber Security

CSV File Security Risks

TL;DR

Yes, CSV files can contain malicious code, usually in the form of formulas or scripts that are executed when opened in spreadsheet software like Microsoft Excel or Google Sheets. This is a serious cyber security risk. We’ll show you how to identify and mitigate these risks.

How CSVs Can Be Dangerous

CSV (Comma Separated Values) files themselves are just plain text. However, when opened in spreadsheet programs, they can be interpreted as more than simple data. Here’s how problems arise:

Identifying Potentially Malicious CSV Files

  1. Source: Be extremely cautious about opening CSV files from unknown or untrusted sources. This is the most important step!
  2. File Extension: Double-check the file extension. A file named report.csv.exe is definitely not a simple CSV and should never be opened.
  3. Open in Text Editor First: Before opening in a spreadsheet program, open the CSV file in a plain text editor (like Notepad on Windows or TextEdit on macOS). Look for suspicious patterns:
    • Formulas starting with =: Any cell value beginning with an equals sign (=) is likely a formula. Examine it carefully.
      =cmd|' /C calc'!A1

      This example attempts to run the calculator application.

    • Unusual Characters: Look for strange or unexpected characters that don’t seem like data.
    • Embedded Scripts: While rare in plain CSV, check for any script-like code (e.g., JavaScript).
  4. Preview with Online Tools: Use an online CSV viewer to preview the file’s contents without opening it in your spreadsheet software. This can help identify formulas or other potentially dangerous elements.

Mitigating Risks

  1. Disable Automatic Formula Calculation: In Excel, disable automatic calculation of formulas:
    • Go to File > Options > Formulas.
    • Under Calculation options, select Manual.

    This forces you to explicitly approve any formula calculations.

  2. Disable Macros: Disable macros in Excel:
    • Go to File > Options > Trust Center > Trust Center Settings....
    • Under Macro Settings, select Disable all macros with notification or Disable all macros without notification (the latter is more secure).
  3. Block DDE: In newer versions of Excel, DDE is disabled by default. However, if you’re using an older version:
    • Go to File > Options > Advanced.
    • Under General, uncheck Allow DDE connections.
  4. Use a Dedicated CSV Parser: For programmatic processing of CSV files, use a dedicated CSV parsing library in your programming language (e.g., Python’s csv module) instead of directly opening the file in a spreadsheet program.
    import csv

    # newline='' lets the csv module handle line breaks inside quoted fields itself
    with open('my_file.csv', 'r', newline='', encoding='utf-8') as file:
        reader = csv.reader(file)
        for row in reader:
            print(row)  # each row is a plain list of strings; nothing is evaluated
  5. Keep Software Updated: Regularly update your spreadsheet software to benefit from the latest security patches.
  6. Cyber Security Awareness Training: Educate yourself and others about the risks of opening files from untrusted sources.
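Step 3 of the identification list (look for cells that begin with =) and step 4 of the mitigation list (parse with a dedicated library instead of a spreadsheet) can be combined into one small checker. The following is an added example written for this page, not code from the G5 Cyber Security post. The SAMPLE_CSV data is constructed; the trigger set goes beyond the post's = to include +, -, @, tab and carriage return, which spreadsheet software also treats as formula starts; and the neutralization step (prefixing a flagged cell with a single quote so the spreadsheet stores it as text) follows OWASP's CSV injection guidance rather than anything the post describes.

```python
import csv
import io

# Added example (not the post's code). Leading characters that make Excel,
# LibreOffice Calc or Google Sheets evaluate a cell as a formula instead of
# displaying it. '=' is the one the post names; '+', '-', '@', tab and
# carriage return are also interpreted as formula starts.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_numeric(value: str) -> bool:
    """True for values such as -12.50 that start with a trigger but are just numbers."""
    try:
        float(value)
    except ValueError:
        return False
    return True


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than show it as text."""
    stripped = value.lstrip(" ")  # spreadsheets ignore leading spaces
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    # A negative number also starts with '-' but is ordinary data, not a formula.
    return not looks_numeric(stripped)


def parse_rows(text: str) -> list[list[str]]:
    """Parse CSV text with the csv module, so a formula hidden inside a quoted
    field is still seen as the cell value the spreadsheet would receive."""
    return list(csv.reader(io.StringIO(text, newline="")))


def scan_csv(text: str) -> list[tuple[int, int, str]]:
    """List (row, column, value) for every cell that would run as a formula.
    Positions are 1-based to match what a spreadsheet displays."""
    findings = []
    for row_no, row in enumerate(parse_rows(text), start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                findings.append((row_no, col_no, cell))
    return findings


def neutralize_csv(text: str) -> str:
    """Rewrite the CSV so flagged cells are stored as literal text.

    Each flagged cell gets a leading single quote (OWASP's recommended
    neutralization); clean cells pass through unchanged. The csv writer
    re-quotes any field that needs it.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for row in parse_rows(text):
        writer.writerow(["'" + cell if is_formula_cell(cell) else cell
                         for cell in row])
    return out.getvalue()


# Constructed sample (not a real export): one legitimate negative number and
# three injected cells, including the DDE payload quoted in the post.
SAMPLE_CSV = (
    "name,amount,note\n"
    "Alice,-12.50,refund\n"
    "Bob,40,\"=cmd|' /C calc'!A1\"\n"
    "Carol,7,@SUM(A1:A2)\n"
    "Dave,3,  =1+1\n"
)

if __name__ == "__main__":
    for row_no, col_no, value in scan_csv(SAMPLE_CSV):
        print(f"row {row_no}, column {col_no}: {value!r}")
    print(neutralize_csv(SAMPLE_CSV))
```

Run against the sample, the scanner reports the three injected cells and leaves Alice's -12.50 alone, which is the false positive a naive "starts with =, +, -" check would raise. The neutralized output is safe to hand to a spreadsheet user for viewing, but it is not a faithful copy of the data: depending on the product the added apostrophe may stay visible in the cell, so keep the original file for any processing done with the csv module.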