LinkedIn – CSV Excel formula injection
We are proud to publish an undisclosed vulnerability affecting LinkedIn and in particular its “CSV Export” function.
Following our Vulnerability Disclosure Policy Agreement, LinkedIn Security Team has been informed about this specific issue and this vulnerability will be published without a working PoC.
LinkedIn’s users can exports all their connections into a CSV file, that due to some missing filters (escaping output), could allows an attacker to execute a command on the user machine.
An attacker can create a LinkedIn profile embedding a malicious payload in its details ex. “Company Name“, “Position“, etc.
as soon as the user who has accepted the attacker in his contacts will export and try to open the CSV file he will see a warning message.
Assuming that the content is coming from a trusted source, linkedin.com, the user will skip the warning message and the malicious payload gets executed.
Attack Scenario: An attacker creates a valid profile and add multiple connections, later he will change one of his profile’s field into a malicious payload. From now on, all the users that will export the connection into a CSV file and open it with Microsoft Excel will execute the malicious payload.
Now, imagine if I will embed a malware/trojan as a payload, how many recruiters and executives will give me the access to their company network?
LinkedIn Mitigations: The best and easiest solution is to surround with a double quote all CSV fields.
User Mitigation: do not enable macro or dynamic content coming from an excel file, even if the website is trusted.
by Nitin Goplani & VoidSec