Dangers of CSV injection

Posted to Data Sharing  |  Tags: ,  |  Nathan Yau

George Mauer highlights how a hacker might access other people’s data by putting an equal sign in a CSV file, so that an import to Microsoft or Google Sheets runs a value as a formula, even if it’s quoted as a string.

The attacker starts the cell with their trusty = symbol prefix and then points IMPORTXML to a server they control, appending as a querystring of spreadsheet data. Now they can open up their server log and bam! Data that isn’t theirs. Try it yourself with a Requestb.in.

The ultra sinister thing here? No warnings, no popups, no reason to think that anything is amiss. The attacker just enters a similarly formatted time/issue/whatever entry, eventually an administrator attempts to view a CSV export and all that limited-access data is immediately, and queitly sent away.

Oh goody.


How You Will Die

So far we’ve seen when you will die and how other people tend to die. Now let’s put the two together to see how and when you will die, given your sex, race, and age.

10 Best Data Visualization Projects of 2015

These are my picks for the best of 2015. As usual, they could easily appear in a different order on a different day, and there are projects not on the list that were also excellent.

Think Like a Statistician – Without the Math

I call myself a statistician, because, well, I’m a statistics graduate student. However, the most important things I’ve learned are less formal, but have proven extremely useful when working/playing with data.

Years You Have Left to Live, Probably

The individual data points of life are much less predictable than the average. Here’s a simulation that shows you how much time is left on the clock.