
Can text files be trusted?

TXT files are usually seen as safe—but are they really?

Employees who receive e-mail from outside the organization are usually warned about which attachments are risky. EXE files are treated as unsafe, and Office documents such as DOCX or XLSX files are also considered dangerous because they may carry malicious macros. Plain text files, by contrast, are generally considered safe because they contain nothing but text. That assumption does not always hold.

Researchers found a way to turn a text file into an attack vector through a flaw (now fixed) in the application that opens it, and it is possible that more such flaws exist. The problem is not the TXT format itself, which really is just bytes of text, but how a particular application decides to interpret a file that carries the .txt extension.

macOS’s CVE-2019-8761 vulnerability

Paulos Yibelo described an unusual way of attacking macOS systems with text files. Like many security controls, macOS's Gatekeeper treats text files as harmless, so a downloaded .txt file opens in TextEdit without any additional warning.

TextEdit, however, is considerably more capable than Windows' Notepad. It handles rich text with bold type, colored fonts and other styling, and it can render HTML. A plain TXT file has no way to carry style information, so TextEdit does not rely on the extension alone; it looks at the content to decide how to render the file. If a .txt file begins with <!DOCTYPE HTML><html><head></head><body>, TextEdit parses the HTML tags that follow even though the file is named .txt.

In short, a text file whose first line is that HTML preamble makes TextEdit process the rest of the file as HTML, at least partially: TextEdit is not a full browser engine, but it honors enough of the markup to matter.

Potential attacks via text files

Exploring what that partial HTML rendering permits, Yibelo found that the vulnerability could be used for:

  • DoS attacks: Gatekeeper does not block a local TXT file from opening, and the embedded HTML can reference local paths. A malicious file that makes TextEdit read /dev/zero, a device that returns an endless stream of null bytes, ties up the application and exhausts the machine's resources.
  • Discovering a user's real IP address: markup that points at a path handled by AutoFS, the macOS automounter that mounts file systems on demand, makes the system try to mount the remote share it refers to. That mount attempt is a TCP connection from the victim's machine to the attacker's host, so it reveals the user's real IP address even when the user's ordinary traffic goes through a proxy.
  • File theft: text files containing <iframedoc> markup can load files from the victim's computer into the rendered document and exfiltrate their contents through a dangling markup attack; the victim only has to open the file.
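The behaviour the page describes, a .txt file that TextEdit renders as HTML because of its first bytes, is exactly the kind of thing a mail gateway or endpoint rule should look for instead of trusting the extension. The following Python scanner is an added example, not code from this page, from Apple, or from Paulos Yibelo's post. It sniffs for the HTML preamble at the start of the file and then flags markers matching the three attack classes above. The preamble regex (tolerating a BOM and leading whitespace), the marker patterns (file:///dev/zero, an AutoFS path under /net/, and iframe or base tags), the sample attachments, and the 203.0.113.5 address are all constructed assumptions for illustration, not signatures from any vendor.

```python
"""Heuristic scanner for .txt attachments that TextEdit would render as HTML.

Added example for this article; not part of the original page, Apple's code,
or Paulos Yibelo's research. All patterns and samples below are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# TextEdit-style sniff: the file "begins with" an HTML preamble. Allowing an
# optional BOM and leading whitespace is an assumption about how tolerant the
# sniffing is; the page only says the file starts with the doctype line.
HTML_PREAMBLE = re.compile(r"\ufeff?\s*<(?:!doctype\s+html|html)\b", re.IGNORECASE)

# Markers for the three attack classes described above. Assumed patterns for
# illustration: /net/<host>/... is the macOS automounter path used here as a
# stand-in for "a path that makes AutoFS mount a remote file system".
SUSPICIOUS_MARKERS = {
    "dev-zero DoS": re.compile(r"file:/+dev/zero", re.IGNORECASE),
    "AutoFS mount (IP leak)": re.compile(r"file:/+net/[^\s\"'<>]+", re.IGNORECASE),
    "iframe/base (file theft)": re.compile(r"<(?:iframe|base)\b", re.IGNORECASE),
}


@dataclass
class Verdict:
    renders_as_html: bool
    findings: list[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        # Only a file TextEdit will render as HTML can carry these attacks,
        # so plain text with the same strings in it is not flagged.
        return self.renders_as_html and bool(self.findings)


def scan_text(data: bytes) -> Verdict:
    """Classify the raw bytes of a text file."""
    text = data.decode("utf-8", errors="replace")
    if not HTML_PREAMBLE.match(text):
        # Plain text, or HTML that only appears later in the file: shown as text.
        return Verdict(renders_as_html=False)
    findings = [label for label, pat in SUSPICIOUS_MARKERS.items() if pat.search(text)]
    return Verdict(renders_as_html=True, findings=findings)


def scan_attachment(filename: str, data: bytes) -> Verdict | None:
    """Scan only the attachments a naive filter would wave through as 'just text'."""
    if not filename.lower().endswith(".txt"):
        return None  # other types are handled by the existing EXE/Office rules
    return scan_text(data)


# Constructed sample attachments (not real malware samples).
SAMPLES = {
    # Ordinary notes: never rendered as HTML.
    "notes.txt": b"Meeting notes\n- budget\n- hiring\n",
    # HTML preamble but nothing dangerous: rendered as HTML, yet benign.
    "readme.txt": b"<!DOCTYPE HTML><html><head></head><body><b>Hello</b></body></html>",
    # Preamble (with BOM) plus a /dev/zero reference: the DoS case.
    "invoice.txt": (b"\xef\xbb\xbf<!DOCTYPE HTML><html><head></head><body>"
                    b'<iframe src="file:///dev/zero"></iframe></body></html>'),
    # Preamble plus an AutoFS path; 203.0.113.5 is a documentation address.
    "report.txt": (b"<html><body>"
                   b'<img src="file:///net/203.0.113.5/share/logo.png"></body></html>'),
    # HTML tags that appear after plain text: not sniffed as HTML.
    "mixed.txt": (b"Just text first\n"
                  b'<html><body><iframe src="file:///dev/zero"></iframe></body></html>'),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = scan_attachment(name, data)
        print(f"{name:12} html={v.renders_as_html!s:5} risky={v.risky!s:5} {v.findings}")
```

The scanner deliberately keys on the rendering decision first: a file full of iframe tags that does not start with the preamble is still plain text to TextEdit, while a file that starts with the preamble deserves the same scrutiny as an .html attachment. In a real gateway the preamble check would be backed by the application's actual sniffing rules rather than the assumed regex, and the marker list would be a starting point rather than a complete signature set.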

This vulnerability was reported to Apple in December 2019 and assigned CVE-2019-8761. More details are available in Paulos Yibelo’s post.