ChatGPT for Google Sheets Lets Attackers Steal Your Data

Key Takeaways

- A prompt injection hidden in imported data can exfiltrate workbooks across a user's entire Google account
- The attack bypasses human-approval settings users explicitly enabled for security
- OpenAI has removed the extension's ability to generate Apps Script code after public disclosure
OpenAI's ChatGPT extension for Google Sheets has a security flaw that lets attackers steal workbooks from across a user's entire account. The attack requires nothing more than a hidden prompt injection in an imported spreadsheet. Even when users explicitly require human approval before ChatGPT edits their workbooks, the attack bypasses that setting entirely.
Security firm PromptArmor discovered the vulnerability and disclosed it to OpenAI. After receiving only an automated reply despite multiple follow-ups, PromptArmor published their findings. OpenAI has since responded by removing the extension's ability to generate Apps Script code.
How the Attack Works
The ChatGPT for Google Sheets extension launched less than a month ago and has already accumulated over 185,000 downloads. It adds a sidebar chatbot that can operate on spreadsheets and pull data from ChatGPT connectors. That convenience creates the attack surface.
Here's the attack chain: A user works on an internal financial model. They import an external dataset to use in their analysis. That external sheet contains a prompt injection hidden in white text, invisible to the human eye but readable by ChatGPT. When the user asks ChatGPT for help integrating the imported data, the hidden instructions trigger.

The prompt injection manipulates ChatGPT to run an attacker-controlled external script. That script executes using the permissions the user granted to the extension. A single successful injection can trigger multiple effects simultaneously:
- Exfiltration of many workbooks from across the victim's account
- Display of an interactive phishing pop-up
- Overwriting the entire GPT sidebar with an attacker-controlled chatbot interface
- Attacker-controlled edits to victim workbooks

Zero Human Approval Required
The most alarming aspect: this attack requires zero human-in-the-loop approvals. Users who explicitly configured the extension to require approval before edits remain vulnerable. The security setting simply does not protect against this attack vector.
“The risk is not just the current document; it is the entire connected ecosystem of the user's data that becomes an attack vector once an LLM agent is given broad read/write permissions.”
— Security Researcher, PromptArmor
When a user grants an AI extension OAuth permissions to their Google Workspace, they grant access to 100% of their sensitive workbooks. That permission scope turns a single compromised cell into a gateway to the victim's entire cloud storage environment.
OpenAI's Response
OpenAI acknowledged the issue only after PromptArmor published their findings. The company called it "unfortunate this one slipped through a crack in our disclosure pipeline." That phrasing drew criticism from the security community, who noted the disclosure received only an automated reply despite multiple follow-ups.
OpenAI has taken an immediate step: removing the model's ability to generate Apps Script code, which should eliminate the specific risk. The company says it is re-evaluating its sandboxing approach and reviewing similar functionality in other products.
OpenAI's documentation for the extension failed to describe sensitive capabilities granted to the model, such as running privileged scripts. It also did not mention risks of model manipulation via indirect prompt injection. The documentation focused solely on functional limitations and data-handling concerns.
The Broader Problem: Indirect Prompt Injection
This vulnerability highlights a critical security flaw affecting AI-integrated tools broadly. Indirect prompt injection occurs when malicious data disguised as benign input hijacks an AI agent's behavior. The user never sees the hidden instructions. The AI simply follows them.
Hacker News discussions called this a "nightmare scenario" for AI extensions. Commenters argued that the convenience of integrating AI directly into office suites currently outweighs the security controls in place. The permission models that worked for traditional extensions fail to account for AI agents that interpret data as instructions.
What Users Should Do Now
If you installed ChatGPT for Google Sheets, the immediate risk should be mitigated by OpenAI's removal of Apps Script generation. But the broader lesson applies to any AI extension with broad permissions.
- Review OAuth permissions granted to AI extensions in your Google account
- Avoid importing untrusted external data sources into sheets connected to AI tools
- Treat AI extensions as having full access to everything they can touch, regardless of security settings
- Monitor extension activity and audit logs for unexpected script executions
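
One way to screen imported data for the hidden white text described above before an AI tool reads it. This is an added example, not code from PromptArmor or OpenAI. The function names and the 1.5 contrast threshold are assumptions, and the inputs mirror the 2D arrays Apps Script returns from Range.getValues(), Range.getFontColors() and Range.getBackgrounds().

```javascript
// Flag cells whose text is (nearly) invisible against the cell background.
// Colours are expected as "#rrggbb" hex strings.

// WCAG relative luminance of a "#rrggbb" colour; null if the format is unknown.
function luminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex || "");
  if (!m) return null;
  const n = parseInt(m[1], 16);
  const chan = [(n >> 16) & 255, (n >> 8) & 255, n & 255].map((c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * chan[0] + 0.7152 * chan[1] + 0.0722 * chan[2];
}

// WCAG contrast ratio: 1 for identical colours, 21 for black on white.
function contrastRatio(fg, bg) {
  const a = luminance(fg), b = luminance(bg);
  if (a === null || b === null) return null;
  const hi = Math.max(a, b), lo = Math.min(a, b);
  return (hi + 0.05) / (lo + 0.05);
}

// Return every non-empty cell whose text contrast is below minRatio.
// Cells with unparseable colours are skipped, so review those separately.
function findHiddenText(values, fontColors, backgrounds, minRatio = 1.5) {
  const hits = [];
  values.forEach((row, r) => row.forEach((value, c) => {
    const text = String(value ?? "").trim();
    if (!text) return;
    const ratio = contrastRatio(fontColors[r][c], backgrounds[r][c]);
    if (ratio !== null && ratio < minRatio) {
      hits.push({ row: r + 1, col: c + 1, ratio: Number(ratio.toFixed(2)), text });
    }
  }));
  return hits;
}

// Constructed sample: a 3x2 imported range. Row 3 holds one white-on-white
// cell and one near-white (#fefefe) cell; the text is a harmless placeholder.
const values = [["Region", "Revenue"], ["EMEA", 1200],
                ["[constructed hidden note]", "[constructed hidden note 2]"]];
const fonts = [["#000000", "#000000"], ["#000000", "#000000"], ["#ffffff", "#fefefe"]];
const fills = [["#ffffff", "#ffffff"], ["#ffffff", "#ffffff"], ["#ffffff", "#ffffff"]];
console.log(findHiddenText(values, fonts, fills));
```

Using a contrast ratio rather than an exact colour match also catches near-white text such as #fefefe on a white fill, which an equality check would miss.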
Frequently Asked Questions
Is ChatGPT for Google Sheets still safe to use?
OpenAI has removed the vulnerable Apps Script functionality, which should eliminate this specific attack. However, the broader risk of indirect prompt injection remains for any AI tool processing untrusted data.
How can I tell if I was affected by this vulnerability?
Check your Google account activity for any unexpected script executions or file access. Review the OAuth permissions you granted to the ChatGPT for Google Sheets extension.
What is indirect prompt injection?
It's an attack where malicious instructions are hidden in data an AI processes. The user never sees these instructions, but the AI follows them, potentially exfiltrating data or performing unauthorized actions.
Do human approval settings protect against this attack?
No. PromptArmor's research showed the attack bypasses user-enabled approval requirements entirely.
Are other AI extensions vulnerable to similar attacks?
Any AI extension with broad permissions that processes untrusted data could potentially be vulnerable. OpenAI says it is reviewing similar functionality across other products.
Source: Hacker News: Best
Manaal Khan
Tech & Innovation Writer