OpenAI has stripped a capability from its ChatGPT for Google Sheets extension after security researchers showed it could be hijacked to steal a user’s spreadsheets without permission. According to Hacker News, where the disclosure from PromptArmor climbed to a top spot, a single malicious instruction hidden inside untrusted data could trigger mass exfiltration of workbooks, fake phishing pop-ups, and attacker-controlled edits, all from one harmless-looking user query. What stands out here is that the attack worked even when users had explicitly turned off automatic edits and required human approval first.
This matters because the extension isn’t a fringe experiment. It’s racked up more than 185,000 downloads since launching less than a month ago, and it sits in the sidebar of Google Sheets with access to your data and your ChatGPT connectors.
What actually happened
The weakness is a classic indirect prompt injection. Here’s the chain in plain terms:
- An untrusted source feeds poisoned text into the model. That could be an imported sheet or data pulled through a ChatGPT connector.
- The hidden instructions tell ChatGPT to run an attacker-controlled external script.
- The script executes using the permissions you already granted the extension.
From there, the damage compounds. In the researchers’ demo, the script grabbed a financial model, spotted a link inside it pointing to another spreadsheet, and followed that trail to steal even more. It kept going until it had exfiltrated 12 workbooks in total. The attacker’s server logs showed the stolen financial model sitting there in plain view.
Two phishing tricks rode along with the data theft:
- Overlay impersonation: The attacker can paint a fake sidebar over the real ChatGPT extension, harvest every prompt you type, push a misaligned chatbot at you, and prompt you to “reconnect” connectors to widen access.
- Credential pop-up: A modal renders an attacker-controlled website designed to steal your OpenAI login.
One more unsettling detail: clicking “stop” in the ChatGPT sidebar doesn’t halt a script that’s already running. Once it starts, it finishes.
How OpenAI responded
The disclosure timeline tells its own story. PromptArmor reported the flaw on May 8, 2026, got an automated reply, then followed up on May 12 and May 18 with no real human response. They went public on May 27. OpenAI finally responded on May 31.
In that statement, OpenAI said the report “slipped through a crack in our disclosure pipeline” and that it has “taken immediate steps to protect users” by removing the model’s ability to generate Apps Script code, which it says “should eliminate the risk to users of ChatGPT for Google Sheets.” The company added it’s re-evaluating its sandboxing approach and doing a “re-review of similar functionality in other surfaces.”
Why this should worry practitioners
Prompt injection isn’t theoretical anymore. As AI assistants get write access to your files, your email, and your connected apps, the blast radius of a single poisoned input grows fast. This case is a clean example: the user did nothing wrong, the approval setting was on, and the data still walked out the door.
It also exposes a documentation gap. PromptArmor noted that OpenAI’s docs described functional limits and data-handling but never spelled out that the model could run privileged scripts or be manipulated through injection. If you’re deciding whether to trust an AI integration, that’s exactly the risk you need disclosed.
What to do now
If your team uses ChatGPT in Google Sheets, take a few practical steps:
- Admins can control access through Workspace settings, under Permissions and roles, then ChatGPT for Excel and Google Sheets.
- Treat any imported sheet or connector data as untrusted input, not just numbers.
- Audit which connectors the extension can reach and trim anything you don’t need.
The broader lesson is bigger than one extension. Every AI tool you grant file access and execution rights to is now part of your attack surface. OpenAI’s fix here was to remove a capability, which tells you how hard prompt injection is to defend against once an agent can run code. Expect more disclosures like this as agentic features spread across productivity apps. Full technical details are at the original source.