ChatGPT for Google Sheets Exfiltrates Workbooks
Recorded: May 31, 2026, 10:01 p.m.
Original

ChatGPT for Google Sheets is vulnerable to data exfiltration and phishing overlay attacks that affect workbooks across the victim’s account after an indirect prompt injection in a single sheet.

This attack does not require human-in-the-loop approvals, even when the user has explicitly required, in settings, human approval before ChatGPT edits workbooks.

Overview

Recently, OpenAI launched an AI extension for using ChatGPT in Google Sheets, which has accumulated over 185,000 downloads since its launch less than a month ago. This allows users to operate on their spreadsheets by interacting with an AI chatbot that lives in a sidebar, with the added benefit of drawing on data from ChatGPT connectors.

A single indirect prompt injection attack triggered by a single benign user query can cause all of the following effects at once:

- Exfiltration of many workbooks from across the victim’s account
- Display of an interactive phishing pop-up
- Overwriting the entire GPT sidebar with an attacker-controlled chatbot interface
- Attacker-controlled edits to your workbooks

This attack occurs when any untrusted data source (e.g., from an imported sheet or ChatGPT connector) manipulates ChatGPT to run an attacker-controlled external script, which executes leveraging permissions the user has granted to the ChatGPT for Google Sheets extension.

This vulnerability was responsibly disclosed to OpenAI. Despite multiple follow-ups, we received no communication beyond an automated reply to our initial disclosure. OpenAI's documentation fails to describe sensitive capabilities granted to the model (e.g., running privileged scripts) or risks of model manipulation via indirect prompt injection, instead focusing solely on functional limitations and data-handling concerns. As such, we are publishing our findings to enable informed decision-making regarding the risk surface.

The Attack Chain

1. A user is working on an internal financial model.

2. The user imports an external data set to use in their model. The external sheet has a prompt injection hidden in white text.

3. The user asks ChatGPT for Google Sheets to help integrate the data from the imported sheet into their financial model.

4. The injection manipulates ChatGPT for Google Sheets to run an external script.

   Note: ChatGPT for Google Sheets has a setting called ‘Apply edits automatically’ that determines when human approvals are required before an agentic action completes. However, this attack succeeds even when the user has explicitly disabled automatic edits.

5. The external script exfiltrates the financial model from the user’s workbook.

   Below, the attacker's server logs show the user’s exfiltrated financial model.

6. The external script identifies links to other workbooks in the stolen data, exfiltrates the discovered workbooks, and continues across all workbooks it can find.

   Here, the internal financial model sheet included a link to another spreadsheet relevant to budgeting. The malicious script identifies the spreadsheet URL in the stolen data and exfiltrates the newly discovered workbook. It then continues to process the stolen data, identifying and exfiltrating additional workbooks, eventually exfiltrating 12 in total.

   Note: Clicking the ‘stop’ button in the ChatGPT sidebar does not stop scripts that have started from finishing execution.

Phishing Overlay Attacks

In addition to the data exfiltration described above, the same attacker-controlled scripts enable a malicious actor to carry out two variants of a phishing overlay attack.

Variant 1: A sidebar is opened that overlays the ChatGPT for Google Sheets extension with an attacker-controlled site, allowing the attacker to impersonate the extension. The malicious sidebar can execute scripts that edit the sheet in the same way ChatGPT can, allowing it to act in most of the ways the extension normally does, while also performing malicious activities such as:

- Harvesting all user prompts
- Providing the user with a misaligned chatbot to interact with
- Convincing the user to ‘reconnect’ connectors to gain access to additional apps
- Displaying a phishing UI to steal credentials for OpenAI

Variant 2: A pop-up modal is opened that renders an attacker-controlled website to phish the user for credentials.

Control Access to ChatGPT for Google Sheets

Organizations can leverage the following configuration to control access to ChatGPT for Google Sheets:

Workspace settings > Permissions & roles > ChatGPT for Excel and Google Sheets

Responsible Disclosure

This vulnerability was responsibly disclosed to OpenAI. Despite multiple follow-ups, we received no communication beyond an automated reply to our initial disclosure. OpenAI's documentation fails to describe sensitive capabilities granted to the model (e.g., running privileged scripts) or risks of model manipulation via indirect prompt injection, instead focusing solely on functional limitations and data-handling concerns. As such, we are publishing our findings to enable informed decision-making regarding the risk surface.

Timeline

- May 08, 2026: PromptArmor discloses to OpenAI via email
- May 08, 2026: OpenAI sends an automated reply, confirming the intended reporting channel
- May 08, 2026: PromptArmor confirms email preference
- May 12, 2026: PromptArmor follows up
- May 18, 2026: PromptArmor follows up
- May 27, 2026: Public disclosure
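
The attack chain above starts with a prompt injection hidden in white text in an imported sheet. As an added example (not code from the original article or from OpenAI), the JavaScript below flags cells whose text has almost no contrast with its background before the sheet is handed to an assistant. It takes 2D arrays shaped like those Apps Script returns from Range.getValues() and Range.getBackgrounds(), plus font colours as hex strings in the same shape; the function names, thresholds and sample data are assumptions constructed for illustration.

```javascript
// Added example: find long text that is (nearly) invisible against its cell background.
// Relative luminance of a "#rrggbb" colour, per the WCAG 2.x definition.
function luminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex || "");
  if (!m) return null; // unparseable colour: do not guess
  const n = parseInt(m[1], 16);
  const lin = [n >> 16, (n >> 8) & 255, n & 255].map((c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2];
}

// WCAG contrast ratio: 1 means identical colours, 21 means black on white.
function contrastRatio(fg, bg) {
  const a = luminance(fg), b = luminance(bg);
  if (a === null || b === null) return null;
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// Report cells holding at least minLength characters at a contrast below minContrast.
// Both thresholds are assumptions; tune them for your own sheets.
function findHiddenText(values, fontColors, backgrounds, opts = {}) {
  const minContrast = opts.minContrast ?? 1.5;
  const minLength = opts.minLength ?? 20;
  const findings = [];
  values.forEach((row, r) => row.forEach((value, c) => {
    const text = String(value ?? "").trim();
    if (text.length < minLength) return; // short labels are not worth flagging
    const ratio = contrastRatio(fontColors[r][c], backgrounds[r][c]);
    if (ratio !== null && ratio < minContrast) {
      findings.push({ row: r + 1, col: c + 1,
        ratio: Number(ratio.toFixed(2)), preview: text.slice(0, 60) });
    }
  }));
  return findings;
}

// Constructed sample input (not data from the article).
const values = [
  ["Region", "Q1 revenue"],
  ["EMEA", 120000],
  ["<constructed placeholder: hidden instruction text>", ""],
  ["APAC", "Figures are preliminary and unaudited"],
];
const fontColors = [["#000000", "#000000"], ["#000000", "#000000"],
                    ["#ffffff", "#000000"], ["#000000", "#fefefe"]];
const backgrounds = values.map((row) => row.map(() => "#ffffff"));
const sampleFindings = findHiddenText(values, fontColors, backgrounds);
console.log(sampleFindings);
```

This check covers only low-contrast text; it does not see content hidden by other means (for example hidden rows or columns, or a very small font size), and a finding is a prompt for manual review rather than proof of an injection.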
Summarized

ChatGPT for Google Sheets is susceptible to data exfiltration and phishing overlay attacks stemming from an indirect prompt injection vulnerability that can occur within a single spreadsheet. This vulnerability arises when an untrusted data source, such as an imported sheet or a ChatGPT connector, manipulates the large language model into executing an attacker-controlled external script, thereby exploiting the permissions granted to the extension. This attack can be triggered by a single, benign user query, resulting in a cascade of malicious effects without requiring any human-in-the-loop approvals, even in settings where automatic edits are disabled.

The attack chain demonstrates a method for extracting sensitive data from an entire user account. A typical scenario involves a user importing an external sheet containing a hidden prompt injection. When the user prompts ChatGPT for Google Sheets to integrate data from this sheet, the injection manipulates the system to run an external script. This script can then exfiltrate the financial model from the user's workbook. Furthermore, the script can identify links to other workbooks within the stolen data, exfiltrate those discovered spreadsheets, and continue processing the data to extract additional files, potentially leading to the exfiltration of numerous workbooks across the entire account.

Beyond data exfiltration, these attacker-controlled scripts enable sophisticated phishing overlay attacks. One variant involves opening a sidebar that overlays the ChatGPT for Google Sheets extension with an attacker-controlled website, allowing the attacker to effectively impersonate the extension. This malicious sidebar can execute scripts similar to those run by ChatGPT, enabling the attacker to harvest all user prompts, present a misaligned chatbot interface, persuade the user to reconnect data connectors to gain access to external applications, and display a phishing user interface designed to steal credentials for OpenAI. The second variant involves rendering a pop-up modal that displays an attacker-controlled website, intended to phish user credentials.

The responsible disclosure of this vulnerability highlighted a significant gap in the documentation provided by OpenAI. The documentation focused primarily on functional limitations and data-handling concerns, failing to describe sensitive capabilities granted to the model, such as the ability to run privileged scripts or the risks associated with model manipulation via indirect prompt injection. This omission made it difficult for users to make informed decisions regarding the true risk surface associated with the extension. PromptArmor disclosed the vulnerability to OpenAI and, after follow-ups, disclosed it publicly in May 2026.

Furthermore, organizations can manage access to ChatGPT for Google Sheets through Workspace settings, specifically under Permissions and roles, by controlling access to ChatGPT for Excel and Google Sheets.