
One Hidden Prompt in a Spreadsheet, and ChatGPT Leaks Your Entire Google Drive

185,000 downloads, zero human-approval enforcement, and a prompt injection that cascades through every spreadsheet you own. OpenAI's latest security headache, explained.

Tags: AI Security, Prompt Injection, ChatGPT, Google Sheets, Data Exfiltration


Security firm PromptArmor disclosed a vulnerability in OpenAI’s ChatGPT for Google Sheets extension — less than a month old with 185,000+ downloads — that allows a single hidden prompt injection in a spreadsheet cell to exfiltrate workbooks across the victim’s entire Google account, display phishing overlays, and overwrite the ChatGPT sidebar with an attacker-controlled chatbot. OpenAI has now removed the model’s ability to generate Apps Script code in response.

🔍 THE BOTTOM LINE

The same class of indirect prompt injection that hit Ramp’s Sheets AI and Microsoft Copilot Cowork has now hit the biggest AI company’s own spreadsheet product — and OpenAI’s “human approval required” setting didn’t actually stop it.


What Happened

PromptArmor published research on June 1, 2026, demonstrating that ChatGPT for Google Sheets is vulnerable to a cascading data exfiltration attack triggered by a single indirect prompt injection. The attack works like this:

  1. A user imports an external spreadsheet (say, market data from a vendor)
  2. That spreadsheet contains a prompt injection hidden in white text
  3. The user asks ChatGPT to help integrate the imported data
  4. The injection manipulates ChatGPT into generating and running an external Google Apps Script
  5. The script exfiltrates the current workbook — then follows links to other workbooks, exfiltrating up to 12 spreadsheets across the victim’s account
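
Step 2 depends on text the user cannot see. The JavaScript below is an added example, not code from PromptArmor's report or from OpenAI's extension: it flags non-empty text cells whose font colour is nearly indistinguishable from the background, generalizing from white-on-white to any low-contrast pair using the WCAG contrast ratio. The function names, the 1.5 threshold and the sample sheet are assumptions made for illustration.

```javascript
// Added example: flag spreadsheet cells whose text is effectively invisible.
// Inputs are parallel 2D arrays (values, font colours, backgrounds as hex
// strings), the shape Range.getValues() and Range.getBackgrounds() return.

// Parse "#rrggbb" or "#rgb" into [r, g, b] in 0..255; null if not a hex colour.
function parseHex(hex) {
  const m = /^#([0-9a-f]{3}|[0-9a-f]{6})$/i.exec(String(hex).trim());
  if (!m) return null;
  const h = m[1].length === 3 ? m[1].replace(/./g, "$&$&") : m[1];
  return [0, 2, 4].map(i => parseInt(h.slice(i, i + 2), 16));
}

// WCAG 2.x relative luminance of an sRGB colour.
function luminance([r, g, b]) {
  const lin = c => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

// WCAG contrast ratio, from 1 (identical colours) to 21 (black on white).
function contrastRatio(fg, bg) {
  const [hi, lo] = [luminance(fg), luminance(bg)].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

// Return every non-empty text cell whose contrast is below minRatio.
// Unparseable colours are flagged too (fail closed), with ratio null.
function findHiddenTextCells(values, fontColors, backgrounds, minRatio = 1.5) {
  const findings = [];
  values.forEach((row, r) => row.forEach((value, c) => {
    if (typeof value !== "string" || value.trim() === "") return;
    const fg = parseHex(fontColors[r][c]);
    const bg = parseHex(backgrounds[r][c]);
    const ratio = fg && bg ? contrastRatio(fg, bg) : null;
    if (ratio === null || ratio < minRatio) {
      findings.push({ row: r + 1, col: c + 1, ratio, text: value });
    }
  }));
  return findings;
}

// Constructed sample: a vendor sheet with one white-on-white cell.
const SAMPLE = {
  values: [["Ticker", "Price", ""], ["ACME", 12.5, "note for the assistant (constructed placeholder)"]],
  fontColors: [["#000000", "#000000", "#000000"], ["#000000", "#000000", "#ffffff"]],
  backgrounds: [["#ffffff", "#ffffff", "#ffffff"], ["#ffffff", "#f3f3f3", "#fff"]],
};
```

Running `findHiddenTextCells(SAMPLE.values, SAMPLE.fontColors, SAMPLE.backgrounds)` reports only the cell at row 2, column 3, which can then be reviewed or stripped before the sheet is handed to an assistant.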

The critical detail: ChatGPT for Google Sheets has a setting called “Apply edits automatically” that ostensibly requires human approval before the AI takes agentic actions. PromptArmor found that the attack succeeds even when the user has explicitly disabled automatic edits. The “stop” button in the sidebar also doesn’t stop scripts that have already started.

The Phishing Angle

As if data exfiltration wasn’t enough, the same attack vector enables two phishing overlay variants:

  • Sidebar takeover: The ChatGPT sidebar gets replaced with an attacker-controlled interface that can harvest user prompts, serve a misaligned chatbot, or prompt the user to “reconnect” connectors for additional app access
  • Credential phishing pop-up: A modal renders an attacker-controlled website designed to steal OpenAI credentials

OpenAI’s Response

OpenAI security team member Max responded on the Hacker News thread:

“We appreciate the security research here, and it’s unfortunate this one slipped through a crack in our disclosure pipeline. As we’re now aware of this report, we’ve taken immediate steps to protect users against potential attacks in this area by removing the model’s ability to generate Apps Script code, which should eliminate the risk to users of ChatGPT for Google Sheets.”

The response acknowledges that PromptArmor’s responsible disclosure — which received only automated replies from OpenAI — “slipped through a crack.” OpenAI says it’s re-evaluating its sandboxing approach and doing a “re-review of similar functionality in other surfaces.”

The Pattern: This Keeps Happening

This isn’t an isolated incident. PromptArmor has now demonstrated the same class of indirect prompt injection attack against three major AI-spreadsheet integrations:

| Product | Date | Attack Vector |
|---|---|---|
| Ramp Sheets AI | April 2026 | External formula insertion without approval |
| Microsoft Copilot Cowork | May 2026 | Teams message → SharePoint/OneDrive exfiltration |
| ChatGPT for Google Sheets | June 2026 | Apps Script generation → cross-workbook exfiltration |

What is indirect prompt injection? Indirect prompt injection is an attack where untrusted data (like a spreadsheet cell, a PDF, or an email) contains hidden instructions that manipulate an AI model into performing actions the user didn’t intend. Unlike direct prompt injection (where the user themselves types malicious instructions), indirect injection comes from external data sources the AI reads.

The HN discussion hits the uncomfortable truth: several commenters argue that prompt injection may be fundamentally unsolvable for current LLM architectures, because the model has no reliable way to distinguish “data” from “instructions” — they’re all tokens in the same context window.

What This Means

For enterprises using ChatGPT for Google Sheets, the immediate action is clear: check your Google Workspace admin settings under Permissions & roles > ChatGPT for Excel and Google Sheets and restrict access if you haven’t already. OpenAI’s patch removes Apps Script generation, but the broader class of prompt injection attacks against agentic AI tools remains unpatched — because it may be unpatchable.

The deeper question is whether bolting AI agents onto productivity tools with privileged API access is architecturally sound at all. When “help me format this data” can cascade into “exfiltrate 12 workbooks,” the problem isn’t a bug — it’s a design assumption that AI can reliably distinguish between helpful work and malicious instructions embedded in the data it’s processing.

❓ Frequently Asked Questions

Q: Has OpenAI fixed the vulnerability? Partially. OpenAI has removed the model’s ability to generate Apps Script code, which eliminates this specific attack vector. However, the broader prompt injection risk remains, and OpenAI is still re-evaluating its sandboxing approach.

Q: Does the “require human approval” setting protect me? According to PromptArmor’s research, no — the attack bypasses this setting entirely. This is the most alarming finding: a security control that OpenAI’s documentation implies will protect you doesn’t actually stop the attack.

Q: What should NZ organisations do? Audit any Google Workspace installations of ChatGPT for Google Sheets immediately. Check Workspace admin settings and restrict the extension if sensitive data is involved. Consider whether AI spreadsheet integrations with broad API permissions are appropriate for your risk profile.

🔍 THE BOTTOM LINE

Three prompt injection attacks on AI spreadsheet tools in three months. The patch cycle is faster, but the vulnerability class might be permanent. If you’re giving an AI agent write access to your documents, you’re betting that prompt injection is solvable — and the smart money says it isn’t.


SOURCES

  • PromptArmor: ChatGPT for Google Sheets Exfiltrates Workbooks
  • Hacker News discussion (104 points)
  • OpenAI security team response via HN
  • Previous Singularity.Kiwi coverage: Ramp Sheets AI, Microsoft Copilot Cowork