Indirect prompt injection in ChatGPT for Google Sheets exfiltrates entire workbook trees

PromptArmor researchers showed that OpenAI’s ChatGPT extension for Google Sheets, which racked up 185,000 downloads within a month of launch, could be hijacked by a single indirect prompt injection hidden in an imported sheet. When a user asked the assistant to help integrate that data, the injection instructed it to run an attacker-controlled external script, which then siphoned the active financial model to a remote server, walked links inside the stolen data to discover related spreadsheets, and continued pulling them until twelve workbooks had been exfiltrated. The ‘Apply edits automatically’ setting that is supposed to gate agentic actions behind human approval offered no protection, and the sidebar’s stop button did not halt scripts already running.

The same primitive enabled phishing overlays: attackers could replace the ChatGPT sidebar with their own chatbot UI to harvest prompts, push fake reconnect flows to grab additional connector scopes, or pop a modal that phishes OpenAI credentials. The root cause was the extension’s ability to generate and execute Apps Script with the user’s granted permissions, a capability OpenAI’s documentation never disclosed and which bypassed the product’s own consent controls.

PromptArmor disclosed on May 8, 2026 and got only an automated acknowledgement despite multiple follow-ups, then went public on May 27. OpenAI replied on May 31, blamed a gap in its disclosure pipeline, and said it has stripped the model’s ability to emit Apps Script code while it re-reviews sandboxing for similar surfaces.