ChatGPT for Google Sheets Found Exfiltrating Workbooks via Single Prompt Injection

 

ChatGPT for Google Sheets Found Exfiltrating Workbooks via Single Prompt Injection

Security research firm PromptArmor has publicly disclosed a critical data exfiltration vulnerability in OpenAI's ChatGPT for Google Sheets extension. The disclosure has driven search interest across multiple countries, with Kiolix Pulse recording over 333,700 combined Google Trends searches across 9 of the 27 countries it tracks. On Hacker News, the story reached rank #16 with 319 points.

Search Interest by Region

According to Kiolix Pulse data, "chatgpt"-related searches spiked in the following regions:

Country Google Trends Interest
🇮🇳 India 200,000+
🇬🇧 United Kingdom 100,000+
🇹🇷 Turkey 25,000+
🇵🇰 Pakistan 5,000+
🇺🇸 United States 2,000+
🇸🇦 Saudi Arabia 1,000+
🇪🇬 Egypt 500+
🇷🇺 Russia 200+

India and the UK account for the overwhelming majority of search volume, with Turkey rounding out the top three.

The Vulnerability: One Injected Cell, Multiple Workbooks Stolen

PromptArmor's research shows that the ChatGPT for Google Sheets extension is vulnerable to indirect prompt injection attacks. A single malicious prompt embedded in any untrusted data source — such as an imported sheet or a ChatGPT connector — can simultaneously trigger all of the following:

  • Exfiltration of multiple workbooks across the victim's entire Google account
  • Display of an interactive phishing pop-up
  • Replacement of the GPT sidebar with an attacker-controlled chatbot interface
  • Unauthorized edits to workbook contents

What makes the finding particularly notable is that the attack bypasses human-in-the-loop approval controls even when users have explicitly enabled the setting requiring manual approval before ChatGPT edits workbooks. The extension had accumulated over 185,000 downloads in less than a month since launch.

Attack Chain: Privileged Script Execution via Injected Data

The attack exploits permissions that users grant to the extension during installation. When ChatGPT processes a sheet containing attacker-controlled instructions — delivered through an external data import or connector — it can be manipulated into running a privileged Google Apps Script. That script then operates with the full scope of permissions the user previously granted, pulling data from workbooks across the account without further user interaction.

OpenAI's Response: Three Weeks of Silence, Action After Public Disclosure

PromptArmor followed responsible disclosure practices, reporting the vulnerability to OpenAI on May 8, 2026. OpenAI responded the same day with an automated acknowledgement. Follow-up messages sent on May 12 and May 18 received no substantive reply. After nearly three weeks without a response, PromptArmor published its findings publicly on May 27.

Only after public disclosure did OpenAI engage directly. In a statement issued May 31, the company acknowledged the lapse: the report had "slipped through a crack" in its disclosure pipeline. OpenAI said it had "taken immediate steps to protect users against potential attacks in this area by removing the model's ability to generate Apps Script code, which should eliminate the risk to users of ChatGPT for Google Sheets."

Context: A Pattern of ChatGPT Data Exfiltration Disclosures in 2026

This is not an isolated case. In early 2026, Check Point Research disclosed a vulnerability allowing sensitive ChatGPT conversation data to be silently siphoned via a hidden DNS-based side channel, bypassing OpenAI's guardrails entirely. OpenAI patched that issue on February 20, 2026. In January 2026, separate research revealed that ChatGPT's Connectors and Memory features could be exploited in zero-click attacks to exfiltrate data from connected services including Gmail, Outlook, and GitHub.

Security researchers note that as AI agents integrate more deeply into productivity tools, the blast radius of a single vulnerability grows substantially — a single injected cell in a spreadsheet can now cascade into account-wide data exposure.

Hacker News Community Signals

On Hacker News, the story "ChatGPT for Google Sheets exfiltrates workbooks" reached rank #16 in the Top 50 with 319 points, reflecting strong interest from the developer and technical community. Discussion in the thread focused on the extension's OAuth permission scopes, the mechanics of the human-approval bypass, and broader questions around supply-chain security for AI-powered productivity add-ons.

What Users Should Do

Based on PromptArmor's disclosure and security community guidance:

  • Review and revoke OAuth permissions granted to the ChatGPT for Google Sheets extension if you do not actively need it
  • OpenAI has confirmed a server-side mitigation blocking Apps Script code generation; verify your extension is up to date
  • Exercise additional caution when running AI extensions against sheets that pull in data from external sources or connectors

Kiolix Pulse Trend Data

Track related search trends via Kiolix Pulse:

  • chatgpt trend detail (200,000+): https://pulse.kiolix.com/ko/trend/chatgpt
  • google trend detail (50,000+): https://pulse.kiolix.com/ko/trend/google
  • Hacker News trends overview: https://pulse.kiolix.com/ko/trends/hacker-news
  • Kiolix Pulse: https://pulse.kiolix.com

Sources

  • PromptArmor original report: https://www.promptarmor.com/resources/gpt-for-google-sheets-data-exfiltration
  • Hacker News thread (rank #16, 319 pts): https://news.ycombinator.com/item?id=48349487
  • The Hacker News — OpenAI patches Feb 2026 DNS exfiltration flaw: https://thehackernews.com/2026/03/openai-patches-chatgpt-data.html
  • Cyber Security News — ChatGPT connectors data exfiltration (Jan 2026): https://cybersecuritynews.com/chatgpt-vulnerabilities-expose-sensitive-data/

Comments

Post a Comment

Popular posts from this blog

2026 Super El Niño Alert: A Historic Climate Shift Is Approaching — Compared to the Great Famine of 1877

Image
  2026 Super El Niño Alert: A Historic Climate Shift Is Approaching — Compared to the Great Famine of 1877 Meteorologists around the world are warning that a record-breaking El Niño event is highly likely to develop in the second half of 2026. Forecast models from multiple major institutions — including the European Centre for Medium-Range Weather Forecasts (ECMWF), the U.S. National Oceanic and Atmospheric Administration (NOAA), Japan's Meteorological Agency, and the Australian Bureau of Meteorology — are all pointing in the same direction. Some model runs suggest this El Niño could reach "Super El Niño" status, making it one of the most powerful events ever recorded. Global Search Interest According to trend data from Kiolix Pulse (https://trend-now.org), searches for "el niño weather" have been surging simultaneously across multiple countries. Country Search Interest 🇺🇸 United States 50,000+ searches 🇨🇦 Canada 5,000+ searches 🇦🇺 Au...
Read more

Meteor Explodes Near Boston, Sending Sonic Boom Across New England

Image
  Meteor Explodes Near Boston, Sending Sonic Boom Across New England A meteor entered the atmosphere and exploded near the Massachusetts coast on Saturday, May 30, 2026, triggering a powerful sonic boom felt across New England and sparking a surge in Google searches. According to Kiolix Pulse data, related keywords — including "meteor boston," "boston meteor," and "meteor massachusetts" — are currently trending in 🇺🇸 the United States, with combined search interest exceeding 200,000 searches. What Happened At approximately 2:11 p.m. Eastern Time, residents across Greater Boston reported a sudden, jarring explosion. Hundreds of 911 calls flooded in from eastern Massachusetts, southern New Hampshire, and northern Connecticut. Witnesses described windows rattling, pets startling, and entire homes shaking. Some residents initially assumed a nearby power plant had exploded. The U.S. Geological Survey confirmed no earthquake had occurred at the time. Weath...
Read more

UAE Hit by Iranian Missiles and Drones — Ceasefire Under Severe Strain

Image
  UAE Hit by Iranian Missiles and Drones — Ceasefire Under Severe Strain According to Kiolix Pulse trend data, search interest in "uae iran war" and related keywords has surged across major countries including India, the United Kingdom, and Pakistan as of May 5, 2026. The spike follows Iran's first direct attack on the UAE since the ceasefire agreement with the United States on April 8. What Happened: Iran Launches Missiles and Drones at UAE On May 4, 2026 (local time), Iran fired a barrage of ballistic missiles, cruise missiles, and drones at the United Arab Emirates. The UAE Ministry of Defence confirmed that its air defense systems intercepted 12 ballistic missiles, 3 cruise missiles, and 4 drones. CNN reported that an Israeli Iron Dome air defense system deployed in the UAE also participated in the interceptions. In the eastern emirate of Fujairah, an Iranian drone sparked a large fire at the Fujairah Petroleum Industries Zone, moderately injuring three Indian na...
Read more