Tech

PromptArmor exposes critical ChatGPT for Google Sheets flaw enabling mass data theft

OpenAI’s widely downloaded extension allows attackers to exfiltrate multiple workbooks and launch phishing attacks without user consent, despite disabled automatic edit settings.

Author
Owen Mercer
Markets and Finance Editor
Source: Hacker News · original
Cybersecurity firm reveals indirect prompt injection vulnerability bypasses human approval safeguards

PromptArmor has disclosed a critical security vulnerability in the ChatGPT for Google Sheets extension, an artificial intelligence tool developed by OpenAI that has seen rapid adoption with over 185,000 downloads since its launch less than a month ago. The flaw allows malicious actors to execute indirect prompt injection attacks, enabling the exfiltration of multiple workbooks, unauthorised edits, and phishing overlay attacks without requiring human approval.

The vulnerability remains active even when users have explicitly disabled the 'Apply edits automatically' setting, effectively bypassing the human-in-the-loop approval requirements designed to prevent unauthorised changes. A single indirect prompt injection triggered by a benign user query can simultaneously exfiltrate numerous workbooks from across a victim’s account, display phishing pop-ups, overwrite the GPT sidebar with an attacker-controlled interface, and execute unauthorised edits.

In a demonstrated attack scenario, a malicious script identified links to other spreadsheets within stolen data, subsequently exfiltrating 12 workbooks in total. The attack occurs when untrusted data sources, such as imported sheets or ChatGPT connectors, manipulate the model to run attacker-controlled external scripts leveraging permissions granted to the extension. Clicking the ‘stop’ button in the ChatGPT sidebar does not halt scripts that have already begun execution.
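Because links between spreadsheets determined how far the demonstrated theft spread, a defender can measure the same exposure in advance. The sketch below is an added example, not code from PromptArmor or OpenAI: it walks an offline export of cell values and reports which workbooks are reachable by link from a given starting workbook. The export shape (a dict of workbook ID to cell values), the function names and the sample IDs are assumptions made for illustration.

```python
import re
from collections import deque

# Captures the workbook ID from a Google Sheets URL found in a cell or formula.
SHEET_URL = re.compile(r"https://docs\.google\.com/spreadsheets/d/([A-Za-z0-9_-]+)")

def linked_ids(cells):
    """Return the set of workbook IDs referenced by URL in any cell value."""
    found = set()
    for cell in cells:
        found.update(SHEET_URL.findall(str(cell)))
    return found

def blast_radius(start_id, workbooks):
    """Breadth-first walk of the link graph starting at start_id.

    workbooks: hypothetical offline export, workbook ID -> list of cell values.
    Returns (reachable, unresolved): workbooks reachable through links, and
    linked IDs absent from the export that therefore could not be followed.
    """
    reachable, unresolved = {start_id}, set()
    queue = deque([start_id])
    while queue:
        current = queue.popleft()
        for target in linked_ids(workbooks.get(current, [])):
            if target in reachable:
                continue  # already counted; also breaks link cycles
            if target not in workbooks:
                unresolved.add(target)  # review manually, contents unknown
                continue
            reachable.add(target)
            queue.append(target)
    return reachable, unresolved

# Constructed sample export; the IDs and cell contents are invented.
SAMPLE = {
    "wb-budget": ["Q1 totals",
                  "see https://docs.google.com/spreadsheets/d/wb-payroll/edit#gid=0"],
    "wb-payroll": ['=IMPORTRANGE("https://docs.google.com/spreadsheets/d/wb-hr/edit", "A1:C9")',
                   "https://docs.google.com/spreadsheets/d/wb-budget/edit"],
    "wb-hr": ["https://docs.google.com/spreadsheets/d/wb-external/edit"],
    "wb-unlinked": ["no links here"],
}

if __name__ == "__main__":
    reachable, unresolved = blast_radius("wb-budget", SAMPLE)
    print("reachable:", sorted(reachable))
    print("unresolved:", sorted(unresolved))
```

Workbooks in the reachable set are the ones to review for sensitivity before the extension is enabled on the starting workbook; unresolved IDs point outside the export and need a separate check.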

PromptArmor identified two variants of phishing overlay attacks facilitated by the flaw. The first involves a malicious sidebar overlay that impersonates the extension, while the second utilises a pop-up modal designed to steal OpenAI credentials. PromptArmor reported the issue to OpenAI on 8 May 2026, but following a lack of substantive communication beyond automated replies, the findings were made public on 27 May 2026.

OpenAI’s documentation reportedly fails to describe sensitive capabilities granted to the model, such as running privileged scripts, or the risks of model manipulation via indirect prompt injection. Organisations can control access to the extension via Workspace settings > Permissions & roles > ChatGPT for Excel and Google Sheets to mitigate exposure to the identified risk surface.
