Tech

ChatGPT for Google Sheets extract workbooks

- by saddam.asad27@gmail.com - Leave a Comment
ChatGPT for Google Sheets extract workbooks

This attack does not require human approvals, even when in the configuration the user has explicitly required human approval before ChatGPT edits the workbooks.

https://omg10.com/4/10736335

Overview

Recently, OpenAI released an AI extension to use ChatGPT in Google Sheets, which has amassed over 185,000 downloads since its launch less than a month ago. This allows users to operate on their spreadsheets by interacting with an AI chatbot located in a sidebar, with the added benefit of leveraging data from ChatGPT connectors.

A single indirect fast injection attack triggered by a single benign user query can trigger all of the following effects at once:

  • Exfiltration of many workbooks from the entire victim’s account

  • Viewing an Interactive Phishing Popup

  • Overwriting the entire GPT sidebar with an attacker-controlled chatbot interface

  • Attacker-controlled edits to your workbooks

This attack occurs when any untrusted data source (for example, from an imported sheet or ChatGPT connector) manipulates ChatGPT to execute an external script controlled by an attacker, which is executed by leveraging the permissions that the user has granted to the ChatGPT extension for Google Sheets.

This vulnerability was responsibly disclosed to OpenAI. Despite multiple follow-ups, we received no communication beyond an automated response to our initial disclosure. OpenAI Documentation does not describe sensitive capabilities granted to the model (e.g., running privileged scripts) or the risks of model manipulation via immediate indirect injection, instead focusing solely on functional limitations and data handling concerns. As such, we publish our findings to enable informed decision-making regarding the risk surface.

The attack chain

  1. A user is working on an internal financial model.

    GPT for Sheets user is working on a financial model

  2. The user imports an external data set to use in their model.

    ChatGPT for Sheets user imports external data to improve your model

  3. The outer sheet has a quick injection hidden in white text.

    The outer blade contains a hidden quick injection.

  4. The user asks ChatGPT Google Sheets to help them integrate the imported sheet data into their financial model.

    Request help from ChatGPT for Sheets to use external data set

  5. Injection manipulates ChatGPT so that Google Sheets executes an external script

    Note: ChatGPT for Google Sheets has a setting called “Automatically apply edits” that determines when human approvals are required before an agent action is completed. However, this attack is successful even when the user has explicitly disabled automatic edits.

    ChatGPT for Sheets executes a script controlled by an external attacker

  6. The external script extracts the financial model from the user’s workbook.

    The attacker’s server logs then show the user’s exfiltrated financial model.

    The victim's financial model is visible on the attacker's server.

  7. The external script identifies links to other books in the stolen data, extracts the discovered books, and continues on all the books it can find.

    In this case, the internal financial model sheet included a link to another spreadsheet relevant to budgeting. The malicious script identifies the spreadsheet URL in the stolen data and extracts the newly discovered workbook. It then continues processing the stolen data, identifying and extracting additional workbooks, eventually extracting 12 in total.

    Note: Clicking the ‘stop’ button in the ChatGPT sidebar does not stop the execution of scripts that have been started.

    Malicious script extracts many books from victim's account

Phishing overlay attacks

In addition to the data exfiltration described above, the same attacker-controlled scripts allow a malicious actor to target two variants of a phishing overlay attack.

Variant 1: A sidebar opens that overlays the ChatGPT extension for Google Sheets with a site controlled by the attacker, allowing the attacker to impersonate the extension. The malicious sidebar can run scripts that edit the sheet in the same way as ChatGPT, allowing it to act in most of the ways the extension normally does, while also performing malicious activities such as:

  • Collecting all user indications

  • Provide the user with a misaligned chatbot to interact with

  • Convince the user to “reconnect” the connectors to gain access to additional applications

  • Showing a phishing UI to steal credentials for OpenAI

Malicious script overlays ChatGPT sidebar with attacker-controlled ChatGPT clone

Variant 2: A pop-up modal opens showing a website controlled by an attacker to phish the user to obtain credentials.

Malicious script opens interactive phishing popup

Control access to ChatGPT for Google Sheets

Organizations can take advantage of the following settings to control access to ChatGPT for Google Sheets:

Workspace settings > Permissions and roles > ChatGPT for Excel and Google Sheets

Responsible disclosure

This vulnerability was responsibly disclosed to OpenAI. Despite multiple follow-ups, we received no communication beyond an automated response to our initial disclosure. OpenAI Documentation does not describe sensitive capabilities granted to the model (e.g., running privileged scripts) or the risks of model manipulation via immediate indirect injection, instead focusing solely on functional limitations and data handling concerns. As such, we publish our findings to enable informed decision-making regarding the risk surface.

Timeline

May 8, 2026 PromptArmor informs OpenAI via email
May 8, 2026 OpenAI sends an automatic response, confirming the intended reporting channel
May 8, 2026 PromptArmor confirms email preference
May 12, 2026 PromptArmor Tracking
May 18, 2026 PromptArmor Tracking
May 27, 2026 Public Disclosure

Related Posts

PSA: Microsoft will delete Google Account backups from SwiftKey tomorrow. Do this to save your data

PSA: Microsoft will delete Google Account backups from SwiftKey tomorrow. Do this to save your data

Fable dodges GTA VI with another delay

Fable dodges GTA VI with another delay

Extreme shine! Sony introduces Bravia 7 II and 9 II premium True RGB mini LED TVs

Extreme shine! Sony introduces Bravia 7 II and 9 II premium True RGB mini LED TVs

About saddam.asad27@gmail.com

View all posts by saddam.asad27@gmail.com →

Leave a Reply

Your email address will not be published. Required fields are marked *