Spreadsheets are supposed to be boring. You import data, run formulas, build models. Boring is safe. But when you connect a large language model to that spreadsheet, the boring tool becomes an attack surface. ChatGPT for Google Sheets, the extension OpenAI shipped with 185,000 downloads in its first month, has a critical indirect prompt injection vulnerability that lets a single hidden cell drain your entire Google Drive.

A security researcher at PromptArmor demonstrated the chain on June 1. A user imports external data, say a competitor pricing sheet or a connector feed. Somewhere in that data, a cell contains what looks like normal text but is actually a hidden instruction. When the user asks ChatGPT to help process the import, the model follows the hidden instruction: run an external script using the full permissions granted to the extension. From there, the attacker can exfiltrate every workbook the victim has access to, display phishing overlays that steal credentials, and even replace the ChatGPT sidebar with a malicious clone.

The Technical Details

The vulnerability lives in the permissions gap. ChatGPT for Google Sheets gets broad access to read and modify spreadsheets across the user's Google account. The extension can generate and execute Google Apps Script code, which is essentially full access to Google's scripting environment. A hidden prompt injection exploits this by embedding instructions that the model reads from a cell and acts on.

Key factors that make this dangerous:

Factor Detail
Extension reach 185,000+ downloads in first month
Bypass Works even with "Apply edits automatically" disabled
Lateral movement Can identify linked workbooks and exfiltrate across the account
Phishing Can overlay fake login screens in the sidebar
Stop button Clicking "stop" does not halt the execution
Disclosure date June 1, 2026
OpenAI response Removed Apps Script generation, admitted the report "slipped through a crack"

The attack chain works like this. A cell in the imported sheet contains a prompt injection hidden in white text or a formula comment. The user asks ChatGPT to "update my model with data through F29" or a similar innocuous request. The model reads the hidden instruction and generates Apps Script code that sends workbook contents to an attacker-controlled server. Because the instruction came from within the data the user explicitly asked the model to process, the model sees it as legitimate context rather than an attack.

OpenAI's fix, deployed after PromptArmor went public, removes the model's ability to generate Apps Script code entirely. That stops this specific attack vector, but it does not solve the underlying architecture problem.

This Is a Pattern, Not an Incident

This is the third documented indirect prompt injection exploit against AI productivity tools in two months.

Product Month Attack Vector
Ramp Sheets AI April 2026 External formula injection
Microsoft Copilot Cowork May 2026 Teams message to SharePoint exfiltration
ChatGPT for Google Sheets June 2026 Apps Script generation via hidden cell

Each one follows the same shape. An AI agent gets broad permissions to be useful. A hidden instruction in external data manipulates the model into using those permissions against the user. The model cannot tell the difference between "the user asked me to update the model" and "the hidden instruction in cell F30 told me to ping an external server with the contents of my Google Drive."

Simon Willison, who has tracked prompt injection since the early ChatGPT plugin days, called this exact scenario years ago. Models lack instruction-data separation, which is a basic security boundary that normal software takes for granted. A database driver would never confuse a row of data with a SQL command. An LLM will happily follow instructions embedded in a CSV file.

Community Reaction

The HN thread is split between security practitioners who saw this coming and users who are discovering for the first time that their AI assistant has keys to the whole house.

One commenter noted that the attack still requires the user to ask the model to process the malicious data. That is technically true and technically irrelevant. The entire value proposition of ChatGPT for Google Sheets is that you import data and ask the model to work with it. The malicious cell is indistinguishable from legitimate data. Blaming the user for asking the model to process the imported spreadsheet is like blaming someone for opening a PDF that turned out to contain a macro virus.

What This Means

The underlying issue is architectural. LLMs process all input tokens in the same context window. They cannot distinguish between "this is a command from the user" and "this is data the user asked me to look at." Removing Apps Script generation from the Google Sheets extension patches one symptom. The next extension that ships with a scripting capability will have the same weakness.

For now, if you or your organization uses ChatGPT for Google Sheets, the practical fix is to restrict or disable the extension via Google Workspace admin settings under Permissions and roles. OpenAI's removal of Apps Script generation reduces the immediate risk, but the fundamental design problem remains. Any AI agent with write access to your documents and the ability to execute code is one prompt injection away from being an exfiltration pipeline.

I keep coming back to the same uncomfortable thought. We are handing these models keys to our data and expecting them to know when not to use them. They do not know. They cannot know. The architecture does not allow it. Until that changes, every AI agent with document access is a vulnerability waiting to be triggered. Not because the model is malicious, but because it cannot tell the difference between you and the hidden text in cell F30.

Sources