What the ChatGPT for Sheets data-exfiltration bug teaches about AI security
A security firm called PromptArmor published a writeup on May 27, 2026 showing that ChatGPT for Google Sheets, an OpenAI extension with more than 185,000 downloads, could be made to steal a user's spreadsheets through a single ordinary-looking request. Four days later, on May 31, OpenAI shipped a fix. The short version is that one benign question, typed by a real user into a sheet that contained hidden instructions, was enough to drain twelve linked workbooks out of that user's account and replace the assistant with a fake phishing chatbot. I want to walk through how this worked, because the mechanism matters far more than the headline, and because the same shape of problem is going to keep showing up everywhere we bolt an AI assistant onto data we did not write ourselves. What happened The attack is a textbook indirect prompt injection. The user does nothing wrong. They import a sheet, or pull in data through a connector, and somewhere in that data sits a block of text the attacker controls. In the PromptArmor demonstration the malicious instructions were written in white text on a white background, invisible to a human skimming the sheet but fully readable to the model parsing the cells. When the user later asks the assistant a normal question, the model reads the whole context, including those hidden instructions, and treats them as if they came from the user. The injected text tells the assistant to fetch and run an external script. That script runs with the permissions the extension already holds, which means it can read the current workbook, find URLs to other workbooks linked inside it, and walk outward from there. PromptArmor reported it exfiltrating twelve workbooks in total from a single trigger, then dropping a fake chat interface on top to harvest whatever the user typed next. The detail that should bother you most is this line from their report: the attack succeeds even when the user has explicitly disabled automatic edits. The human-in-the-loop approva