ChatGPT for Google Sheets exfiltrates workbooks

a single indirect prompt injection attack triggered by a single benign user query can trigger exfiltration of many workbooks, display of an interactive phishing pop-up, overwriting the entire gpt sidebar with attacker-controlled interface, and attacker-controlled edits to workbooks.

solid security research on the ai-extension threat model. the attack chain is straightforward: untrusted data in imported sheets carries prompt injection payloads that manipulate the model into running apps script, which executes with the permissions granted to the extension. what’s particularly concerning is that explicit user settings (“apply edits automatically” disabled) don’t actually prevent execution—the “stop” button doesn’t halt already-running scripts either. openai’s initial response was slow and their docs failed to surface the sensitive capabilities being granted. the responsible disclosure timeline shows 3 weeks of silence before public release. organizations can restrict access via workspace settings, but the core issue remains: embedding agentic capabilities in untrusted data contexts without strong boundaries is inherently risky.