ChatGPT Google Sheets flaw exposes workbook data

ChatGPT Google Sheets flaw disclosed by PromptArmor could let one poisoned sheet leak workbook data and show phishing overlays.

By Reza Khalil

A security researcher says OpenAI’s ChatGPT add-on for Google Sheets can be manipulated to leak spreadsheet data across a user’s account and place phishing prompts over a workbook, even when the user expects to approve sensitive actions first.

PromptArmor disclosed the finding on 27 May 2026, describing it as an indirect prompt-injection path inside the add-on. The company said a malicious instruction hidden in one sheet could influence later ChatGPT actions in Google Sheets. It also said the add-on had reached about 185,000 downloads since launch.

The disclosure is about OpenAI’s add-on running inside Sheets, not a reported compromise of Google Sheets itself. Even so, it lands in a familiar enterprise blind spot: spreadsheets often hold customer lists, finance models, sales pipelines and planning notes that sit outside the systems security teams watch most closely.

PromptArmor wrote: “This attack does not require human-in-the-loop approvals.”

Its proof-of-concept described a poisoned spreadsheet that could trigger workbook-wide data exfiltration after the victim used the add-on. In one example cited by the researcher, the chain exfiltrated data from 12 workbooks. The post said the same method could display phishing overlays in the spreadsheet interface, giving an attacker a route from data access to credential theft.

OpenAI’s help material presents the connector as a productivity tool for generating formulas, classifying rows, summarising data and working across spreadsheet content. The OpenAI Help Center page says the feature is available globally to paid business and education users.

The help page says: “This feature is available globally to Business, Enterprise, Edu, and K-12 users.”

That user base matters for Australian organisations because the exposure appears inside an ordinary office workflow. A staff member may see a routine spreadsheet tab, while the add-on can act on content the account is already allowed to reach. PromptArmor’s finding points to a gap between account-level permissions and the narrower trust users attach to a single task.

Why the approval model matters

PromptArmor’s central claim is that user approval is a weak boundary when the instruction is hidden in content. Approval prompts are meant to help people confirm consequential actions. In the reported chain, the malicious instruction is carried inside the spreadsheet, so the user may see normal spreadsheet work rather than a suspicious request.

The public ChatGPT spreadsheet app page describes the tool as a way to build and update spreadsheets with ChatGPT. The security question is how narrowly those connectors should be scoped once they are installed, especially when they can read across files a user can already access.

For security teams, the first check is inventory. Organisations should review who has installed the add-on, what Google Workspace permissions it can reach, whether sensitive sheets are shared with broad groups, and whether staff are using external AI connectors on finance, customer or employee data. If the tool is allowed, administrators should document a narrow use case and monitor unusual spreadsheet-access patterns.
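One way to approach the "unusual spreadsheet-access patterns" check is to flag any user and app pair that reads many distinct workbooks in a short window, the fan-out shape of the workbook-wide exfiltration PromptArmor described. This is an added example, not code from PromptArmor, OpenAI or Google; the event fields, the app name `sheets-ai-addon`, the thresholds and the sample events are all constructed assumptions to be mapped onto whatever audit export an organisation actually has.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions:
# map them from whatever your Workspace audit export actually provides.
def _ev(user, app, file_id, ts):
    return {"user": user, "app": app, "file_id": file_id,
            "time": datetime.fromisoformat(ts)}

SAMPLE_EVENTS = (
    # Normal use: the add-on touches only the workbook being edited.
    [_ev("amy@example.org", "sheets-ai-addon", "wb-budget", "2026-06-01T09:00:00"),
     _ev("amy@example.org", "sheets-ai-addon", "wb-budget", "2026-06-01T09:05:00")]
    # Fan-out: the same add-on reads 12 distinct workbooks within one minute.
    + [_ev("bob@example.org", "sheets-ai-addon", f"wb-{i:02d}",
           f"2026-06-01T10:00:{i * 5:02d}") for i in range(12)]
)

def find_fanout(events, max_workbooks=5, window=timedelta(minutes=10)):
    """Return alerts where one (user, app) pair reads more than
    max_workbooks distinct workbooks inside a sliding time window."""
    recent = defaultdict(deque)   # (user, app) -> events still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["app"])
        q = recent[key]
        q.append(ev)
        # Drop events that have aged out of the window.
        while ev["time"] - q[0]["time"] > window:
            q.popleft()
        distinct = {e["file_id"] for e in q}
        if len(distinct) > max_workbooks:
            prev = alerts.get(key)
            # Keep only the largest fan-out seen for this pair.
            if prev is None or len(distinct) > len(prev["workbooks"]):
                alerts[key] = {"user": key[0], "app": key[1],
                               "workbooks": sorted(distinct),
                               "first_seen": q[0]["time"],
                               "last_seen": ev["time"]}
    return list(alerts.values())

if __name__ == "__main__":
    for a in find_fanout(SAMPLE_EVENTS):
        print(f"{a['user']} via {a['app']}: {len(a['workbooks'])} workbooks "
              f"between {a['first_seen']} and {a['last_seen']}")
```

The threshold and window are tuning knobs: a baseline of how many workbooks staff normally touch through the add-on per session should set them, and alerts are a prompt to review the sheets involved for hidden instructions.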

PromptArmor described a proof-of-concept, not observed exploitation in the wild. OpenAI had published the help-centre article nine days before the researcher's disclosure was retrieved for this article, which puts the finding at an early public-review stage. The practical response is controlled rollout, permission review and user guidance, not panic over Google Sheets.

The old browser-extension problem is back in spreadsheet form: a trusted productivity layer can become a data path if it reads more than the user expects. ChatGPT’s spreadsheet connector adds AI automation to that risk, where one hidden instruction can change what the assistant does next.

Reza Khalil

Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.
