ChatGPT Google Sheets extension bypasses human approval
Indirect prompt injection in untrusted data sources lets attackers exfiltrate workbooks and run scripts even when auto-edit is disabled.
June 2, 2026
Summary
If you use ChatGPT for Google Sheets with imported data or connectors, attackers can steal all accessible spreadsheets and credentials via hidden injection payloads—approval toggles don't block it. OpenAI disabled Apps Script generation in response, but you need to audit connector sources and data imports now.
Why it matters
If you use ChatGPT for Google Sheets with imported data or connectors, attackers can steal all accessible spreadsheets and credentials via hidden injection payloads—approval toggles don't block it. OpenAI disabled Apps Script generation in response, but you need to audit connector sources and data imports now.
Implementation verdict
Disables the ability to use external scripts via ChatGPT for Google Sheets entirely (AppScript generation removed). Requires: disable the extension in Workspace settings > Permissions & roles until you audit data sources, or switch to manual spreadsheet workflows. Not ready for production use with untrusted data until sandboxing is redesigned.
Sources
- 1.A single indirect prompt injection attack triggered by a single benign user query can trigger all of the following effects at once: Exfiltration of many workbooks from across the victim's account
- 2.this attack succeeds even when the user has explicitly disabled automatic edits
- 3.over 185,000 downloads since its launch less than a month ago
- 4.we've taken immediate steps to protect users against potential attacks in this area by removing the model's ability to generate Apps Script code
Dev Signal
Get briefs like this in your inbox — free, 3x a week.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.