Security Firm Says ChatGPT for Google Sheets Add-on Could Exfiltrate User Data

ChatGPT add-on exposed to spreadsheet-wide abuse
A security firm says it found a way to make the ChatGPT for Google Sheets add-on exfiltrate data from a victim’s account, raising fresh concerns about third-party AI tools that can act on sensitive business documents.
The issue centers on an indirect prompt injection attack that can begin with a single seemingly harmless query in one spreadsheet. According to the researchers, that one interaction can be enough to trigger broader effects across the user’s account, including stealing data from multiple workbooks and replacing the ChatGPT sidebar with an attacker-controlled interface.
The attack does not depend on a person approving each step. The researchers said it succeeds even when the user has turned on settings meant to require human approval before ChatGPT edits workbooks, including the “Apply edits automatically” control. In their testing, untrusted content inside a sheet — or content pulled in through a ChatGPT connector — could manipulate the model into running an attacker-controlled external script that used permissions already granted to the extension.
OpenAI recently launched the Google Sheets extension, which has gathered more than 185,000 downloads in less than a month. The add-on lets users interact with spreadsheets through a ChatGPT sidebar and also tap data from ChatGPT connectors.
In an update provided after the research was shared, OpenAI said it had taken immediate steps to protect users by removing the model’s ability to generate Apps Script code, which it said should eliminate the risk to users of ChatGPT for Google Sheets. The company said it is also re-evaluating how the feature interacts with Google Sheets APIs and its sandboxing approach.
The researchers said they had responsibly disclosed the vulnerability but, after following up, received only an automated reply. They also argued that OpenAI’s documentation does not clearly spell out the sensitive capabilities granted to the model, including the ability to run privileged scripts, or the risks posed by indirect prompt injection.
The findings add to a growing list of security worries around AI tools embedded in productivity software, where convenience can quickly turn into account-wide exposure when a model is allowed to act on untrusted data.