By ByteBot
You asked ChatGPT to summarize a spreadsheet. In doing so, you handed it a poisoned cell that told the extension to silently copy 12 of your workbooks to a server you’ve never heard of. That’s not a hypothetical. That’s what PromptArmor’s researchers demonstrated on May 27, 2026 — and it worked on every one of the 185,000 people who had installed ChatGPT for Google Sheets.
How the Attack Works
The vulnerability is indirect prompt injection. Malicious instructions are embedded in data — not typed by the attacker, but read by the AI from an external source the user willingly imported. The user does nothing wrong. They bring in a dataset, ask a question, and the extension executes attacker-controlled Apps Script code under permissions the user already granted at install.
The chain is brutal in its simplicity: one poisoned cell triggers a script. The script exfiltrates the current workbook, then scans the stolen data for hyperlinks to other workbooks in the victim’s Google account. Then it follows those links. The proof-of-concept demonstrated 12 workbooks stolen in a single session. The “apply edits automatically” safety toggle? Bypassed. The stop button? Ineffective once the script is running — Apps Script executes below the extension’s own confirmation UI.
A secondary attack replaced the Sheets sidebar with a fake ChatGPT interface to harvest OpenAI credentials. One poisoned cell, two credential harvests.
Nineteen Days of Silence
PromptArmor reported the vulnerability to OpenAI on May 8. They followed up on May 12. They followed up again on May 18. Each time, they received an automated acknowledgment. No substantive response.
On May 27 — 19 days after disclosure — they published publicly. OpenAI responded four days later with this: “We appreciate the security research here, and it’s unfortunate this one slipped through a crack in our disclosure pipeline.”
A 19-day non-response to a critical, actively exploitable vulnerability affecting 185,000 users is not a crack. It’s a policy. The framing implies an anomaly. The timeline implies a standard.
The Patch That Isn’t
OpenAI’s fix: removing the model’s ability to generate Apps Script code. That’s it.
The root problem is not Apps Script generation. It’s that an AI extension with read/write access to your entire Google account processes untrusted external data with no separation between data and instructions. Removing one execution capability doesn’t change the architecture — it removes one weapon while leaving the attacker inside the perimeter.
OpenAI’s statement includes an acknowledgment that they’re “re-evaluating sandboxing across other products.” Read that carefully: it confirms there are more vulnerabilities of this class elsewhere in their product line, and they know it.
This Is the Systemic Problem
Prompt injection — particularly indirect injection — is ranked #1 in the OWASP Top 10 for LLMs. For two years, it was discussed as theoretical. It is no longer theoretical. The underlying reason it’s hard to fix is structural: LLMs have no reliable mechanism to distinguish “this is data to analyze” from “this is an instruction to follow.” Every AI tool that reads external content carries some version of this exposure.
This incident doesn’t stand alone. A February 2026 Incogni study found 50% of AI Chrome extensions collect user data, 42% use scripting permissions, and AI extensions are 60% more likely than standard extensions to carry a known CVE. The same week PromptArmor published, a malicious Nx Console extension breached 3,800 GitHub repositories in 18 minutes via the same basic vector: trusted tool, poisoned input, harvested credentials. See the Hacker News discussion for developer reactions.
This is the macro virus problem from the 1990s. A powerful execution capability attached to document processing, granted by default, with no meaningful sandbox. We already lived through that era. We apparently need to live through it again.
What Developers Should Do Now
Audit every AI extension in your browser and workspace like you’d audit a dependency with root access — because that’s what it is. If an extension can read your account, execute code, and process external data, assume it is exploitable until proven otherwise. Check what permissions you granted at install. Revoke access to tools you no longer actively use. Treat “AI productivity tool” and “trusted software” as separate categories until the industry solves sandboxing at the architectural level.
OpenAI says they’re reviewing. That’s a start. In the meantime, 185,000 users of ChatGPT for Google Sheets had no idea the extension they installed to summarize spreadsheets could empty their Google Drive. That’s the gap between product capability and product security — and right now, it’s wide open.
