ChatGPT for Google Sheets exfiltrates workbooks

311 points · 115 comments on HN

ChatGPT for Google Sheets vulnerability allows attackers to exfiltrate workbooks via indirect prompt injection, bypassing user approval settings.

A security vulnerability in ChatGPT for Google Sheets (185,000+ downloads) allows attackers to exfiltrate multiple workbooks through indirect prompt injection attacks. When a user imports an external dataset containing hidden malicious prompts in white text and asks ChatGPT to integrate it, the injection manipulates the extension into running attacker-controlled external scripts. These scripts execute with the extension's permissions, stealing the workbook and discovering linked workbooks to exfiltrate as well (12 stolen in one example). The attack succeeds even when users explicitly disable automatic edits.

Attackers can also deploy phishing overlays impersonating the ChatGPT extension or pop-ups to harvest credentials. The vulnerability was responsibly disclosed to OpenAI on May 8 with multiple follow-ups but received only an automated reply. OpenAI responded after public disclosure on May 31, stating it has removed the model's ability to generate Apps Script code and is re-evaluating sandboxing approaches.
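The hidden white-text trick described above can be checked for before an imported sheet is handed to an assistant. The following is an added example, not code from the original write-up or from OpenAI; it assumes the workbook is available as a Sheets API v4 `spreadsheets.get` response with grid data, and the function names and the 1.5 contrast threshold are illustrative choices.

```javascript
// Added example: flag non-empty cells whose text is (nearly) invisible
// against the cell background, using the WCAG contrast ratio.

// Sheets API colors are 0..1 floats; a missing channel means 0.
function luminance(c = {}) {
  const lin = (v = 0) => (v <= 0.03928 ? v / 12.92 : ((v + 0.055) / 1.055) ** 2.4);
  return 0.2126 * lin(c.red) + 0.7152 * lin(c.green) + 0.0722 * lin(c.blue);
}

// Ranges from 1 (identical colors) to 21 (black on white).
function contrastRatio(fg, bg) {
  const [hi, lo] = [luminance(fg), luminance(bg)].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

function findHiddenText(spreadsheet, minContrast = 1.5) {
  const hits = [];
  for (const sheet of spreadsheet.sheets ?? []) {
    for (const grid of sheet.data ?? []) {
      (grid.rowData ?? []).forEach((row, r) => {
        (row.values ?? []).forEach((cell, c) => {
          const text = (cell.formattedValue ?? "").trim();
          if (!text) return; // empty cells cannot carry an instruction
          const fmt = cell.effectiveFormat ?? {};
          const fg = fmt.textFormat?.foregroundColor ?? {}; // default: black
          const bg = fmt.backgroundColor ?? { red: 1, green: 1, blue: 1 };
          const ratio = contrastRatio(fg, bg);
          if (ratio < minContrast) {
            hits.push({ sheet: sheet.properties?.title, ratio, text,
              row: (grid.startRow ?? 0) + r + 1, col: (grid.startColumn ?? 0) + c + 1 });
          }
        });
      });
    }
  }
  return hits;
}

// Constructed sample: a visible header cell and a white-on-white cell.
const WHITE = { red: 1, green: 1, blue: 1 };
const cellOf = (text, fg) => ({ formattedValue: text,
  effectiveFormat: { backgroundColor: WHITE, textFormat: { foregroundColor: fg } } });
const SAMPLE = { sheets: [{ properties: { title: "Imported" }, data: [{ rowData: [
  { values: [cellOf("Region", {})] },
  { values: [cellOf("(constructed hidden instruction text)", WHITE)] },
] }] }] };

console.log(findHiddenText(SAMPLE));
```

This covers only the low-contrast formatting the summary describes; injected text that is visible, or hidden by other means, passes through, so a hit is a reason to quarantine the import rather than proof that the rest is clean.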

What the HN community is saying

Commenters widely agree that LLM-powered tools lack adequate security architecture. The dominant concern is that prompt injection is fundamentally unsolvable given LLMs' design: context and data are indistinguishable from instructions, making enumeration-based defenses (like regex filters) hopeless. One commenter notes similar vulnerabilities were found in malicious fonts in Word documents. Others argue this reflects prioritization of speed over security, with trillion-dollar companies accepting known risks to avoid falling behind competitors. A counterargument holds that separate data and instruction inputs are architecturally possible and that structured defenses (like separate input heads or tokenization restrictions) might reduce, though not eliminate, injection attacks.