ChatGPT for Google Sheets is an AI add-on for Google Sheets that OpenAI launched last month. Users can directly use ChatGPT in the sidebar to process spreadsheet data. Within less than a month of release, downloads exceeded 185k times.

However, security company PromptArmor discovered that this plugin has permissions to execute scripts, read, and edit your workbooks, and these permissions can be hijacked by attackers. An attacker only needs to hide a piece of white text in a shared spreadsheet to steal your entire Google account’s workbooks without your knowledge.
For example, a colleague shares a Google Sheet with you, or you import a publicly available dataset from the internet into your workbook. These are common operations, but an attacker can hide a segment of white text (white background, white font, invisible to the naked eye) in these sheets, which you won’t notice when opening the file.
When ChatGPT helps you process this data, the hidden command is read along and triggered, allowing ChatGPT to be manipulated into executing an external script. The script, leveraging the plugin’s permissions, sends the contents of your current workbook to the attacker’s server.
Then, the script searches the stolen data for links to other workbooks, continuing to steal and spreading like a worm. In PromptArmor’s demonstration, a single attack ultimately stole 12 workbooks.
ChatGPT for Sheets has a security setting called “Require manual confirmation before editing,” designed to prevent AI from executing actions without authorization. However, this attack remains effective even if the user explicitly enables this setting because it triggers script execution, not sheet editing, bypassing this safeguard. Clicking the “Stop” button in the sidebar also cannot stop a script that has already started running.
Besides stealing data, the same vulnerability can allow attackers to replace the genuine ChatGPT interface in the sidebar with a fake one. After replacement, you might think you’re still chatting with ChatGPT, but in reality, all your questions are being collected by the attacker. They can even pop up a phishing window to trick you into entering your OpenAI password.
PromptArmor reported the vulnerability to OpenAI on May 8. OpenAI responded with an automated reply. Subsequently, PromptArmor followed up on May 12 and May 18 but received no substantive response. On May 27, PromptArmor decided to disclose the issue publicly.
It wasn’t until May 31 that OpenAI officially responded, admitting “this report was overlooked in our disclosure process,” and stating that they have removed the ability for models to generate Apps Script code, “which should eliminate the risk faced by ChatGPT for Google Sheets users.”
From the report submission to the vulnerability fix, it took 23 days.
Google Workspace administrators can disable access to this plugin within the organization by navigating to “Workspace Settings > Permissions & Roles > ChatGPT for Excel and Google Sheets.”