microsoft copilot cowork / prompt injection / data exfiltration

Security researchers disclosed that ChatGPT for Google Sheets had a prompt-injection vulnerability enabling an attacker to exfiltrate multiple workbooks, display phishing overlays, overwrite the ChatGPT sidebar, and make attacker-controlled edits across a victim’s account after a single indirect malicious input. The flaw exploited the extension’s ability to run Apps Script via untrusted data (e.g., imported sheets or ChatGPT connectors), and it worked even when users required human approval for edits. The researchers responsibly disclosed the issue; OpenAI removed the model’s ability to generate Apps Script code and said it’s re-evaluating sandboxing and similar features. This matters because the extension had 185,000+ downloads and granted privileged access that could compromise corporate spreadsheets and linked workbooks.

Security researchers found that OpenAI’s ChatGPT for Google Sheets extension can be manipulated via an indirect prompt-injection hidden in imported data to run attacker-controlled scripts that exfiltrate multiple workbooks, open phishing overlays, overwrite the GPT sidebar, and make malicious edits across an account. The exploit works even when users require manual approval for edits and persists beyond sidebar “stop” actions; it spreads by harvesting links in stolen sheets and chaining through discovered workbooks. The researchers responsibly disclosed the issue to OpenAI but received only an automated reply and say documentation omits crucial details about privileged script execution and indirect prompt-injection risks. The findings highlight a significant supply-chain and agentic-risk vector for spreadsheet-integrated AI tools.