
ChatGPT for Google Sheets Workbook Leak: What to Do Now

ChatGPT for Google Sheets was caught exfiltrating workbooks via prompt injection. Here's the safer way to keep using it without giving up your data.


You have two options after the news that ChatGPT for Google Sheets exfiltrates workbooks through a single poisoned cell. Option one: rip the add-on out, panic-revoke every permission, and go back to writing VLOOKUPs by hand. Option two: keep it, but treat every imported sheet like a USB stick you found in a parking lot. The second option is the right one – uninstalling alone doesn’t actually fix the underlying problem, and the add-on is still genuinely useful for the 90% of workflows that don’t touch untrusted data.

This is the hands-on version of that story. Not the news writeup – the part where you decide what to do Monday morning.

The vulnerability in one paragraph

On May 27, 2026, security firm PromptArmor published a working attack chain showing that ChatGPT for Google Sheets is vulnerable to indirect prompt injection. A single sheet containing hidden instructions could trigger data exfiltration and phishing overlay attacks across workbooks in the victim’s account – even when the user had explicitly required human approval before edits. In the proof-of-concept, the malicious script chained through linked spreadsheets and exfiltrated 12 workbooks in total.

The attack itself is almost embarrassingly simple. Place instructions in a cell. Format the text white on white. Import the sheet or connect it via a data source. When the AI reads the sheet to answer a query, it treats the hidden text as instructions rather than as data. From there the model can call Google Apps Script with the full permissions granted to the add-on.

Why the obvious fix isn’t enough

OpenAI’s response, after public disclosure forced the issue, was to patch the model layer. They removed the model’s ability to generate Apps Script code, which should eliminate the risk to users of ChatGPT for Google Sheets. Good. Necessary. Not sufficient.

Here’s why: the OAuth scopes you granted when installing the add-on are still sitting in your Google account. Turns out, even after uninstalling the add-on from Sheets, the underlying OAuth grant stays active in your Google account until you manually revoke it – something users in the Apple Support Community flagged and that the Hawkdive write-up confirmed. Patching the model is like changing the locks while leaving a copy of the key in the mailbox. The immediate exploit path is closed. The permission surface isn’t.

The lockdown walkthrough (do this once)

If you’ve ever used the add-on – even once, even months ago – run through these four steps in order. They take about five minutes.

  1. Revoke the OAuth grant first. Go to myaccount.google.com/permissions, find the ChatGPT entry, and click Remove access. This is the only step that actually severs the connection.
  2. Then uninstall from Sheets. Extensions → Add-ons → Manage add-ons → ChatGPT → Uninstall. Doing this without step 1 leaves the grant orphaned.
  3. Audit recent activity. Check your Google Account’s Recent security activity log for any third-party app access you don’t recognize. If you’re on Workspace, your admin can pull the audit log too.
  4. Reinstall clean, if you actually use it. Pull the add-on fresh from the Google Workspace Marketplace. Now the OAuth grant matches the current (patched) code.

Workspace admins have a fifth lever. According to PromptArmor’s disclosure, Google Workspace administrators can revoke the add-on’s permissions under Permissions & roles > ChatGPT for Excel and Google Sheets. If you run IT for a team that handles financial models, customer data, or anything regulated, do that org-wide.

How to keep using it without becoming the cautionary tale

The add-on is still useful. Per OpenAI’s Help Center, it’s available globally to Business, Enterprise, Edu, and K-12 users, and to ChatGPT Free, Go, Pro, and Plus users – so a lot of people will keep it installed. The rule is simple: never point it at data you didn’t author.

Pro tip: Treat imported sheets like email attachments from strangers. If a CSV came from a vendor, a scraping tool, a downloaded report, or any source you don’t fully control – copy only the cells you need into a fresh workbook before opening the ChatGPT sidebar. Hidden instructions can’t fire if you never load them.

Three more habits worth building:

  • Compartmentalize accounts. Use a dedicated Google account for AI add-ons that has access to nothing sensitive. Share specific files in, share nothing out.
  • Stop button isn’t a kill switch. Clicking the ‘stop’ button in the ChatGPT sidebar does not stop scripts that have started from finishing execution (confirmed in PromptArmor’s disclosure). Plan as if any action you trigger is irreversible.
  • Don’t trust the approval toggle. The ‘Apply edits automatically’ setting – on or off – was bypassed in the original attack. Even with OpenAI’s patch, design your workflow as if approvals don’t exist.

Common pitfalls

Uninstalling the add-on and assuming you’re safe is the mistake most people are making this week. You’re not – the OAuth grant survives the uninstall. Second: re-enabling the add-on in a hurry without reading the permission prompt. The scope it requests is broad, and you’re effectively re-granting the same key.

One subtler trap is timing. Business, Enterprise, Edu, and K-12 customers have a free preview through June 2, 2026; after that, usage follows each plan’s credits and usage terms (per OpenAI’s Help Center). That preview is ending right as security teams are reassessing the add-on. If your org was going to renew or reconsider anyway, this is a natural checkpoint – not a reason to keep the install around out of inertia.

Compared to the alternatives

If you’re rethinking the add-on entirely, here’s the honest picture as of June 2026:

| Option | Trust boundary | Trade-off |
| --- | --- | --- |
| ChatGPT for Google Sheets (patched) | OpenAI + Google | Most flexible, but the trust model just took a public hit |
| Gemini in Workspace | Google only | Data stays inside Google’s boundary; feature set differs from ChatGPT add-on |
| Paste-into-ChatGPT manually | Only what you paste | Tedious but you control every byte that leaves the sheet |
| Local LLM + CSV export | Your machine | Maximum privacy, real setup work, weaker reasoning on complex tasks |

This isn’t a one-off. Check Point Research documented a separate finding (March 30, 2026) where a hidden outbound communication path from ChatGPT’s isolated execution runtime reached the public internet – a single malicious prompt could turn an ordinary conversation into a covert channel leaking user messages, uploaded files, and other sensitive content. The same class of problem keeps surfacing across agentic AI products.

FAQ

Is ChatGPT for Google Sheets safe to use right now?

Probably yes, if you only point it at workbooks you authored and you’ve revoked-then-reinstalled the OAuth grant. The specific exploit was patched. The architecture that enabled it wasn’t fundamentally redesigned.

I never installed the add-on. Am I affected?

No – the vulnerability required the extension to be installed and authorized on your Google account. But if you’re a Workspace admin, check whether any users on your team installed it without going through IT. Shadow installs are common, and the OAuth grants those users approved are scoped to their entire Drive. Pull the third-party app report from your admin console before assuming the answer is no.

Why did this take three weeks of public pressure to fix?

Per PromptArmor’s published timeline: the initial report went in on May 8, 2026, follow-up attempts went unanswered, and the team published publicly on May 27. OpenAI’s substantive response came May 31. Responsible disclosure depends on the vendor actually reading their inbox – which is a process problem, not a technical one.

Your next step: open myaccount.google.com/permissions right now and check whether ChatGPT is in your third-party app list. If it is, revoke it. Decide afterward whether you want it back.