Comment by maxburkhardt

14 hours ago

Hi, I’m Max from the OpenAI security team. We appreciate the security research here, and it’s unfortunate this one slipped through a crack in our disclosure pipeline. As we’re now aware of this report, we’ve taken immediate steps to protect users against potential attacks in this area by removing the model’s ability to generate Apps Script code, which should eliminate the risk to users of ChatGPT for Google Sheets. We’re taking a close look at how this feature interacts with Google Sheets APIs and re-evaluating our sandboxing approach to make sure this product is as resistant as possible against prompt injection attacks. More broadly, we’ll be doing a re-review of similar functionality in other surfaces to make sure that our defenses are consistent and effective across the board.

32 comments

maxburkhardt

Reply
lionkor  6 hours ago

Hi Max, thanks for replying here!

These "defenses", are they "just" long sentences in the prompt begging the AI to not follow through with stuff like this? Or is it more like sub-agents running in sandboxes?

bgro  19 minutes ago

How does this slip through the cracks? This is exactly the type of stuff I constantly find at work. Even when I’m trying to actively not find it. I don’t understand how other devs ship a high risk feature then don't test it or think about it in any capacity other than their one happy path.

I keep trying to explain this to devs but there’s nothing out there except screaming over me about how great leetcode is or more recently it’s how great various AI uses are. Just completely ignorant isolated screaming to dismiss people like me putting in the work fix slop that steals all attention praise and career advancement or even getting through the slop hiring process.

This is directly caused by slop leetcode style hiring.

I have no doubt this finding is just the tip of the iceberg.

da_grift_shift  10 hours ago

>We appreciate the security research here

>it’s unfortunate this one slipped through a crack in our disclosure pipeline

>As we’re now aware of this report

This isn't the first time. https://x.com/PhilipTsukerman/status/1988634162773778501 https://x.com/_xpn_/status/1986382527817564437

What very likely happened here is you received good faith security research by email and you forced the researcher to submit through HackerOne or Bugcrowd or whatever, which mandates their compliance with Platform Terms and Disclosure Terms and Codes of Conduct and whatnot.

The SECURITY.md files in your GitHub repos only mention the email address. Can researchers like this one report issues via email and get a response, or not?

    May 08, 2026    PromptArmor discloses to OpenAI via email
    May 08, 2026    OpenAI sends an automated reply, confirming the intended reporting channel
    May 08, 2026    PromptArmor confirms email preference
    May 12, 2026    PromptArmor follows up
    May 18, 2026    PromptArmor follows up

altmanaltman  8 hours ago

So if it wasn't for Hacker News and you randomly chancing upon it, your users would not have been protected against potential attacks? That's a pretty bad look, especially given that OpenAI ignored their initial disclosure via the channels the company provided.

That doesn't sound like a one-trillion-dollar company is supposed to operate, does it?

  • chrncirurp  4 hours ago

    > That doesn't sound like a one-trillion-dollar company is supposed to operate, does it?

    It’s not a one trillion dollar company anymore.

    Anthropic won enterprise and Gemini is taking ChatGPTs consumer subscriptions month over month.

    Morale at OAI is all time low right now.

    • perching_aix  4 hours ago

      How different are the big boy Gemini models to the one you unconsensually get to interact with when using Google? Cause I have a really hard time imagining using that for anything willingly, even if it was outright free. It's dumb as a rock, and it's been that way for several years now.

      1 reply →

    • sofixa  4 hours ago

      > Anthropic won enterprise

      Depends on the enterprise, Mistral are pretty big here in EMEA because they're more trustworthy and you can self-host. Self-hosting ensures you can control costs better, fine tune the models for your own funky whatever (e.g. Ericsson fine tuned models to understand and run in their their custom silicon) but most of all, that your data remains where it needs to be.

      My bet is that this kind of enterprise deployment with customisation is where the real big money in AI is (and not coding assistants), but it will mostly be spent by the big banks, industrial giants and SAPs of the world, who will want control.

bflesch  7 hours ago

When I reported to you, I received zero reaction. The security@ is a joke, you'll receive an AI word soup.

Enjoy your Ferrari though

user3939382  10 hours ago

> removing the model’s ability to generate Apps Script code

I use this feature with my agents on a daily basis so hopefully you develop a more surgical approach to security here and restore this

  • crisnoble  2 hours ago

    Not to mention how this does nothing about all the other ways an attacker could could exfiltrate data with default google sheets formulas like IMPORTHTML, IMPORTXML, or even HYPERLINK which will all generate http request.