ChatGPT's macOS app was storing chats in plain text, but it has been patched

A software engineer has discovered that OpenAI's ChatGPT app for Mac was saving chats in plain text. Here is what happened.

In case you missed it, the ChatGPT Mac app was released a week ago for all users. Pedro José Pereira Vieito published his findings on Threads, revealing that the popular chatbot's desktop app was storing users' conversations with the chatbot in plain text on local storage.

ChatGPT for Mac was storing conversations in plain text

The security enthusiast noted that macOS has blocked other apps from snooping on user data since macOS Mojave 10.4, which was released 6 years ago. Vieito pointed out that macOS would not allow other apps to access the chats if the app in question were sandboxed. More specifically, ChatGPT's Mac app was saving the data in the following non-protected location: ~/Library/Application\ Support/com.openai.chat/conve…{uuid}/

The researcher created a special tool to obtain the data, and says that he was able to extract the chats without any special permissions from the app or the operating system. So in theory, any app, including malware, or an attacker could access ChatGPT chats without permission from the user. OpenAI acknowledged that its app did not encrypt the data. That might seem alarming, but The Verge reports that the issue has already been patched in an update for the ChatGPT macOS app.

As for why the app didn't use a sandbox, that is because OpenAI distributes the ChatGPT app for Mac via its own website instead of via Apple's Mac App Store. This means that OpenAI does not have to follow the rules set for App Store apps. In this case, it did not need to meet the requirement to sandbox the app and its data.
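To check whether an app's local data directory holds readable plain text, the kind of storage described above, a defender can sample each file and label it. This is an added example, not code from the article, the researcher or OpenAI; the function names, the 4 KiB sample size and the 7.5 bits/byte threshold are assumptions, and the directory to audit is passed as an argument.

```python
import codecs
import math
import os
import sys
from collections import Counter

SAMPLE_BYTES = 4096       # assumption: the first 4 KiB is representative of the file
ENTROPY_THRESHOLD = 7.5   # assumption: bits/byte at or above this suggests ciphertext or compression

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(sample: bytes) -> str:
    """Label a sample 'empty', 'plaintext', 'high-entropy' or 'binary'."""
    if not sample:
        return "empty"
    try:
        # Incremental decoding tolerates a multi-byte character cut off by the sample boundary.
        text = codecs.getincrementaldecoder("utf-8")().decode(sample, final=False)
    except UnicodeDecodeError:
        text = ""
    if text and all(ch.isprintable() or ch in "\t\r\n" for ch in text):
        return "plaintext"
    if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "binary"

def audit_dir(root: str) -> dict:
    """Map every regular file under root (by relative path) to its label."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    label = classify(fh.read(SAMPLE_BYTES))
            except OSError:
                label = "unreadable"
            findings[os.path.relpath(path, root)] = label
    return findings

if __name__ == "__main__":
    for rel, label in sorted(audit_dir(sys.argv[1]).items()):
        print(f"{label:12} {rel}")
```

A "plaintext" label only means the sample is readable text, so base64-wrapped ciphertext lands there too and hits need a manual look. Very small files cannot reach the entropy threshold and are labelled "binary".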

Is this a big issue? Probably not

That said, I'm not sure that this is a high security risk. Why? Well, this "vulnerability", if you can call it that, is only applicable in 2 scenarios: if a hacker has physical access to your Mac, or if your device is already infected by malware. Those are very rare scenarios, and if your device is already compromised, I think you may have bigger things to worry about than some random conversations with ChatGPT. Think about it, most apps store the user data on your device's local storage, and they do this by saving the information in an unencrypted database, i.e. your browser, document editor, and other apps save your data in plain text, so the fact that the ChatGPT app was also doing this is not really that big a deal. Many outlets have omitted this piece of information, and the result has been a bit of a fearmongering thing.

Don't get me wrong, I'm not defending OpenAI or any company here. I'd actually be more concerned about the privacy risks surrounding the usage of chatbots, as these services can, and will, use your data to train their language models. Rumor has it that Apple is working to bring Google Gemini to iPhones, iPads and Macs, in addition to OpenAI as part of iOS 18, iPadOS 18, and macOS 18.

Thank you for being a Ghacks reader. The post ChatGPT's macOS app was storing chats in plain text, but it has been patched appeared first on gHacks Technology News.
