Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security

OpenAI's ChatGPT Mac App Was Storing Conversations in Plain Text (theverge.com) 15

OpenAI's ChatGPT app for macOS contained a security vulnerability until Friday, potentially exposing users' conversations to unauthorized access, according to a developer's findings. The flaw allowed stored chats to be easily located and read in plain text on users' computers. Pedro Jose Pereira Vieito demonstrated the issue on social media, showing how a separate application could access and display recent ChatGPT conversations.
This discussion has been archived. No new comments can be posted.

OpenAI's ChatGPT Mac App Was Storing Conversations in Plain Text

Comments Filter:
  • by internet-redstar ( 552612 ) on Wednesday July 03, 2024 @04:36PM (#64599147) Homepage
    Clearly not a security issue... all of my apps store my documents on my private computer so other programs can read them... Strange OpenAI decided to hash them now...
    • Yeah, I don't get it. It appears to see my chat transcripts, you would have to be logged in to my computer as me. OK.
    • by piojo ( 995934 )

      On MacOS, aren't applications supposed to store logs in a sandbox directory where other applications don't have permission to read them?

      • On MacOS, aren't applications supposed to store logs in a sandbox directory where other applications don't have permission to read them?

        It's only required to be in the Mac App Store, otherwise opt-in, and for whatever reason they make you download it direct from OpenAI.com instead of the store. IDK, but what the app does probably exceeds the level of sandboxing the App Store requires, like installing a system wide shortcut to trigger the microphone. Apparently since they didn't need any sandboxing they didn't use it at all until now, and the opt-in form isn't all-or-nothing, you create a policy and carve out exceptions.

        It's a good thing, bu

  • Not nice, but... (Score:4, Insightful)

    by joh ( 27088 ) on Wednesday July 03, 2024 @04:43PM (#64599161)

    All my email is readable as plain text on my computer too if someone has access to it. I mean, this is really low-hanging fruit.

  • So I landed on Fedora. Amazingly, despite all my disabilities, I've been able to use it as my daily driver for a month now. And all the apps I use as a developer are there, better even! Fortunately, I can't really game anymore, so no issue, but I hear even that's vastly better under Steam with the latest tooling.

    Accessibility in KDE Plasma 6.1.1 is unbelievably good, even better than Windows. I use Meta (Win key) +,-,0 for zooming, and Meta+I to invert colors when it's too bright. I do not recommend an

  • Pedro clearly doesn't understand security.  Don't be a customer of any company that hires that guy.
  • by afaiktoit ( 831835 ) on Wednesday July 03, 2024 @05:15PM (#64599209)
    at least something was Open.
  • Omg!! (Score:5, Insightful)

    by ironicsky ( 569792 ) on Wednesday July 03, 2024 @06:02PM (#64599323) Journal

    This is so horrible! How dare they store things in plain text on my own computer!!!

    At least my browser history, emails, office documents, code sources, and other documents are encrypted to provide against unauthorized local access!!

    Oh... wait.

    They aren't either

    • by Bert64 ( 520050 )

      And thanks to clueless scare mongering like this they soon will be, but then in order to be usable the key will stored somewhere too so it's obfuscation rather than real encryption.
      So the end result is inconvenience for the user, with zero actual benefit to the security model as anyone determined and capable could still extract and use the key from the same position.

  • by ctilsie242 ( 4841247 ) on Thursday July 04, 2024 @06:02AM (#64600213)

    I wonder if this is a tempest in a teapot. My web browser stores my history unencrypted. My zsh and bash shell history is in plaintext in my home directory. Against someone attacking the machine via remote, it is firewalled enough and has no incoming services running on it. Physically, I use the OS's default (Ubuntu does a cool way to allow for encrypting the / filesystem with ZFS in 24.04), that keeps my data protected.

    Maybe ChatGPT should offer a checkbox combined with an optional PIN or TouchID on macOS, then from there, use CryptoKit. Or, perhaps store chats in a SQLIte3 database protected by Zetetic's SQLCipher or SQLLite's SEE extensions, which ensure that encryption is done in an easy, transparant manner, and chat history is stored in an atomic format that is well secured. For validating PINs and such, use the LocalAuthentication framework and TouchID, or if one wants, TouchID plus a PIN if someone wants to ensure their ChatGPT history is secure.

    I'm not seeing why this is a big deal. Worst case, in Windows, enable EFS, and use "cipher" to protect the ChatGPT directory. Of course, it is wise to save one's EFS key somewhere secure, but EFS ensures that someone has to authenticate as that user's context in order to read files under it.

To communicate is the beginning of understanding. -- AT&T

Working...