Mac users of OpenAI’s ChatGPT application were left vulnerable after a security flaw exposed their conversations in an unencrypted format.
The issue stemmed from the app’s lack of sandboxing, a security measure that restricts an application’s access to the system and other programs. This oversight allowed any program running on the user’s machine, including malware, to access the ChatGPT conversation history.
The sensitive information resided in plain text within an unprotected folder on the user’s device. This folder, located at “~/Library/Application Support/com. openai. chat/conversations-{uuid}/”, contained transcripts of all interactions with the AI chatbot.
The vulnerability was brought to light by security researcher Pedro José Pereira Vieito, who discovered the exposed conversations during a routine analysis of the application. Vieito’s findings raised concerns about the potential for unauthorized access to private conversations, particularly those containing sensitive information.
Following the disclosure, OpenAI issued a prompt update that addressed the security lapse. The update introduced encryption for conversation history, safeguarding user data from unauthorized access by other applications.
While the update rectified the immediate issue, the incident highlights the importance of robust security practices for applications handling sensitive user data. The lack of sandboxing in the initial version of ChatGPT for macOS represents a significant oversight that could have exposed user privacy.
The episode serves as a reminder for users to exercise caution when installing software, particularly applications downloaded from outside the official Mac App Store. Scrutinizing app permissions and staying informed about potential security vulnerabilities are crucial steps in protecting user data.