ChatGPT for Mac Stores User Conversations in Plain Text, Exposing Sensitive Data to Malware
Last month, OpenAI announced that ChatGPT for Mac was available to all users. Through the official ChatGPT client, users can rapidly engage in text conversations, generate images, read screenshots or files, search conversations, and more.
However, even a company of OpenAI's scale has security vulnerabilities. ChatGPT for Mac saves all user conversations on the local disk in plain text format.
This means any application, process, or malicious software running on the Mac can directly read the full content of user chats without any authorization, potentially exposing private data.
Since the release of macOS Mojave 10.14 in 2018, Apple has introduced new security features to prevent other applications from accessing private data. When access to private data is needed, the system displays a prompt that the user must approve before the access proceeds.
When developing ChatGPT for Mac, OpenAI did not use Apple's recommended settings to store user data in a sandbox. Instead, OpenAI stored it in a vulnerable path at ~/Library/Application Support/com.openai.chat/conve…{uuid}/
Not only was the data stored in an unprotected path, but OpenAI also failed to encrypt user data, making it easy for anyone to steal complete chat contents.
Tech enthusiast Pedro Jose discovered this issue and posted a demonstration video on Meta Threads. Following user feedback, OpenAI promptly released a new version to address this issue.
In the latest version of ChatGPT for Mac, OpenAI now encrypts the data stored locally. Although the data is still not placed in a sandbox, encrypting the files improves security.
Users of ChatGPT for Mac are advised to immediately upgrade to the latest version to ensure their safety. The latest version can be downloaded from OpenAI's official website: https://openai.com/chatgpt/mac/
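To check after upgrading that the files on disk are no longer readable text, the following added example (not from the original article or from OpenAI) walks an app data directory and labels each file by a byte-entropy heuristic. The function names and the thresholds 7.5 and 5.5 bits per byte are assumptions of this example; a "high-entropy" label means encrypted or compressed, which the heuristic cannot tell apart.

```python
import codecs
import math
import os
import sys
from collections import Counter

SAMPLE_BYTES = 64 * 1024  # inspect only the start of each file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for JSON/English text, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Heuristic label; small ciphertext samples can fall into 'other'."""
    if not data:
        return "empty"
    entropy = shannon_entropy(data)
    if entropy >= 7.5:  # assumed threshold
        return "high-entropy"  # encrypted or compressed; this cannot tell which
    try:
        # Incremental decoder tolerates a multi-byte character cut by the sample limit.
        codecs.getincrementaldecoder("utf-8")().decode(data)
    except UnicodeDecodeError:
        return "other"
    return "readable-text" if entropy < 5.5 else "other"  # assumed threshold

def scan(root: str) -> list[tuple[str, str]]:
    """Label every file under root; unreadable files are reported, not skipped."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results.append((path, classify(fh.read(SAMPLE_BYTES))))
            except OSError as exc:
                results.append((path, f"unreadable: {exc.strerror}"))
    return results

if __name__ == "__main__":
    # Default is the app data directory named in the article; pass another path to override.
    default = os.path.expanduser("~/Library/Application Support/com.openai.chat")
    findings = scan(sys.argv[1] if len(sys.argv) > 1 else default)
    for path, label in findings:
        print(f"{label:14} {path}")
    sys.exit(1 if any(label == "readable-text" for _, label in findings) else 0)
```

The script exits with status 1 if any file is labelled readable-text, so it can be used as a pass/fail check.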