Last month, OpenAI announced the general availability of ChatGPT desktop for macOS users. The app allowed users to chat about emails, screenshots, files, and anything on their screen. Users can invoke ChatGPT by pressing Option + Space from any screen on their Mac. It also allowed users to search their past conversations.
Recently, tech enthusiast Pedro José discovered that the OpenAI app for macOS was storing all user conversations in plain text inside an unprotected file location:
~/Library/Application\ Support/com.openai.chat/conve…{uuid}/
Because of this poor security design, any app, process, or malware running on a Mac could seemingly access and read all ChatGPT conversations without any permissions.
To prevent malware and apps from accessing personal data belonging to other apps, macOS Mojave 10.14 introduced a new security feature that blocked access to private user data. Apps needing access to private user data (Calendar, Contacts, Mail, Photos, and third-party app sandboxes) require explicit user permission. However, OpenAI”s ChatGPT app for macOS did not store user data in Apple”s recommended sandbox location. Instead, it stored conversations in plain text in an unprotected location, allowing any app to access private user data.
After this security issue was pointed out, OpenAI has now updated its ChatGPT app for macOS to encrypt the locally stored private data.
Recently, Microsoft came under fire for a similar poor security design for its Recall feature in Windows Copilot+ PCs. Following backlash, Microsoft decided to delay the release of this much-awaited feature. Microsoft later confirmed that it will use “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS), so Recall snapshots will only be decrypted and accessible when the user authenticates. After improving the security of the Recall feature, Microsoft is planning to release the Recall feature to Windows Insiders for further testing in the coming weeks.
Source: pvieito (Threads)
Source: OpenAI’s ChatGPT app on macOS was storing all conversations in plain text