AI for Business

OpenAI's Mac App Stored Private Chats in Plain Sight


A significant security lapse in OpenAI's ChatGPT desktop app for macOS went undetected for months, exposing private user conversations. The application, released in May 2024, stored chat logs as plain text files on a user's computer. This meant any other program or script on the machine could potentially read them, from benign utilities to malware.

Developer Pedro José Pereira Vieito uncovered the flaw in July. He demonstrated it by creating a simple program that could read a ChatGPT user's conversation history in real time. The vulnerability presented a direct risk: anyone with access to the Mac, whether through a compromised account or malicious software, could silently collect every query and response. For professionals using ChatGPT to debug code, draft documents, or discuss confidential projects, the exposure was substantial.

OpenAI has since released an update that encrypts these local conversations. The company urged users to install the patch immediately. However, the incident was not formally tracked with a standard security advisory, a decision that drew scrutiny from industry experts.

The oversight is striking given OpenAI's intense focus on long-term AI safety and its active pursuit of corporate clients. The company markets its enterprise products as secure and compliant, yet this consumer-grade app, used by many on work devices, neglected a fundamental tenet of local data protection. This wasn't a complex exploit; it was the omission of a basic practice.

For businesses, the episode serves as a reminder to audit unsanctioned software on corporate devices. Employees who installed the Mac app may have inadvertently created a plain-text archive of sensitive discussions. The fix is now available, but the error highlights a persistent tension in the AI sector: the race to deploy powerful new tools can sometimes outpace the essential, unglamorous work of securing them.
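For the audit described above, here is one way to check whether an application's local data directory holds readable plain text rather than encrypted content. This is an added example, not code from OpenAI or from the researcher; the directory is supplied by the auditor, and the entropy threshold and sample size are assumed heuristics.

```python
import math, os, stat, sys
from collections import Counter

SAMPLE_BYTES = 4096   # assumption: the first 4 KiB is representative of the file
ENTROPY_LIMIT = 5.5   # heuristic: prose and JSON sit below this, ciphertext near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Return 'plaintext', 'opaque' (likely encrypted or binary) or 'empty'."""
    if not data:
        return "empty"
    text = data.decode("utf-8", errors="replace")
    # Undecodable bytes become U+FFFD and count against the printable ratio.
    ok = sum((ch.isprintable() and ch != "\ufffd") or ch in "\r\n\t" for ch in text)
    if ok / len(text) >= 0.95 and shannon_entropy(data) < ENTROPY_LIMIT:
        return "plaintext"
    return "opaque"

def audit(root: str) -> list[dict]:
    """Walk root and report each regular file's mode and content class."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices
            try:
                with open(path, "rb") as fh:
                    kind = classify(fh.read(SAMPLE_BYTES))
            except OSError:
                kind = "unreadable"
            findings.append({"path": path, "kind": kind,
                             "mode": oct(stat.S_IMODE(st.st_mode)),
                             "other_readable": bool(st.st_mode & stat.S_IROTH)})
    return findings

if __name__ == "__main__":
    # Directory comes from the auditor; no application path is assumed here.
    for f in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        if f["kind"] == "plaintext":
            print(f["mode"], f["path"])
```

Restrictive file modes do not help against a process running as the same user, so the content class is the finding that matters. Base64-wrapped ciphertext has entropy near 6.0 and still lands in "opaque" at this threshold.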

Source: Webpronews
