ChatGPT's macOS app was storing chats in plain text, but it has been patched

Jul 8, 2024

A software engineer has discovered that OpenAI's ChatGPT app for Mac was saving chats in plain text. Here is what happened.

In case you missed it, the ChatGPT Mac app was released a week ago for all users. Pedro José Pereira Vieito published his findings on Threads, revealing that the popular chatbot's desktop app was storing users' conversations with the chatbot in plain text on local storage.

ChatGPT for Mac was storing conversations in plain text

The security enthusiast noted that macOS has blocked other apps from snooping into user data since macOS Mojave 10.4, which was released 6 years ago. Vieito pointed out that macOS would not allow other apps to access the chats if the app in question were sandboxed. More specifically, ChatGPT's Mac app was saving the data in the following non-protected location: ~/Library/Application\ Support/…{uuid}/

The researcher had created a special tool to obtain the data, and says that he was successful in extracting the chats without any special permissions from the app or the operating system. So in theory, any app, including malware or an attacker, could access ChatGPT chats without permission from the user. OpenAI acknowledged the fact that its app did not encrypt the data. That might seem alarming, but The Verge reports that the issue has already been patched in an update for the ChatGPT macOS app.

As for why the app didn't use a sandbox: OpenAI distributes the ChatGPT app for Mac via its own website instead of Apple's Mac App Store. This means that OpenAI does not have to follow the rules set for apps on the store; in this case, it did not need to meet the requirement to sandbox the app and its data.
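One way to audit this from the defender's side is to read each installed app's signed entitlements and flag the ones that do not opt into the App Sandbox. The sketch below is an added example, not code from the article or the researcher's tool; it assumes the entitlement XML was already dumped per app (for instance with codesign), and the app names and sample plists are constructed.

```python
import plistlib

# Real entitlement key that opts a macOS app into the App Sandbox.
SANDBOX_KEY = "com.apple.security.app-sandbox"

# Constructed sample entitlement plists (not taken from any real app).
SANDBOXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>"""
UNSANDBOXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
</dict></plist>"""
DISABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><false/>
</dict></plist>"""


def sandbox_status(entitlements_xml):
    """Classify one app as 'sandboxed', 'not-sandboxed' or 'unreadable'."""
    if not entitlements_xml.strip():
        # An app signed with no entitlements at all cannot be sandboxed.
        return "not-sandboxed"
    try:
        entitlements = plistlib.loads(entitlements_xml)
    except Exception:
        # Truncated or non-plist input: report it rather than guess.
        return "unreadable"
    if not isinstance(entitlements, dict):
        return "unreadable"
    # The key must be present AND boolean true; <false/> means opted out.
    if entitlements.get(SANDBOX_KEY) is True:
        return "sandboxed"
    return "not-sandboxed"


def unsandboxed_apps(inventory):
    """Return sorted names of apps that are not confirmed sandboxed."""
    return sorted(name for name, xml in inventory.items()
                  if sandbox_status(xml) != "sandboxed")


if __name__ == "__main__":
    # Hypothetical inventory: app name -> dumped entitlement XML.
    inventory = {"StoreApp": SANDBOXED, "WebDownloadedApp": UNSANDBOXED,
                 "OptedOutApp": DISABLED, "BrokenDump": SANDBOXED[:60]}
    print(unsandboxed_apps(inventory))
```

Apps reported here keep their data outside a per-app container, so any plain-text files they write under the user's Library folder deserve a closer look.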

Is this a big issue? Probably not

That said, I'm not sure that this is a high security risk. Why? Well, this "vulnerability", if you can call it that, is only applicable in 2 scenarios: if a hacker has physical access to your Mac, or if your device is already infected by malware. Those are very rare scenarios, and if your device is already compromised, I think you may have bigger things to worry about than some random conversations with ChatGPT. Think about it: most apps store the user data on your device's local storage, and they do this by saving the information in an unencrypted database, i.e. your browser, document editor, and other apps save your data in plain text, so the fact that the ChatGPT app was also doing this is not really that big a deal. Many outlets have omitted this piece of information, and the result has been a bit of a fearmongering thing.

Don't get me wrong, I'm not defending OpenAI or any company here. I'd actually be more concerned about the privacy risks surrounding the usage of chatbots, as these services can, and will, use your data to train their language models. Rumor has it that Apple is working to bring Google Gemini to iPhones, iPads and Macs, in addition to OpenAI as part of iOS 18, iPadOS 18, and macOS 18.



  1. Anonymous said on July 9, 2024 at 10:11 am

    Man I wish I had a Mac. This behavior is the default on Windows, all applications have access to a lot of things even without granting admin access.
    It’s a shame what Microsoft has gotten us all used to. Maybe I should switch to Macs after all.

  2. Carl said on July 8, 2024 at 6:16 pm

    Just use triple ROT13 “encryption” and the security researchers are thrown off.

  3. John G. said on July 8, 2024 at 11:00 am

    I think this is an important security issue, nothing should be stored without permission.

    Thanks @Ashwin for the articles of the MacOS world! :]
