Tag: plain text

  • ChatGPT Mac App saved plain text chats to local files, updated version resolves the issue

    If you downloaded and began playing around with the ChatGPT app for Mac recently, you might want to download the update.

    According to The Verge, developer Pedro José Pereira Vieito noted that the app was locally storing users’ conversations with the chatbot in unencrypted plain text.

    “I was curious about why OpenAI opted out of using the app sandbox protections and ended up checking where they stored the app data,” said Pereira Vieito.

    That led Pereira Vieito to develop “ChatGPTStealer,” a simple app to demonstrate how easy it is to load the chats in a text window outside of the ChatGPT app. After successfully trying out the app for himself, Peters said he was also able to see the text of conversations on his computer just by changing the file name, indicating the extent of the privacy risk.

    The ChatGPT Mac app is currently available solely through OpenAI’s website, meaning it has not been obligated to follow Apple’s sandboxing requirements that apply to software distributed via the Mac App Store. The oversight basically meant any other running app or process could potentially access the ChatGPT conversations without prompting the user for permission.

    The Verge later contacted OpenAI about the issue, and company spokesperson Taya Christianson offered the following comment:

    “We are aware of this issue and have shipped a new version of the application which encrypts these conversations. We’re committed to providing a helpful user experience while maintaining our high security standards as our technology evolves.”

    After downloading the update (v1.2024.171), Pereira Vieito’s app no longer works, and Peters said he was no longer able to see his conversations with the chatbot in plain text.

    As such, be sure to snag the new version and please let us know about your ChatGPT experience in the comments.

    Via MacRumors, @pvieito, and The Verge

  • Facebook confirms millions of Instagram users’ passwords were stored on company servers in an unencrypted format

    And the hits just keep on coming for Facebook.

    In March, Facebook announced that millions of its users’ passwords had been stored on company servers with no encryption. The company also stated that “tens of thousands” of Instagram passwords were stored in the same unencrypted format.

    That number has now proven to amount to millions of Instagram passwords that had been stored in a readable format.

    Per the company’s blog post on the issue:

    Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.

    The unencrypted, plain text passwords had been accessible to thousands of Facebook employees. Although the company has stated that there’s no “evidence to date” of employees abusing or improperly accessing the passwords, these remain a high-value target for anyone inclined.

    Facebook will be notifying Instagram users whose passwords were improperly stored, and Instagram users who are concerned about their accounts should change their passwords and make sure two-factor authentication is enabled. 

    The security leak comes only one day after news spread that the company had harvested the email contacts of 1.5 million users without their consent and used the data to build a web of social connections. 

    Stay tuned for additional details as they become available.

    Via MacRumors and Recode

  • Security hole found in FileVault under Mac OS X 10.7.3

    Ok, this isn’t the best news in the world…

    Per Cryptome, Apple’s legacy FileVault Mac encryption system in OS X 10.7.3 has a security flaw that could allow malicious users to access stored passwords. According to the post, the issue only applies in specific configurations to users who have updated to OS X 10.7.3, in which a system-wide debug file that displays login passwords in plain text is created.

    “Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012,” Emery explained.

    The login data can also be viewed by booting a Mac into FireWire disk mode and reading it by opening the drive as a disk. The information can also be accessed by booting the Lion recovery partition and using the available superuser shell to mount the main file system partition.

    Users can protect themselves from these methods by using the whole disk encryption capabilities of FileVault 2. Emery explained that this requires that a user know at least one login password before they can access the main partition of the disk.

    Further protection can be achieved by setting a firmware password that must be supplied before a user can boot the recovery partition or external media, or enter FireWire disk mode.

    “Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model — not uncommon in families — where different users of a particular machine are isolated from each other and cannot access each others’ files or login as each other with some degree of assurance of security,” Emery wrote.

    The bug was introduced with Apple’s OS X 10.7.3 update, which was issued in early February. The latest version of Lion came with Wi-Fi connectivity fixes and Windows file sharing compatibility.

    Stay tuned for additional details as they become available.