this post was submitted on 03 Jul 2024
76 points (96.3% liked)

Furry Technologists

1308 readers
1 users here now

Science, Technology, and pawbs

founded 1 year ago
MODERATORS
 

Oops

top 10 comments
sorted by: hot top controversial new old
[–] realDek4y@lemmy.world 18 points 4 months ago

“We’re committed to providing a helpful user experience while maintaining our high security standards as our technology evolves.”

Ah, the most high security there is, plain text files.

[–] henfredemars@infosec.pub 5 points 4 months ago (1 children)

I’m a little confused. If the conversations weren’t stored in plain text, wouldn’t the key have to be stored on your computer also? Isn’t that plain text with extra steps?

[–] black0ut@pawb.social 10 points 4 months ago (1 children)

Depends on the system, but normally, the OS provides a way to encrypt a file using the user credentials. It's completely seamless while the user is logged in and using the computer. It's true that any program running with the user privileges and within its session can open the file, but once the user logs out it's unreadable.

[–] pivot_root@lemmy.world 6 points 4 months ago* (last edited 4 months ago)

With MacOS, specifically, it's stupidly easy and unintrusive to enable disk encryption. Outside of that, programs can save key-value pairs to Keychain (a credential store) and use that to store a randomly-generated encryption key.

It's true that any program running with the user privileges and within its session can open the file, but once the user logs out it's unreadable.

If the data was saved to the login Keychain, it should only be accessible while that specific user is logged in. The existence of vulnerabilities notwithstanding, it should actually be reasonably secure as long as System Integrity Protection is enabled and the program in question isn't running. SIP stops users (including root) from messing with system files or processes, and the Keychain requires a user password prompt to give programs access to entries created by other programs.

Now, considering all the above... it would have taken a day at most to figure out how to encrypt the data before it gets written to the file so it's not just sitting completely out in the open.

[–] qx128@lemmy.world 4 points 4 months ago (1 children)

Sadly, looks like they also didn’t store the files in an area accessible only to the user that created them. That seems like the most logical protection… I’m less worried about encryption if only my user id can access the files…

[–] pivot_root@lemmy.world 3 points 4 months ago* (last edited 4 months ago)

According to the post linked in the article, it's under ~/Library/Application Support.

The good news is that ~/Library isn't world-readable by default. The bad news is that it's still very easily readable by any process running under the user and by any other user with admin privileges or access to sudo.

[–] muntedcrocodile@lemm.ee 3 points 4 months ago* (last edited 4 months ago)

Um whats the problwm here plain text on ur local computer? Isnt it only really a problem if u dont have disk encryption but u guess in that case u got far bigger issues.

[–] subignition@fedia.io 2 points 4 months ago

What kind of bullshit are people doing with GPT that this is even a concern?

[–] Blaster_M@lemmy.world 1 points 4 months ago

Well, so does Ollama, but it is on your PC.

[–] autotldr@lemmings.world 1 points 4 months ago

This is the best summary I could come up with:


Until Friday, OpenAI’s recently launched ChatGPT macOS app had a potentially worrying security issue: it wasn’t hard to find your chats stored on your computer and read them in plain text.

That meant that if a bad actor or malicious app had access to your machine, they could easily read your conversations with ChatGPT and the data contained within them.

After The Verge contacted OpenAI about the issue, the company released an update that it says encrypts the chats.

“We are aware of this issue and have shipped a new version of the application which encrypts these conversations,” OpenAI spokesperson Taya Christianson says in a statement to The Verge.

“We’re committed to providing a helpful user experience while maintaining our high security standards as our technology evolves.”

After downloading the update, Pereira Vieito’s app no longer works for me, and I can’t see my conversations in plain text.


The original article contains 364 words, the summary contains 148 words. Saved 59%. I'm a bot and I'm open source!