lol

ChatGPT Atlas stores unencrypted oAuth tokens in SQLite | Pete Johnson posted on the topic | LinkedIn

It appears that ChatGPT Atlas is storing functional, unencrypted oAuth tokens in a SQLite database with 644 file permissions. I am hardly a security expert and even I figured this out in 90 minutes. Here's what I did and what the screenshot shows . . . After installing ChatGPT Atlas last night, I was curious this morning in how it might be storing cached data so I went snooping around ~/Library/Caches/com.openai.atlas/ But then what I found was surprising. While it is standard practice on the Mac for a browser to store oAuth tokens in a SQLite database, what I discovered that apparently isn't standard practice is that by default the ChatGPT Atlas install has 644 permissions on that file (making it accessible to any process on your system) and that unlike Chrome and other browsers, ChatGPT Atlas isn't using keychain to encrypt the oAuth tokens within that SQLite database (which means that those tokens are queryable and then usable). I never got asked about enabling keychain during the install process, but I could have missed something. If you click and then right click the image in this post in a new tab, you can see the detail. The green terminal window shows the local script I wrote, the file permissions on the SQLite database, and the redacted output of the script, which pulls the unencrypted oAuth tokens and then uses them against the OpenAI API to pull my profile (full contents in the blue terminal window) and conversation history (partial contents in the red terminal window, pulling messages given the conversation ID works but is not shown). In the green window, notice that the script attempts to pull account status but gets a 405 (method not allowed) but not a 401 (unauthorized). Also note that the conversation history isn't just from ChatGPT Atlas. When I couldn't believe when I was seeing, I opened a new Chrome tab and asked the web version of ChatGPT what standard practice here was and even it agreed that if an unnamed browser were doing this it would be a security risk. That separate web conversation is the first one listed. I hesitate to publish the script given the number of people who are at risk given the fanfare of the release yesterday, but if you want it DM me. I'm looking at you Krish Subramanian Casey Bleeker Brent Blawat Sonny Baillargeon Joseph Fu UPDATE (11a EDT 10/22): Matt Johnson confirmed for me that the script I wrote extracts the profile and conversations from his account/install as well. He pointed out that default Mac user profile permissions will stop this from working cross-account. Also, there does not appear to be a way to log a bug against Atlas currently. Even so, I would hope this gets fixed by the end of the week. UPDATE 2 (10:30p EDT 10/22): Based on comments and conversations throughout the day, it appears that some users get asked about their keychains and presumably get encrypted oAuth tokens while others do not. It's unclear why some get unlucky, like I did. | 114 comments on LinkedIn