Once again, OpenAI finds itself in the news, this time because of two separate security issues. The first concerns the ChatGPT app for Mac, while the second raises questions about the company’s cybersecurity management.

Pedro José Pereira Vieito, an engineer and Swift developer, discovered earlier this week that the ChatGPT Mac app stores user conversations locally in plain text rather than encrypting them. The app is downloaded directly from OpenAI’s website, which bypasses Apple’s sandboxing requirements. After The Verge highlighted Vieito’s work, OpenAI released an update that encrypts locally stored chats.

For non-programmers: sandboxing keeps errors and vulnerabilities from spreading across a computer. And for those who aren’t tech-savvy, keeping local files in plain text makes sensitive information accessible to malicious programs and other apps.

The second issue surfaced in 2023 and lingers to this day. An unauthorized third party gained access to OpenAI’s internal messaging systems last spring and stole sensitive information. Leopold Aschenbrenner, a technical program manager at OpenAI, reportedly voiced security concerns to the company’s board of directors after the hack, claiming that it revealed internal weaknesses that potential attackers from outside the country could exploit. The New York Times covered this incident.

Aschenbrenner has since claimed that he was fired for leaking information on OpenAI and raising security issues within the company. An OpenAI spokesman told The Times that “while we share his commitment to building safe A.G.I., we disagree with many of the claims he has since made about our work,” and that his departure was not due to blowing the whistle.

Every software company has dealt with app vulnerabilities. Breaches by hackers and strained relationships between whistleblowers and their companies are both tragically common. Nevertheless, the widespread integration of ChatGPT into services offered by large companies, along with the disarray around the company’s control, processes, and public image, has raised concerns about OpenAI’s data management capabilities.

By aclay