For a company that talks constantly about safety, OpenAI made a remarkably basic mistake. Its ChatGPT desktop application for macOS was storing user conversations in plain text — readable by any other application on the machine, any script, any piece of malware. No encryption. No sandboxing. Just raw conversation data sitting in an accessible directory, waiting to be harvested.
The vulnerability, first flagged by developer Pedro José Pereira Vieito in July 2024, exposed a fundamental tension at the heart of OpenAI’s operation: the company pours billions into aligning superintelligent AI systems while simultaneously shipping consumer software that ignores platform security conventions a junior developer would know to follow. As TechRadar reported, OpenAI has since acknowledged the issue and pushed an update, but the episode raises uncomfortable questions about the company’s software engineering discipline — and about what other oversights might be lurking in products used by tens of millions of people.
Here’s what happened. When OpenAI released the ChatGPT desktop app for macOS in May 2024, it distributed the application outside of Apple’s Mac App Store. That decision alone isn’t unusual — many enterprise and developer tools skip the App Store. But it meant the app wasn’t subject to Apple’s sandboxing requirements, which restrict what files an application can access and where it can store data. OpenAI’s app stored conversations in plain text files within the macOS filesystem, in a location accessible to other processes running on the same machine.
Vieito demonstrated the flaw by building a separate app that could read ChatGPT conversation histories in real time. He shared his findings on social media, and the story quickly gained traction in security circles. The implications were stark: anyone with local access to a Mac running ChatGPT — whether through physical access, a compromised user account, or malicious software — could silently exfiltrate every conversation the user had with the AI assistant.
That’s not a theoretical risk. It’s a practical one.
Consider the typical ChatGPT power user. They paste in proprietary code for debugging. They draft sensitive business communications. They brainstorm strategy documents. They ask questions about confidential projects. All of that, stored as plain text. A gift-wrapped intelligence package for any attacker who managed to get even limited access to the machine.
OpenAI responded by releasing an updated version of the app that encrypts stored conversations. The company told TechRadar that it was aware of the issue and had shipped a fix, urging all macOS users to update immediately. But the company didn’t issue a formal CVE or publish a detailed security advisory — a choice that itself drew criticism from security professionals who argue that transparency about vulnerabilities is essential for enterprise trust.
The timing is particularly awkward. OpenAI has been aggressively courting enterprise customers, pitching ChatGPT Team and ChatGPT Enterprise as secure, compliant tools for business use. The company’s own security documentation emphasizes data protection and access controls. Yet the consumer Mac app — which many of those same enterprise employees use on their personal and work machines — was failing at the most elementary level of local data protection.
And this wasn’t a sophisticated cryptographic flaw or a subtle race condition. It was plain text storage. The kind of mistake that security training materials use as a cautionary example for first-year developers.
The broader context matters. OpenAI has faced a string of security-related incidents and concerns over the past year. In March 2023, a bug in the open-source library used by ChatGPT exposed some users’ chat histories and payment information to other users. The company disclosed the issue and patched it, but the incident shook confidence in OpenAI’s operational security posture. More recently, reports have surfaced about internal disagreements at OpenAI over the pace of product releases versus the thoroughness of security reviews — a tension familiar to any fast-growing technology company, but one with higher stakes when the product handles sensitive user data and sits at the center of an intensifying geopolitical competition over AI capabilities.
Security researchers have been paying closer attention to AI applications in general. The attack surface is novel and expanding. AI assistants process and store conversations that can contain anything — trade secrets, medical information, legal strategies, personal confessions. The applications themselves are often built rapidly, with small teams focused primarily on model integration and user experience rather than on hardening the local client. This creates a pattern that security professionals find deeply concerning: high-value data flowing through applications that haven’t been subjected to the same rigor as, say, a banking app or a password manager.
Apple’s own security model is relevant here. macOS has steadily tightened its application sandboxing and data access controls over the past decade. Apps distributed through the Mac App Store must operate within a sandbox that limits their access to the filesystem, the network, and other system resources. Apps distributed outside the store can opt into sandboxing, but they aren’t required to. OpenAI chose the path of least restriction — and then failed to implement compensating controls of its own.
That’s a pattern worth watching across the AI industry. Speed of deployment is prized. Security review is often an afterthought.
The fix itself appears straightforward. The updated ChatGPT app now encrypts conversation data at rest, making it unreadable to other applications without the appropriate decryption key. OpenAI hasn’t published technical details about the encryption scheme used, which leaves open questions about key management and whether the implementation would withstand scrutiny from a determined attacker with local access. But it’s a significant improvement over plain text, and it brings the app closer to the baseline expectations for any application handling sensitive user data on a modern operating system.
For macOS users who haven’t updated, the advice is unambiguous: do it now. The old versions of the app leave conversation histories exposed. Updating resolves the immediate vulnerability. Users who are particularly security-conscious may also want to manually delete old conversation data stored by the previous version of the app, though OpenAI hasn’t provided specific instructions for doing so.
Enterprise security teams should take note as well. If employees have been using the ChatGPT macOS app on corporate machines — and many have, whether sanctioned or not — those machines may have stored sensitive corporate data in plain text for weeks or months. That’s a data exposure event that may warrant investigation, depending on the organization’s risk tolerance and regulatory obligations.
So where does this leave OpenAI’s credibility on security? Dented, but not destroyed. The company fixed the issue relatively quickly once it was publicly reported. But the fact that it shipped the vulnerability in the first place — and that it took an external researcher to flag it — suggests gaps in OpenAI’s internal security review processes. For a company valued at over $150 billion and positioning itself as a trusted partner for governments and Fortune 500 companies, those gaps are harder to explain away than they might be for a scrappy startup.
The incident also highlights a structural challenge for the AI industry. These companies are building some of the most sophisticated machine learning systems ever created. The engineering talent is extraordinary. But the mundane, unglamorous work of application security — input validation, encryption at rest, proper sandboxing, secure storage — doesn’t always get the same attention or resources. It should. Because no amount of frontier AI research matters if the product that delivers it to users can’t protect their data from a trivial local attack.
One more thing. OpenAI isn’t alone in this kind of oversight. Security researchers have found similar issues in other AI-powered desktop applications, where the rush to ship has outpaced the discipline of secure development. The difference is that OpenAI is the most prominent player in the space, with the largest user base and the most to lose. When OpenAI gets basic security wrong, it signals something about the industry’s priorities — and it gives ammunition to regulators and critics who argue that AI companies need more external oversight, not less.
The ChatGPT macOS vulnerability is fixed. But the questions it raises aren’t going away.
WebProNews is an iEntry Publication