OpenAI, the company behind ChatGPT, has been in the spotlight again, but this time for security issues. Two recent incidents have raised significant concerns about the company’s handling of cybersecurity, casting a shadow over its reputation.
The first issue emerged this week when engineer and Swift developer Pedro José Pereira Vieito uncovered a troubling vulnerability in the Mac ChatGPT app. Vieito discovered that the app was storing user conversations locally in plain text rather than encrypting them.
This means potentially sensitive data could be easily accessed by other apps or malware on the same machine. The app, available only from OpenAI’s website, bypasses Apple’s App Store and its sandboxing requirements, which are designed to contain potential vulnerabilities within individual applications.
Sandboxing is a crucial security practice that prevents vulnerabilities in one app from affecting others on a machine. Without it, the risk of sensitive information being exposed increases. Following Vieito’s findings, which The Verge later reported, OpenAI released an update that added encryption to the locally stored chats.
The second issue dates back to 2023 but continues to resonate today. Last spring, a hacker managed to infiltrate OpenAI’s internal messaging systems, gaining access to sensitive information about the company. This breach highlighted potential internal security weaknesses that malicious actors could exploit. OpenAI’s technical program manager at the time, Leopold Aschenbrenner, raised these concerns with the company’s board of directors, emphasizing the risk of foreign adversaries exploiting these vulnerabilities.
Aschenbrenner now alleges that he was fired for bringing these security issues to light and disclosing information about the breach. OpenAI, however, disputes this, stating that his termination was unrelated to whistleblowing. A representative from OpenAI told The New York Times that while the company shares Aschenbrenner’s commitment to building safe artificial general intelligence (AGI), it disagrees with many of his claims about their security practices.
Security vulnerabilities in software applications are not uncommon in the tech industry, and breaches by hackers are a persistent threat. Contentious relationships between whistleblowers and their former employers also frequently make headlines.
However, the combination of these issues at OpenAI, especially given the widespread adoption of ChatGPT, raises serious concerns. The app’s integration into services by significant players and the perceived chaotic oversight at OpenAI are beginning to create a more troubling narrative about the company’s ability to manage and protect its data.
The recent incidents underscore the need for robust cybersecurity measures and transparent practices, particularly for a company at the forefront of AI development. As OpenAI continues to navigate these challenges, the broader implications for data security and trust in AI technology remain critical issues for both the company and its users.