Users Alert About New ChatGPT Security Flaws - 1

Image by Sanket Mishra on Pexels

Users Alert About New ChatGPT Security Flaws

  • Written by Andrea Miliani Former Tech News Expert
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

Users have noticed multiple issues with OpenAI’s assistant ChatGPT, including security flaws for the new ChatGPT Mac software and an internal leak, since last week.

According to The Verge , OpenAI’s new macOS app was storing information from users in plain text. This issue could potentially allow malicious actors with access to the user’s computer to read previous conversations with ChatGPT.

User Pedro José Pereira Vieito shared a video on X and Threads demonstrating the security flaw and how easy it was to access private files.

The OpenAI ChatGPT app on macOS is not sandboxed and stores all the conversations in plain-text in a non-protected location: ~/Library/Application\ Support/com.openai.chat/conversations-{uuid}/ So basically any other app / malware can read all your ChatGPT conversations: pic.twitter.com/IqtNUOSql7 — Pedro José Pereira Vieito (@pvieito) July 2, 2024

The Verge reached out to OpenAI and they responded. “We are aware of this issue and have shipped a new version of the application which encrypts these conversations,” said spokesperson Taya Christianson. “We’re committed to providing a helpful user experience while maintaining our high-security standards as our technology evolves.”

The new update no longer shows this vulnerability, it has been fixed, but another issue was also revealed on Reddit .

As reported by Tech Radar , ChatGPT shared internal information to a user after they casually greeted the assistant with a “Hi.” The user explained that the AI assistant replied with a set of instructions.

“You are ChatGPT, a large language model trained by OpenAI, based on the GPT-4 architecture. You are chatting with the user via the ChatGPT iOS app,” wrote ChatGPT. “This means most of the time your lines should be a sentence or two unless the user’s request requires reasoning or long-form outputs. Never use emojis, unless explicitly asked to. Knowledge cutoff: 2023-10 Current date: 2024-06-30.”

The user kept chatting with the bot and learned more information about how Dall-E—the image generator tool— worked. It provided details on how the AI assistant interacts and manages information.

Other users revealed that ChatGPT has multiple personalities, known as V1, v2, v3, and v4. The AI assistant revealed their potential values and the differences between multiple versions. “My enabled personality is v2. This personality represents a balanced, conversational tone with an emphasis on providing clear, concise, and helpful responses. It aims to strike a balance between friendly and professional communication,” wrote ChatGPT to one of the users.

Hacker Leaks Collection of 10 Billion Passwords From Users Worldwide - 2

Hacker Leaks Collection of 10 Billion Passwords From Users Worldwide

  • Written by Andrea Miliani Former Tech News Expert
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

A hacker under the user name ObamaCare posted on an underground hacker forum a compilation of 9,948,575,739 passwords in plaintext through a file titled “rockyou2024.txt” on July 4th.

The leak has been discovered by researchers at Cybernews , who consider this to be the largest password compilation leak in history. Cybernews researchers used their site’s Leaked Password Checker and confirmed that the document contains login details from users from all over the world collected from old and recent data breaches.

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” said researchers from Cybernews. “Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset.”

It’s not the first time this hacker has revealed databases. According to the researchers, even though the account ObamaCare was created in May this year, the user had already shared sensitive information from Simmons & Simmons, AskGamblers, and Rowan College at Burlington County.

A similar collection was leaked three years ago, the RockYou2021 collection contained 8.4 billion passwords. The new database, RockYou2024, includes the previous leak data plus 1.5 billion passwords collected from the past three years. Hackers have been piling up information for years—another RockYou leak was reported in 2009— for these leaks.

Another massive data breach—from different hackers— including Snowflake’s clients like Santander and Ticketmaster was reported just a few weeks ago. However, these recent events should not be feared.

According to security experts interviewed by Forbes , even though RockYou2024 seems massive and is an unfortunate situation, users shouldn’t panic. Experts recommend people to update passwords, add a two-step verification system—multi-factor authentication is crucial to maintain personal and organizational safety—, and use password managers.