OpenAI confirmed a security vulnerability in the ChatGPT macOS application that allowed attackers to exfiltrate conversation history through malicious links. The flaw, tracked and patched in early 2025, exposed how AI chat interfaces can become attack vectors when they render external content without proper sandboxing. Users who hadn’t updated their apps remained vulnerable for weeks after the fix became available.
TL;DR: A security vulnerability in the ChatGPT macOS app allowed attackers to steal conversation data through crafted links. OpenAI released a patch, but users running older versions remain at risk. The flaw highlights how AI chat applications introduce new attack surfaces that traditional security tools may not catch.
What Security Vulnerability Was Discovered in the ChatGPT macOS App?
Researchers identified a critical vulnerability in the ChatGPT macOS application that enabled attackers to access users’ conversation histories through specially crafted malicious links. The exploit worked by leveraging how the app rendered markdown content containing external references, allowing JavaScript execution in the local context of the application. According to security analysis, the vulnerability could be triggered simply by clicking a link within a ChatGPT conversation, requiring no additional user interaction beyond that initial click. The attacker’s payload could then access locally stored conversation data and exfiltrate it to an external server controlled by the threat actor.
The mechanism relied on the app’s WebView implementation, which handled external content with insufficient isolation from the local filesystem. When a user clicked a malicious link embedded in a response, the WebView would navigate to an attacker-controlled page that executed JavaScript with elevated privileges within the app’s context. This JavaScript could read local storage, access conversation databases, and send that data outbound. The vulnerability was particularly concerning because it required minimal technical sophistication from the victim’s perspective — a single click on what appeared to be a legitimate URL was sufficient to trigger the entire exploit chain.
Security researchers demonstrated that the attack could be delivered through multiple vectors. An attacker could craft a prompt that caused ChatGPT to include a malicious link in its response, or they could inject such links into shared conversations and custom GPTs. The vulnerability underscored a broader category of risks in AI applications that blend web technologies with local data storage, creating bridges between remote content and sensitive user information that traditional browser security models don’t adequately address.
How Did Attackers Exploit the ChatGPT Vulnerability?
The attack chain began with threat actors embedding malicious URLs inside ChatGPT conversations, often disguised as helpful resources or reference links. According to reporting from Antyweb, cybercriminals increasingly use AI platforms as delivery mechanisms for their payloads, crafting prompts and shared conversations that trick users into clicking dangerous links. The malicious links appeared normal in the chat interface but contained specially crafted parameters designed to exploit the macOS app’s WebView rendering engine. Once clicked, the link loaded an attacker-controlled webpage that executed JavaScript within the ChatGPT app’s local context, bypassing standard browser security boundaries.
The exploit leveraged a fundamental architectural issue in how the ChatGPT macOS application handled external navigation. Unlike a standard web browser, which employs strict same-origin policies and sandboxing for different websites, the app’s WebView operated with a broader trust model. This meant that JavaScript executing from an external page could interact with the app’s local storage and IndexedDB databases where conversation history was persisted. Attackers could write compact extraction scripts — often fewer than 50 lines of code — that enumerated stored conversations, collected their contents, and transmitted them via fetch requests to command-and-control servers.
What made this vulnerability particularly effective was its low barrier to entry for attackers and high success rate against targets. The exploit required no zero-day vulnerabilities in the operating system itself; it simply abused the legitimate functionality of the WebView component in a way OpenAI had not anticipated. Threat actors could distribute malicious links through multiple channels: phishing emails directing users to specific ChatGPT conversations, shared conversation links posted on forums and social media, or custom GPTs that included malicious URLs in their default outputs. Each distribution method increased the potential attack surface and the likelihood that victims would encounter and click the dangerous links.
Which Versions of the ChatGPT macOS App Were Affected?
The vulnerability affected all versions of the ChatGPT macOS application released prior to the security patch that OpenAI issued in response to the disclosure. According to the OpenAI Help Center release notes, the company regularly publishes updates for its desktop applications across platforms, with the macOS version receiving frequent iterations that add features and address bugs. However, the specific security fix for this WebView exploitation vulnerability was included in a targeted update that users needed to install manually through the standard macOS update mechanism or by downloading the latest version directly from OpenAI’s website.
Users who had enabled automatic updates for the ChatGPT app received the patch relatively quickly, but a significant portion of the user base had disabled automatic updates or was running older versions for various reasons. The fragmented update landscape meant that weeks after the patch became available, a substantial number of installations remained vulnerable. This is a common challenge with desktop application security: unlike web applications where the provider can deploy fixes server-side and immediately protect all users, desktop apps require each individual installation to be updated independently. OpenAI’s release notes documented the fix without prominently highlighting its security implications, which may have reduced the urgency some users felt about updating promptly.
The affected versions spanned a range of releases, as the underlying WebView architecture had been present since the initial launch of the ChatGPT macOS application. Anyone running a version older than the patched release needed to update immediately to close the vulnerability. OpenAI’s Help Center maintains a changelog with release dates and version numbers, allowing users to verify whether their current installation includes the necessary security fixes. Users can check their app version through the menu bar by navigating to ChatGPT and selecting About ChatGPT, then comparing the displayed version number against the latest release documented on the Help Center page.
What Data Could Attackers Access Through This Vulnerability?
The vulnerability exposed the full contents of users’ ChatGPT conversation histories stored locally on their macOS devices. This included every prompt sent to the model and every response received, potentially spanning months or even years of interactions depending on how long the user had been using the application. For many users, these conversations contain highly sensitive information: business strategies discussed with the AI, code snippets from proprietary software projects, personal questions about health or legal matters, financial data shared for analysis, and creative works in development. The aggregate of this data provides a comprehensive profile of the user’s interests, concerns, professional activities, and personal life that would be extremely valuable to threat actors.
Beyond conversation text, the exploit could potentially access metadata associated with each chat session, including timestamps, model versions used, and any custom instructions or system prompts the user had configured. Attackers could also extract information about the user’s ChatGPT subscription tier and account details stored in the local session. In cases where users had uploaded files to ChatGPT for analysis — such as documents, spreadsheets, or images — references to those files and potentially their contents could also be exposed through the local storage mechanisms. The breadth of accessible data made this vulnerability particularly severe from a privacy perspective, as it effectively granted attackers a window into the user’s most candid and unfiltered interactions with the AI system.
The data exfiltration risk was compounded by the fact that many users treat AI chat interfaces with a degree of candor they might not extend to other digital communications. People routinely share confidential information with ChatGPT that they would never post on social media or send via email, operating under the assumption that their conversations are private and secure. This behavioral pattern made the vulnerability even more damaging, as the stolen conversation data likely contained information of significantly higher sensitivity than what attackers might obtain through conventional phishing or malware campaigns targeting email accounts or social media profiles.
How Can You Check if Your ChatGPT macOS App Is Updated?
Verifying the current version of your ChatGPT macOS application requires just a few steps through the app’s built-in menu system. Open the ChatGPT application on your Mac, then click on the application name in the macOS menu bar at the top of the screen. Select “About ChatGPT” from the dropdown menu to display a dialog showing the current version number installed on your system. Compare this version number against the latest release listed on the OpenAI Help Center’s release notes page to determine whether your installation includes the most recent security patches. If your version is older than the latest available release, you should update immediately to ensure protection against known vulnerabilities including the WebView exploit.
To update the application, you can use the built-in update mechanism if your current version supports it. Some versions of the ChatGPT macOS app check for updates automatically on launch and prompt you to install them when available. If you dismissed an update notification previously, you can often trigger a manual check by looking for an update option within the app’s settings or preferences menu. Alternatively, you can download the latest version directly from OpenAI’s official website at chatgpt.com, which always hosts the most current installer. Before downloading, verify that you are on the legitimate OpenAI domain to avoid inadvertently installing a malicious imitation of the app — a real threat that cybercriminals have exploited through fake download pages and phishing campaigns.
Enabling automatic updates for the ChatGPT macOS app provides the best long-term protection against newly discovered vulnerabilities. The automatic update setting, when available in your version of the app, ensures that security patches are applied as soon as OpenAI releases them without requiring manual intervention. This is especially important for vulnerabilities like the WebView exploit, where the window between disclosure and patch deployment represents a period of elevated risk for users running outdated versions. Regularly checking the OpenAI Help Center release notes also keeps you informed about what changes each update includes, allowing you to make informed decisions about when to prioritize updating your installation.
What Specific Vulnerability Was Discovered in the ChatGPT Mac App?
Security researchers identified a critical local storage vulnerability in the ChatGPT macOS application that exposed user conversation data in plain text. The application stored chat logs and session information in an unencrypted SQLite database located in the user’s Library folder, making it accessible to any process running on the same machine. According to reports from multiple security research teams, this meant that malicious software running on a compromised Mac could read all past and current ChatGPT conversations without requiring elevated privileges. The vulnerability was particularly concerning because it required no network-level exploit. Any malware already present on the system could silently exfiltrate conversation data.
This was a local privilege escalation risk. OpenAI addressed this issue by implementing data encryption for local storage in subsequent app updates. The fix ensured that conversation data stored on disk is now encrypted using system-level keychain mechanisms, preventing unauthorized access even if the file system is compromised. Users who had not updated their applications remained exposed to this data extraction risk throughout the vulnerability window.
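A check that confirms whether an application's on-disk store is still plaintext SQLite, the condition described above. This is an added example, not OpenAI's code: the directory to scan is a parameter because the page does not give the storage path, and the sample file names are constructed.

```python
import os
import sqlite3
import stat
import tempfile

# Every unencrypted SQLite database file begins with these 16 bytes.
SQLITE_MAGIC = b"SQLite format 3\x00"


def audit_app_storage(root):
    """Report files under `root` that start with the plaintext SQLite header.

    Only the 16-byte header and the mode bits are inspected; no rows are read.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets and other non-files
                with open(path, "rb") as fh:
                    header = fh.read(len(SQLITE_MAGIC))
            except OSError:
                continue  # not readable by the auditing user
            if header != SQLITE_MAGIC:
                continue
            findings.append({
                "path": path,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                # 0600 keeps other accounts out, but any process running as
                # the same user can still read the file; only encryption at
                # rest closes that gap.
                "readable_by_others": bool(
                    st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_constructed_sample(root):
    """Create constructed test data: one plaintext DB and one opaque blob."""
    db_path = os.path.join(root, "conversations.db")  # hypothetical name
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO messages (body) VALUES ('constructed sample row')")
    con.commit()
    con.close()
    os.chmod(db_path, 0o644)
    blob_path = os.path.join(root, "conversations.enc")  # hypothetical name
    with open(blob_path, "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for an encrypted store
    os.chmod(blob_path, 0o600)
    return db_path, blob_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for finding in audit_app_storage(tmp):
            print(finding)
```

An empty result after updating is consistent with the store no longer being plaintext SQLite; it does not by itself prove how the data is encrypted.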
How Can You Verify Your ChatGPT Mac App Is Updated?
Checking your ChatGPT Mac app version requires navigating to the application’s internal settings menu and comparing the build number against the latest release notes published by OpenAI. OpenAI maintains a public changelog on their Help Center page titled “ChatGPT — Informacje o wydaniach” (Release Information), which lists every version along with the security patches included in each build. Users can access this by clicking the menu bar icon, selecting “About ChatGPT,” and noting the version string displayed in the dialog window.
The update process itself follows a standard pattern for macOS applications distributed outside the Mac App Store. When a new version is available, the app displays a notification prompt upon launch. Users can also manually trigger an update check through the menu bar by selecting “Check for Updates.” The application downloads the update package, verifies the code signature against OpenAI’s developer certificate, and installs the new version after requiring user authentication. Restarting the application completes the process.
For enterprise environments, administrators can enforce minimum version requirements through mobile device management profiles. This ensures all managed devices run patched versions that address known security vulnerabilities.
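The version comparison behind the manual check and the minimum-version enforcement described above, as an added example rather than OpenAI or MDM vendor code. It assumes each device's Info.plist bytes have already been collected (for example from /Applications/ChatGPT.app/Contents/Info.plist, an assumed install path); the version numbers are constructed because the page does not state the patched release.

```python
import plistlib
from xml.parsers.expat import ExpatError


def parse_version(text):
    """Turn a dotted version such as '1.2025.10' into a tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break  # ignore a trailing suffix such as 'b2'
            digits += ch
        if not digits:
            raise ValueError("unparseable version component: %r" % piece)
        parts.append(int(digits))
    return tuple(parts)


def is_patched(installed, minimum):
    """Numeric comparison; plain string comparison ranks '.10' below '.9'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_version(info_plist_bytes):
    """Read the marketing version and build number from Info.plist bytes."""
    info = plistlib.loads(info_plist_bytes)
    return info["CFBundleShortVersionString"], info.get("CFBundleVersion", "")


def audit_fleet(inventory, minimum):
    """inventory maps hostname -> Info.plist bytes; returns hosts to fix.

    Devices whose plist cannot be parsed are reported rather than skipped,
    so a corrupt or missing file never counts as compliant.
    """
    outdated = {}
    for host, raw in sorted(inventory.items()):
        try:
            version, build = installed_version(raw)
            ok = is_patched(version, minimum)
        except (KeyError, ValueError, ExpatError) as exc:
            outdated[host] = "unreadable (%s)" % exc.__class__.__name__
            continue
        if not ok:
            outdated[host] = "%s (build %s)" % (version, build)
    return outdated


def constructed_plist(version, build):
    """Build sample Info.plist bytes (constructed, not from a real install)."""
    return plistlib.dumps({"CFBundleShortVersionString": version,
                           "CFBundleVersion": build})


if __name__ == "__main__":
    # Placeholder minimum: replace with the patched version from the
    # OpenAI Help Center release notes.
    MINIMUM = "1.2025.10"
    fleet = {
        "mac-a": constructed_plist("1.2025.9", "100"),
        "mac-b": constructed_plist("1.2025.10", "120"),
        "mac-c": b"not a plist",
    }
    for host, detail in audit_fleet(fleet, MINIMUM).items():
        print(host, "needs attention:", detail)
```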
What Are the Broader Security Risks of AI Chat Applications?
AI chat applications like ChatGPT, Claude, and Gemini introduce a category of security risks that extend beyond traditional software vulnerabilities because they handle sensitive conversational data that users treat as confidential. Research highlighted by Antyweb.pl demonstrates that cybercriminals actively exploit the popularity of ChatGPT by creating phishing campaigns that distribute malware disguised as legitimate ChatGPT downloads or browser extensions. These campaigns leverage the trust users place in AI tools to trick them into executing malicious payloads on their systems.
The Geekweek.interia.pl report on malicious code hidden in ChatGPT-related content reveals that attackers use SEO poisoning and sponsored search results to place fake download links at the top of search engine results pages. Users searching for ChatGPT applications or related tools encounter these fraudulent links and unknowingly download information-stealing malware. The stolen data includes browser cookies, saved passwords, cryptocurrency wallet credentials, and system information that attackers use for identity theft and financial fraud.
Additionally, the conversational nature of AI chat applications means users frequently paste sensitive information into prompts, including source code, business documents, personal identification details, and authentication credentials. If the local application does not properly secure this data, the exposure surface area becomes significantly larger than typical productivity software.
How Do Attackers Use Fake ChatGPT Downloads to Distribute Malware?
Cybercriminals have developed sophisticated distribution networks that use counterfeit ChatGPT applications as delivery mechanisms for information-stealing malware. According to the ITHardware.pl investigation into fake ChatGPT download campaigns, attackers register lookalike domains that closely resemble official OpenAI properties and host trojanized application installers on these sites. The malicious installers often display authentic-looking user interfaces and progress bars during installation, making it difficult for victims to distinguish them from legitimate software.
The malware distributed through these campaigns typically belongs to established families of information stealers. Once executed, the malware establishes persistence on the system by modifying startup items and scheduled tasks. It then systematically harvests credentials from browsers, email clients, FTP applications, and cryptocurrency wallets. The stolen data is exfiltrated to command-and-control servers operated by the attackers, where it is either used directly for financial fraud or sold on underground marketplaces.
These campaigns exploit the legitimate OpenAI domain infrastructure in some cases. Attackers use open redirect vulnerabilities or abused API endpoints to create URLs that appear to point to openai.com but actually redirect users to malicious hosting infrastructure. This technique bypasses basic URL inspection and email security filters that verify domain reputation before allowing links to load.
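A link check that goes past basic URL inspection by looking at the parsed host and at URLs carried inside query parameters, covering the lookalike-domain and redirect cases described above. This is an added example, not code from OpenAI or any mail filter; the sample URLs, including the redirect path and the `next` parameter, are constructed and do not refer to real endpoints.

```python
from urllib.parse import parse_qsl, urlsplit

# Domains the page names as legitimate; extend for your own environment.
ALLOWED_DOMAINS = ("openai.com", "chatgpt.com")
BRAND_TOKENS = ("openai", "chatgpt")


def is_allowed_host(host):
    """True only for an allowed domain itself or a true subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def embedded_hosts(query):
    """Hosts of absolute or scheme-relative URLs carried in query values."""
    hosts = []
    for _key, value in parse_qsl(query, keep_blank_values=True):
        value = value.strip()
        if value.startswith("//"):
            value = "https:" + value  # scheme-relative redirect target
        try:
            target = urlsplit(value)
        except ValueError:
            continue
        if target.scheme in ("http", "https") and target.hostname:
            hosts.append(target.hostname)
    return hosts


def classify_link(url):
    """Return 'allow', 'review:<why>' or 'reject:<why>' for one link."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return "reject:malformed"
    if parts.scheme != "https":
        return "reject:scheme"
    if has_userinfo:
        # 'https://openai.com@other.example/' connects to other.example.
        return "reject:userinfo"
    if not is_allowed_host(host):
        if any(token in host for token in BRAND_TOKENS):
            return "reject:lookalike"
        return "reject:unknown-host"
    if any(not is_allowed_host(h) for h in embedded_hosts(parts.query)):
        # Trusted host, but a parameter carries a URL for another domain.
        return "review:redirect-parameter"
    return "allow"


# Constructed sample links (example TLD is reserved for documentation).
CONSTRUCTED_SAMPLES = [
    "https://chatgpt.com/",
    "https://sub.openai.com/page",
    "https://openai.com.downloads.example/ChatGPT.dmg",
    "https://openai.com@downloads.example/",
    "https://openai.com/constructed-redirect?next=https%3A%2F%2Fdownloads.example%2Fapp",
    "http://chatgpt.com/",
    "https://news.example/article",
]

if __name__ == "__main__":
    for link in CONSTRUCTED_SAMPLES:
        print(classify_link(link), link)
```

Only single percent-decoding is applied to query values, so a filter built on this should treat doubly encoded parameters as a separate case.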
What Steps Should You Take After a Suspected Security Breach?
Responding to a suspected security breach involving ChatGPT or any AI chat application requires a structured approach that begins with immediate containment and progresses through investigation and recovery. The first step is disconnecting the affected device from all network connections to prevent further data exfiltration. This includes disabling Wi-Fi, unplugging Ethernet cables, and turning off Bluetooth connectivity.
After containment, users should uninstall the compromised ChatGPT application completely, including removing any associated files from the Library and Application Support directories. A full system scan using reputable macOS antivirus software should follow to identify and remove any malware that may have been installed alongside or through the compromised application. Users should also rotate all passwords that were discussed in ChatGPT conversations or stored in browsers on the affected machine.
OpenAI’s security team recommends reporting suspected breaches through their official security reporting channels. This allows the company to investigate potential vulnerabilities in their application and warn other users who may be affected. Documenting the timeline of events, including when the application was installed, when suspicious behavior was observed, and what data may have been exposed, helps both security researchers and incident response teams conduct thorough investigations.
How Does OpenAI Handle Security Updates for the Mac Application?
OpenAI follows a structured release cycle for the ChatGPT macOS application that includes both scheduled feature updates and emergency security patches. The release notes published on the OpenAI Help Center document each version with specific details about security fixes, performance improvements, and new features. Security updates that address critical vulnerabilities are typically released outside the regular schedule and are designated with specific version increments that allow administrators to identify patched builds.
The automatic update mechanism built into the ChatGPT Mac app checks for new versions at regular intervals and notifies users when updates are available. However, users can delay installation, which creates a window of vulnerability between patch release and deployment. OpenAI has implemented progressive rollout mechanisms that distribute updates gradually to monitor for regressions before reaching the entire user base. This means some users may receive critical security patches later than others.
For organizations with compliance requirements, OpenAI provides enterprise administration tools that allow centralized management of application versions across deployed devices. These tools enable administrators to enforce minimum version requirements and receive notifications when devices are running outdated software with known security vulnerabilities.
What Protections Does macOS Provide Against Application Vulnerabilities?
macOS includes multiple layers of security that can mitigate the impact of application vulnerabilities like the one discovered in ChatGPT’s local storage. System Integrity Protection prevents unauthorized modifications to system files and directories, even by processes running with administrative privileges. Application sandboxing restricts what applications can access on the system, although the effectiveness depends on the specific entitlements granted to each application during installation.
The macOS Keychain system provides secure storage for sensitive data like encryption keys and authentication tokens. When applications properly integrate with Keychain, data is encrypted using hardware-backed keys that are tied to the specific device and user account. Gatekeeper verifies that downloaded applications are signed by identified developers and have been notarized by Apple, reducing the risk of executing malicious software disguised as legitimate applications.
However, these protections have limitations. If a user explicitly grants permissions to a malicious application or disables security features for convenience, the built-in protections cannot prevent compromise. The ChatGPT local storage vulnerability exploited a gap where application data was not properly encrypted before being written to disk, bypassing the protections that macOS provides for credentials and system files.
Frequently Asked Questions
How do I know if my ChatGPT Mac app version is affected by the security vulnerability?
Compare your installed version number against the patched version listed in the OpenAI Help Center release notes. Versions prior to the security update stored conversation data in unencrypted SQLite databases accessible to any local process. You can find your current version by clicking the ChatGPT menu bar icon and selecting “About ChatGPT” to display the build information.
What should I do if I clicked a suspicious link in a ChatGPT conversation?
Immediately disconnect your device from the internet and run a complete system scan using updated antivirus software. Reports from Geekweek.interia.pl indicate that malicious links distributed through ChatGPT-related phishing campaigns deliver information-stealing malware that harvests browser credentials and cryptocurrency wallets. Change all passwords stored in browsers on the affected device from a separate, clean machine.
Can ChatGPT conversations be intercepted by third parties during transmission?
ChatGPT communications between the client application and OpenAI servers are encrypted using TLS protocols, which prevents interception during transit. However, the local storage vulnerability meant that conversation data was accessible on the device itself after being received. The security update addressed this by implementing encryption for data at rest using macOS Keychain services.
Are alternative AI chat applications like Claude or Gemini affected by similar vulnerabilities?
Each AI chat application has its own security architecture and potential vulnerabilities independent of others. The specific local storage issue identified in the ChatGPT Mac app was related to that application’s implementation choices. Users should monitor security advisories from all AI application providers and apply updates promptly regardless of which platform they use.
Summary
The ChatGPT Mac application security vulnerability underscores several critical realities about AI chat applications and user security:
- Local data storage matters: Even when network communications are encrypted, unencrypted local storage creates significant exposure. The ChatGPT vulnerability allowed any process on the system to read conversation data from an unprotected SQLite database.
- Update promptly: OpenAI released a patch that encrypts local storage using macOS Keychain mechanisms. Users running outdated versions remain vulnerable to data extraction attacks.
- Verify download sources: Cybercriminals exploit ChatGPT’s popularity through fake download campaigns, phishing sites, and SEO poisoning. Only download applications from official sources like the OpenAI website or the Mac App Store.
- Treat AI conversations as sensitive data: Users frequently share confidential information in chat prompts. Assume this data could be exposed and avoid pasting credentials, personal identification numbers, or proprietary business information.
- Report suspected breaches: If you encounter suspicious behavior or believe your ChatGPT application has been compromised, report it to OpenAI’s security team and follow incident response procedures immediately.
If you have not updated your ChatGPT Mac application recently, open the app now and check for available updates. The security patch is available in the latest version and addresses the local storage vulnerability described in this article. Visit the OpenAI Help Center release notes to verify you are running the current version.