Cyber Web Spider Blog – News
ChatGPT Atlas Stores OAuth Tokens Unencrypted Leads to Unauthorized Access to User Accounts

Posted on October 24, 2025 by CWS

A significant vulnerability in OpenAI's newly launched ChatGPT Atlas browser reveals that it stores unencrypted OAuth tokens in a SQLite database with overly permissive file permissions on macOS, potentially allowing unauthorized access to user accounts.

This flaw, discovered by Pete Johnson just days after the browser's October 21, 2025 launch, bypasses the standard encryption practices used by major browsers such as Chrome, leaving sensitive authentication data exposed to any process on the system.

The issue raises concerns about the privacy safeguards in AI-integrated browsing tools, especially as Atlas aims to handle tasks such as research and automation on behalf of users.

The vulnerability came to light when a non-expert user, curious about the browser's data handling after installing ChatGPT Atlas, examined the cache directory at ~/Library/Caches/com.openai.atlas/.

Token Stored With 644 Permissions

Pete Johnson found a SQLite database storing functional OAuth tokens without encryption, protected only by 644 file permissions, which makes the file readable by all users and processes on the Mac.

Unlike established browsers that use the macOS Keychain to encrypt tokens, Atlas appears to skip this step by default, enabling easy extraction and reuse of the tokens via simple scripts.

ChatGPT Atlas exposes users' details (Source: Pete Johnson)

Pete Johnson demonstrated this by writing a local script that queried the database, retrieved the unencrypted tokens, and successfully accessed the OpenAI API to fetch the user's full profile details and conversation history across sessions.

Even attempts to pull account status returned a 405 error rather than a 401 Unauthorized response, confirming the tokens' validity.

To verify the risks, the user consulted the web version of ChatGPT, which itself acknowledged that such unencrypted storage in a hypothetical browser would pose a severe security threat, potentially allowing malware or other apps to hijack sessions without detection.

This oversight persisted despite the installation process never prompting users about Keychain integration, a standard prompt in secure applications.

The exposure is particularly concerning given Atlas's design as a Chromium-based AI browser that imports bookmarks, passwords, and history while enabling agentic features for premium users.

Unencrypted tokens could allow attackers to impersonate users, accessing not just ChatGPT conversations but potentially linked services if scopes overlap, echoing past OAuth leakage incidents in AI tools.

While macOS user permissions limit cross-account exploitation, intra-account risks remain high, especially on shared or compromised devices.

Cybersecurity experts have already flagged Atlas for related issues such as prompt injection attacks, where malicious web content could manipulate the AI into exfiltrating data, amplifying the dangers of the token flaw.

OpenAI emphasizes privacy controls in Atlas, such as opt-out data training and memory management, but this storage misconfiguration undermines those claims.

The browser's rapid rollout to Free, Plus, and Pro users worldwide on macOS, with Windows and mobile versions pending, heightens the urgency for patches.

Pete Johnson hesitated to release the extraction script publicly amid the launch hype, but shared it privately with contacts for validation.

UK-based researcher Matt Johnson confirmed the issue on his setup, noting that it extracts profiles and histories effectively within the same account.

However, no official bug reporting mechanism exists for Atlas yet, leaving users in limbo as of October 22, 2025.

Further inquiries revealed inconsistency: some users report Keychain prompts during setup, resulting in encrypted tokens, while others, like the discoverer, do not, suggesting a rollout bug or A/B testing glitch.

OpenAI has not explicitly commented, though its security team has addressed broader AI browser risks, such as injection attacks, through red-teaming and guardrails.

Experts urge prompt updates, recommending that users monitor permissions, enable 2FA on OpenAI accounts, and avoid sensitive tasks in Atlas until the issue is resolved.
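One way to act on the "monitor permissions" advice, and to check for the 644 (rw-r--r--) condition described in the Token Stored With 644 Permissions section, is a small audit script. This is an added example, not code from the article, from Pete Johnson or from OpenAI; it assumes a POSIX sh with find(1) and uses the cache path quoted in the article.

```shell
#!/bin/sh
# Added example (not from the article or OpenAI): audit an application data
# directory for files readable by group or other users, which is what mode
# 644 (rw-r--r--) grants, and optionally restrict them to the owner.
ATLAS_CACHE="${HOME}/Library/Caches/com.openai.atlas"   # path quoted in the article

# List regular files under $1 whose mode sets group-read or other-read.
# The symbolic "-perm -g+r" / "-perm -o+r" forms work with GNU and BSD find.
list_exposed() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null
}

# Audit: print every exposed file with its mode line. Returns 0 when all
# files are owner-only, 1 when at least one file is readable by other local
# accounts, 2 when the directory does not exist.
audit_dir() {
    [ -d "$1" ] || { echo "no such directory: $1"; return 2; }
    exposed=$(list_exposed "$1")
    if [ -z "$exposed" ]; then
        echo "OK: no group/other-readable files under $1"
        return 0
    fi
    echo "WARNING: files readable by other local users under $1:"
    echo "$exposed" | while IFS= read -r f; do
        ls -l "$f"
    done
    return 1
}

# Remediation: set exposed files to rw------- (600). The owning application
# keeps full read/write access; only other local accounts lose read access.
# Returns the result of a re-audit, so 0 means nothing is exposed any more.
tighten_dir() {
    list_exposed "$1" | while IFS= read -r f; do
        [ -n "$f" ] && chmod 600 "$f"
    done
    audit_dir "$1" >/dev/null
}

# Only runs when the Atlas cache directory actually exists on this machine.
if [ -d "$ATLAS_CACHE" ]; then
    audit_dir "$ATLAS_CACHE" || echo "To restrict: tighten_dir \"$ATLAS_CACHE\""
fi
```

Tightening the mode is a stop-gap for the local-read exposure only; it does not replace proper Keychain-backed storage by the application.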

