OpenAI’s recent release of the ChatGPT Atlas browser has unveiled a critical security vulnerability: the storage of unencrypted OAuth tokens within a SQLite database on macOS systems. This flaw, identified by researcher Pete Johnson shortly after the browser’s launch on October 21, 2025, exposes users to potential unauthorized access to their accounts.
Discovery of the Vulnerability
The issue was uncovered when Johnson, curious about how ChatGPT Atlas manages data, examined the cache directory located at `~/Library/Caches/com.openai.atlas/`. Within this directory he found a SQLite database containing active OAuth tokens stored without encryption. Compounding the problem, the database had 644 file permissions (owner read/write, everyone else read-only), making it readable by all users and processes on the system.
Implications of Unencrypted Token Storage
Unlike established browsers such as Chrome, which utilize macOS Keychain to encrypt sensitive data, ChatGPT Atlas appears to bypass this security measure. This oversight allows for straightforward extraction and reuse of tokens through simple scripting. Johnson demonstrated this vulnerability by creating a local script that queried the database, retrieved the unencrypted tokens, and successfully accessed the OpenAI API. This access provided him with the user’s full profile details and conversation history across multiple sessions.
Further testing revealed that attempts to retrieve account status returned a 405 error instead of the expected 401 unauthorized response, indicating the tokens’ continued validity. This suggests that malicious actors could exploit this flaw to impersonate users, gaining access not only to ChatGPT conversations but also to any linked services if the OAuth scopes overlap.
Broader Security Concerns
The design of ChatGPT Atlas as a Chromium-based AI browser that imports bookmarks, passwords, and browsing history raises additional privacy concerns. The unencrypted token store could let an attacker impersonate the user, exposing not just ChatGPT conversations but potentially any linked services whose OAuth scopes overlap, echoing past OAuth leakage incidents in AI tools.
While macOS user permissions limit cross-account exploitation, intra-account risks remain high, especially on shared or compromised devices. Cybersecurity experts have already flagged Atlas for related issues like prompt injection attacks, where malicious web content could manipulate the AI to exfiltrate data, amplifying the token flaw’s dangers.
OpenAI’s Response and User Recommendations
OpenAI emphasizes privacy controls in Atlas, such as opt-out data training and memory management, but this storage misconfiguration undermines those claims. The browser’s rapid rollout to Free, Plus, and Pro users worldwide on macOS, with Windows and mobile versions pending, heightens the urgency for patches.
As of October 22, 2025, no official bug reporting mechanism exists for Atlas, leaving users uncertain about the timeline for a fix. In the interim, users are advised to monitor their account activity closely, enable two-factor authentication on their OpenAI accounts, and avoid using ChatGPT Atlas for tasks involving sensitive information until the issue is resolved.
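The two concrete defects the article describes are a SQLite file left world-readable (mode 644) and secrets kept on disk rather than in Keychain. Until a patch ships, the one thing a user or administrator can check locally is the first defect. The script below is an added example written for this article, not code from OpenAI or from Johnson: it walks an application cache directory, flags files that other local users or processes could read, gives extra weight to files whose 16-byte header marks them as SQLite databases, and can tighten them to owner-only (0600). The default path is the one named in the article; the directory layout used in `demo()` is constructed for the example, and the script never opens or decodes any token contents.

```python
"""Audit an application cache directory for readable SQLite files.

Added example for the ChatGPT Atlas token-storage report. It only inspects
file modes and the SQLite magic header; it does not read database rows.
"""
from __future__ import annotations

import os
import stat
import sys
import tempfile
from pathlib import Path

# First 16 bytes of every SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Path taken from the article; override on the command line for other apps.
DEFAULT_CACHE_DIR = Path("~/Library/Caches/com.openai.atlas").expanduser()


def is_sqlite_file(path: Path) -> bool:
    """True if the file starts with the SQLite 3 header."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def audit(cache_dir: Path) -> list[dict]:
    """Return one finding per file that is readable beyond its owner.

    Any world-readable file is reported (medium). A SQLite file readable by
    group or world is reported as high, since such files commonly hold
    session state or tokens.
    """
    findings: list[dict] = []
    for path in sorted(cache_dir.rglob("*")):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        sqlite = is_sqlite_file(path)
        other_read = bool(mode & stat.S_IROTH)
        group_read = bool(mode & stat.S_IRGRP)
        if other_read or (sqlite and group_read):
            findings.append({
                "path": str(path),
                "name": path.name,
                "mode": oct(mode),
                "sqlite": sqlite,
                "severity": "high" if sqlite else "medium",
            })
    return findings


def harden(findings: list[dict]) -> int:
    """chmod 0600 every reported file; returns the number changed."""
    for f in findings:
        os.chmod(f["path"], 0o600)
    return len(findings)


def demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Constructed cache directory: one 0644 SQLite file, one 0644 text file,
    one 0600 SQLite file. Returns (name, severity) pairs before and after
    hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        exposed_db = root / "tokens.db"
        exposed_db.write_bytes(SQLITE_MAGIC + b"\x00" * 84)  # header-sized stand-in
        os.chmod(exposed_db, 0o644)
        (root / "notes.txt").write_text("harmless cache file\n")
        os.chmod(root / "notes.txt", 0o644)
        private_db = root / "private.db"
        private_db.write_bytes(SQLITE_MAGIC + b"\x00" * 84)
        os.chmod(private_db, 0o600)

        before = [(f["name"], f["severity"]) for f in audit(root)]
        harden(audit(root))
        after = [(f["name"], f["severity"]) for f in audit(root)]
        return before, after


if __name__ == "__main__":
    target = Path(sys.argv[1]).expanduser() if len(sys.argv) > 1 else DEFAULT_CACHE_DIR
    if target.is_dir():
        for f in audit(target):
            print(f"{f['severity']:6} {f['mode']} sqlite={f['sqlite']} {f['path']}")
    else:
        print(f"{target} not found; running constructed demo")
        print(demo())
```

Run it with no arguments to audit the Atlas cache directory, or pass another `~/Library/Caches/<bundle id>` path. A clean result only means other local accounts cannot read the file; it says nothing about whether the tokens inside are encrypted, which is the Keychain question the patch has to answer, and a process running as the same user can still read a 0600 file, so the advice to enable two-factor authentication and watch account activity stands.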