A significant vulnerability in OpenAI’s newly released ChatGPT Atlas browser reveals that it stores unencrypted OAuth tokens in a SQLite database with overly permissive file settings on macOS, potentially allowing unauthorized access to user accounts.
This flaw, discovered by Pete Johnson just days after the browser’s October 21, 2025, launch, bypasses standard encryption practices used by major browsers like Chrome, leaving sensitive authentication data exposed to any process on the system.
The issue raises concerns about the privacy safeguards in AI-integrated browsing tools, especially as Atlas aims to handle tasks such as research and automation on behalf of users.
The vulnerability came to light when a non-expert user, intrigued by the browser’s data handling after installing ChatGPT Atlas, examined the cache directory at ~/Library/Caches/com.openai.atlas/.
Token Stored With 644 Permissions
Pete Johnson found a SQLite database storing functional OAuth tokens without encryption, protected only by 644 file permissions, which makes the file readable by all users and processes on the Mac.
Unlike established browsers that leverage macOS Keychain for token encryption, Atlas appears to skip this step by default, enabling straightforward extraction and reuse of the tokens via simple scripts.

Pete Johnson demonstrated this by crafting a local script that queried the database, retrieved the unencrypted tokens, and successfully accessed the OpenAI API to fetch the user’s full profile details and conversation history across sessions.
Even a request for account status returned a 405 (method not allowed) error rather than a 401 (unauthorized) response, confirming that the tokens were still valid.
To verify the risks, the user consulted the web version of ChatGPT, which itself acknowledged that such unencrypted storage in a hypothetical browser would pose a severe security threat, potentially allowing malware or other apps to hijack sessions without detection.
This oversight is compounded by the installation process never prompting users about Keychain integration, a standard step in secure applications.
The exposure is particularly concerning given Atlas’s design as a Chromium-based AI browser that imports bookmarks, passwords, and history while enabling agentic features for premium users.
Unencrypted tokens could enable attackers to impersonate users, accessing not just ChatGPT conversations but potentially linked services if scopes overlap, echoing past OAuth leakage incidents in AI tools.
While macOS user permissions limit cross-account exploitation, intra-account risks remain high, especially on shared or compromised devices.
Cybersecurity experts have already flagged Atlas for related issues like prompt injection attacks, where malicious web content could manipulate the AI to exfiltrate data, amplifying the token flaw’s dangers.
OpenAI emphasizes privacy controls in Atlas, such as opt-out data training and memory management, but this storage misconfiguration undermines those claims.
The browser’s rapid rollout to Free, Plus, and Pro users worldwide on macOS, with Windows and mobile versions pending, heightens the urgency for patches.
Pete Johnson hesitated to release the extraction script publicly after the launch hype, but shared it privately with contacts for validation.
UK-based researcher Matt Johnson confirmed the issue on his setup, noting it extracts profiles and histories effectively within the same account.
However, no official bug reporting mechanism exists for Atlas yet, leaving users in limbo as of October 22, 2025.
Further inquiries revealed inconsistency: some users report Keychain prompts during setup, resulting in encrypted tokens, while others, like the discoverer, do not, suggesting a rollout bug or A/B testing glitch.
OpenAI has not explicitly commented, though its security team has addressed broader AI browser risks, such as injection attacks, through red-teaming and guardrails.
Experts urge immediate updates, recommending that users monitor permissions, enable 2FA on OpenAI accounts, and avoid sensitive tasks in Atlas until the issue is resolved.
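One way to act on the "monitor permissions" advice above, as an added example that is not part of the article or of any OpenAI tooling: a small audit that walks a directory, flags regular files whose mode grants group or other access (0644 grants both read bits), notes which of them carry the SQLite 3 header, and tightens them to owner-only. The `demo()` function builds a constructed sample database in a temporary directory; the cache path it would be pointed at in practice is the one the article names.

```python
import os
import sqlite3
import stat
import tempfile

# Mode bits that expose a file to other local users and processes.
# 0644 sets S_IRGRP and S_IROTH, so it is caught here.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite(path):
    """True if the file begins with the SQLite 3 header magic."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def audit_dir(root):
    """Return [(path, octal_mode, is_sqlite)] for every regular file under
    `root` whose permission bits expose it to group or other."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-files
            mode = stat.S_IMODE(st.st_mode)
            if mode & EXPOSED_BITS:
                findings.append((path, oct(mode), is_sqlite(path)))
    return findings


def restrict(findings):
    """Mitigation: chmod each flagged file to 0600 (owner read/write only)."""
    for path, _mode, _is_db in findings:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return len(findings)


def demo():
    """Constructed sample: one world-readable SQLite file in a temp dir.
    The schema is a placeholder, not the Atlas cache layout."""
    root = tempfile.mkdtemp()
    db = os.path.join(root, "tokens.sqlite")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE t (k TEXT)")
    con.commit()
    con.close()
    os.chmod(db, 0o644)  # reproduce the permission mode the article reports
    before = audit_dir(root)
    restrict(before)
    return before, audit_dir(root)
```

To check the directory the article names, call `audit_dir(os.path.expanduser("~/Library/Caches/com.openai.atlas"))`; `restrict()` is a stopgap against other local processes, not a substitute for the Keychain-backed storage that established browsers use.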