Major Security, Public Safety and Privacy Concerns #22
Comments
|
See also my same comment here, with more details on the actual code that is (not) visible to us. |
|
@Manamama I've found the code that's running inside the Netlify function under the same developer here: https://github.com/liady/chatgpt-static/blob/main/netlify/functions/chatgpt-upload/chatgpt-upload.js The code is harmless but we still don't know if this is the exact code running on Netlify and the function called inside the url.txt file could still be changed at any time by the owner. That being said, it's obvious to me that the developer has no malicious intentions, just look at all the other projects they've uploaded here on github. The main concern is this: If @liady github login or his personal computer ever become compromised then the attacker could potentially replace the function inside of url.txt with their own malicious code. |
|
Thanks for the legwork - my i-flowers sent to you above.
And I have never claimed otherwise.
Just look: (in)security by affinity (our) mindtrick: here among us, the anonymous Githubers.
or if he, his brother, or his (lol)cat decide to turn to a black hat hacker...
And here we all agree in full. (*) "Attacker", I presume |
|
@Manamama Yes I feel your concerns. I'm not using this unless the netlify code is moved to local. |
The way this extension currently works, when someone clicks the Share Link or Download PDF buttons the full conversation log is uploaded to an Amazon S3 container and set to public. This all happens through a function hosted at https://chat-gpt-static.netlify.app/.netlify/functions/chatgpt-upload which we are unable to see the code for.
In addition to the above, the way this function is referenced is through a text file also hosted on Amazon S3. The owner of the chatgpt-static S3 container on AWS could change the contents of the url.txt file (https://chatgpt-static.s3.amazonaws.com/url.txt) at any time to include a malicious script, which poses another serious security issue, on top of the one above.
Further, since the full conversation log is uploaded to an S3 container and set to public, with no way for us to delete the data. If someone happens to have some personal or other potentially harmful information in the conversation log being uploaded, then that poses a serious public safety issue on top of the security issue.
I would highly recommend you come up with a more direct and local way to achieve the same goals in light of the major issues above.
The text was updated successfully, but these errors were encountered: