**Not privateSECURITY-ISSUE* DO NOT USE UNTIL CHANGES ARE MADE*

Question

**Not privateSECURITY-ISSUE* DO NOT USE UNTIL CHANGES ARE MADE*

4m0ses opened this issue 2 years ago · 11 comments

@D-32 @liady @adrianmarinwork it is important to note that the current implementation of the code uploads data to the author's S3 bucket. While this may be a convenient solution for the author, it poses a potential security risk, as it could allow the author to access sensitive data, such as passwords or API keys, that users may inadvertently include in their data.

To address this concern, it would be advisable to modify the code so that it does not upload user data to a third-party service, such as the author's S3 bucket. One potential solution could be to modify the code so that it saves the user's data locally on their own machine instead of uploading it to a remote server. This would help ensure that the user's data remains secure and under their control.

It is important to be mindful of potential security risks when using third-party software or services. Users should always carefully review the code and configuration of any software or service they use, and take appropriate steps to secure their data and systems.

Answer 1 · 2023-02-22T13:51:08.000Z

I would recommand allow people to add their own links or save the html file to local

Answer 2 · 2023-02-22T22:13:20.000Z

There is no cause for alarm here. You clearly didn't make any analysis, pure speculation. I can confirm that Generate PNG and Download PDF is processed locally and no user data is being smuggled. Share Link is something which has to be hosted in the cloud for universal access. And by observing the network activities, no sensitive user data is being sent when a post request is made to https://chat-gpt-static.netlify.app/.netlify/functions/chatgpt-upload.

Answer 3 · 2023-02-23T17:53:53.000Z

Whether sensitive data is sent to that Netlify function or not would rather seem to depend on whether any sensitive data was included in the chat itself. With that in mind it might indeed be nice to warn users that their data is being sent to a third party in order to be shared.

Answer 4 · 2023-02-23T19:46:17.000Z

Ok, i am confused. An alert like Your chat may include sensitive data. Proceed to share ? before being uploaded?

Answer 5 · 2023-02-23T19:54:28.000Z

1# - The danger here is that you not in control of the chats that are been sent to the s3 bucket,

2# What if you want to delete the chat because you had forgot that you had put your password or sensitive information - you can't

#3 it is important to understand that data is being harvested here... lastly why can't the code be transparent enough so you could add you own s3 bucket or storj or even your own server

Listen i am not saying that this is what they would do, but i am suggesting for them to be open and trust worthly.

@watsonbox @spidy0x0 @liady @D-32

Answer 6 · 2023-02-23T20:02:13.000Z

Agreed. Vouch

Answer 7 · 2023-02-23T21:24:07.000Z

Hello guys, thank you for all your information about security issues. It's good to have in mind this kind of things.
Unfortunately, the owner of this project has stopped developing/maintaining the repository, I'm not a collaborator or the owner, I helped him with an issue some time ago.
I don't know if there are other projects that can do the same as this one.

Answer 8 · 2023-03-02T04:59:55.000Z

@4m0ses could you give a starting point for where these changes would need to be made? I'm happy to take a look at it.

Answer 9 · 2023-03-02T07:44:52.000Z

async function sendRequest() {
const data = getData();
const uploadUrlResponse = await fetch(
"https://chatgpt-static.s3.amazonaws.com/url.txt"
);
const uploadUrl = await uploadUrlResponse.text();
fetch(uploadUrl, {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(data),
})
.then((response) => response.json())
.then((data) => {
window.open(data.url, "_blank");
});
}

Answer 10 · 2023-03-02T07:45:54.000Z

I believe this where the code goes and send the html file and returns with a link @trydalch

async function sendRequest() {
  const data = getData();
  const uploadUrlResponse = await fetch(
    "https://chatgpt-static.s3.amazonaws.com/url.txt"
  );
  const uploadUrl = await uploadUrlResponse.text();
  fetch(uploadUrl, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify(data),
  })
    .then((response) => response.json())
    .then((data) => {
      window.open(data.url, "_blank");
    });
}

Answer 11 · 2023-04-06T11:40:35.000Z

Why don't you just remove sendRequest(); from the actionsArea.appendChild(downloadPdfButton);? Therefore, the code would never call the sendRequest function.