ChatGPT Export not exporting latest conversations

If a project genuinely needs to modify browser behavior, creating a custom browser extension (using the WebExtension API) with well-defined permissions is safer than using Tampermonkey. So using Tampermonkey is somewhat of a red flag. The account being sponsored and sponsoring Chinese GitHub accounts is also a bit suspicious.

Tampermonkey allows users to inject JavaScript directly into websites. This creates an inherent risk if the scripts are not thoroughly audited. Malicious actors could inject code that steals data, modifies content, or performs other harmful actions.

I haven’t fully audited the code yet, but I’ll take a look.

the red flag is not associated with the code being open source or not, it’s associated with the usage of Tampermonkey over more commonly used and safer options. using Tampermonkey as an attack vector to foothold several users is very common, hence the red flag for it.

here’s a conversation regarding it if you want to look more into it; Reddit - Dive into anything

will do, but considering any malicious activity in the repository might be deeply obfuscated and de-compilation with binary analysis takes a significant amount of technical endeavor, it might be too time consuming for most devs to rightfully check it out

who knows, it might be some benign extension or it might be some malicious extension with active users getting exploited by it…

just to be clear, my intentions here are only to do good, to keep individuals safe, it just seems… off… you know?

1 Like

You’re assuming that people are only using ChatGPT to chat with it as though it’s a human friend, and not experimenting with it for other purposes.

1 Like

Has anyone experimented with using LLMs to do this? I’ve generally found it’s better at understanding code/documenting it/looking for potential issues, rather than generating code.

It’d be interesting running some tests, getting it to analyse code for potential malicious uses/bugs that could cause issues.

as of right now, LLMs are ok-ish at low level programming vulnerability analysis, both in terms of static and dynamic binary analysis. Code obfuscation and malicious binary are still not that good in terms of LLM. It equates to an intern, but still misses crucial parts.

has this been solved for you?

I can export the latest chats as of today (and have been able to for a few weeks).

that’s good to hear man, sometimes it takes a few days to fix a bug

it’s always good to check with the community if others are experiencing the same thing or if there’s a user error

a good guide to report bugs is to follow this post: https://community.openai.com/t/how-to-properly-report-a-bug-to-openai/

this usually speeds up the process of fixes

i am getting the green confirmation which you have posted. the problem is that i don’t receive the email with the URL to the zip file. there are no emails about export at all (including in my spam folder).

i have tried on Arc browser and in iOS app, several times during the last ~2 weeks. in each case i received the frontend confirmation of my request, no errors in console (on browser) and no email with my zip.

i have already stored the script you have posted, thank you for sharing! if i won’t receive any email after yet another attempt to export my data, i will give it a shot.

The only thing that has fixed it for me when mine was broken just for me and not everyone else was deleting some old conversations, as it appeared the export was too “big”.

i think you might be right.

the length of the conversation, the amount of chats and maybe something specific about some conversations seem to prevent the export from being packaged.

I don’t remember saying anything like that.
It’s interesting how content is perceived from different perspectives :thinking:

Well, AI can no longer be called just a “tool”. The technology is getting more and more complex and @proxy has shared very valuable and critical thoughts here - which, however, were not fully understood as it seems to me.
Keyword “responsibility”.

arc browser had a catastrophic vulnerability recently… it had a vulnerability worthy of a 9.8 CVSS: Researcher reveals ‘catastrophic’ security flaw in the Arc browser - The Verge

you can also check out fireship’s take on this: https://www.youtube.com/watch?v=QINoB1_OXUk

I would highly recommend leaving arc browser asap

as some have mentioned about the arc browser:

> • Proprietary browser made by a for-profit startup
> • Requires an account to use
> • Pinky-promises absolute privacy yet gives the browser away for free and expects to be profitable
> • Already had a vulnerability worthy of a 9.8 CVSS
> • Valued the bounty for said 9.8 CVE a measly $2000
>
> Yeah, I’m staying as far away from that as possible…

it would probably be safest for you to change the browser and see if you still have the same issue. using a random Tampermonkey script in the wild can be very dangerous as well.

Is Tampermonkey an unsafe extension to use?

> uses arc browser
> uses random Tampermonkey script

man, really feels like you are gambling with your security here

I was trying out a lot of things to get it to work again, including deleting a number of chat histories, but I kept my most important chats (the extra-long ones). The export function then started working again for me at the exact same time it started working again for other users (@scottjlawson, @cakeller98 et al.) as you can see in this topic.

So, I believe that it will be working again for you soon™️ - in the meantime, you can create backups either via user script, or if you are concerned about security, just copy and paste, or make a full page screenshot and parse the text with an OCR method.


I appreciate that you are looking out for the community, but I’m not convinced that it’s conducive to solving the problem (of being able to reliably export chats) by talking about unrelated exploits.

CVE-2024-45489 was only possible because Arc botched their implementation of Firebase (which is also why Jeff Delaney reported it like he did on his Fireship YT channel). This is super-bad, but you also need to mention that they fixed it right away.

So, Arc messed up, but they also did their very best to mend the issue, and that’s a good thing. They literally fixed it overnight after they became aware of it:


In my opinion Tampermonkey is safe.

The extension has been around since 2010 (long before I was even able to comprehend what a computer really does :speak_no_evil:), and while it went closed-source eventually, the developer is confident and transparent enough to even publicly list his phone number on the Tampermonkey web page. If you are worried, just ring him up, and ask, I guess? (Imprint | Tampermonkey)

Redditor First-Piano3005 from the 2 year old screenshot from Reddit has a good take on it “it’s safe as long as you only install the safe userscripts” - and that can be extended to any app, add-on, script, or plugin in any type of environment that allows the creation of such.

Don’t panic.

1 Like

suddenly received an email with my data archive. just requested it when i replied last time on that thread.

either it is working again, or it is just a random thing.

anyways i will keep the extension recommended here handy.

Nice! Make sure to check if all your chats are in the archive. Some users were missing chats, but that problem cleared up as well.

1 Like

When that happens to me it’s usually working again, and sometimes I’ll get a bunch in a row, from the multiple attempts I tried!

FYI not sure how big your ZIP files are, and whether the issue around was related to number of conversations, or size of the ZIP or JSON file… but I’ve found when the JSON file is above roughly 17mb I’ve run into problems, and ZIP above 7mb or so, and not sure about number of conversations, but probably a couple of thousand.

2 Likes

it’s not the use of Tampermonkey, it is using shady scripts with it. There’s been so many hacks involving seemingly safe Tampermonkey scripts that it raises a red flag for a good cause.


oh look, oaifree(dot)com (do not access this website), sounds legit, right?

Given that this URL is within a tampermonkey script, this is particularly concerning. Tampermonkey scripts can be used to modify or automate interactions with websites, and in this context, it might be used to manipulate or spoof ChatGPT’s user interface for unauthorized purposes. This could be done to bypass rate limits, alter responses, or even steal personal data.

Such scripts and third-party sites often carry privacy and security risks, especially since they may involve rerouting or intercepting data between the user and legitimate platforms. It is advisable to avoid interacting with or using this site, especially if it was associated with suspicious scripts. Ensure that you’re using only official OpenAI channels to interact with ChatGPT for a secure experience.


you can also find these shady URLs in vite.config.ts

Potential Issue: Fetching external libraries from CDNs, while convenient, comes with some risks. If the CDN is compromised or if the versions are not properly locked, you could unknowingly include a malicious or tampered version of these libraries.

in api.ts, there is also this:

  • Proper sanitization of all user-generated or API-fetched content before insertion into the DOM.
  • Secure handling of access tokens and session data.
  • Validation of all API responses, especially image and file downloads.
  • Implementation of proper Content Security Policies (CSP) to mitigate risks like XSS or data injection.

Now, back to the shady URL:
If the oaifree.com domain is a malicious actor, this could allow the script to execute on that site, potentially leading to unauthorized access to sensitive user information (such as their OpenAI session tokens, chat history, or other personal details).

Potential Issue: Userscripts that interact with sensitive pages (like those dealing with user chats or API data) need to ensure they are not exposed to unauthorized or malicious sites. The inclusion of potentially rogue domains like oaifree.com should be carefully scrutinized.

Conclusion:

While a user who only interacts with chat.openai.com may think they are safe, the presence of oaifree.com in both the domain match list and the API URL mappings means that data could be sent to a rogue domain under certain conditions, such as redirection or phishing. To prevent this, it’s essential to:

  • Remove any references to oaifree.com in the code.
  • Hardcode trusted API URLs to ensure sensitive data isn’t sent to unauthorized servers.
  • Restrict the script’s domain matching to only the official domains you trust.

This will mitigate the risk of information being sent to suspicious third-party domains like oaifree.com.

With this being said, I wouldn’t defend this repository any longer. There’s no good reason to have this shady URL there. It might seem ok at a naive glance, but it is as simple as hiding some obfuscated code in the UI scripts and all of a sudden your private chat history is getting sent to the backend of this website.
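The domain-match check recommended in the post above can be automated before installing a userscript. The following is an added example, not code from the thread or from the repository under discussion: it parses a userscript's metadata block and flags every `@match`, `@include`, `@connect`, `@require` or `@resource` entry whose host is not on an allowlist. The allowlist, the function names and the sample header (with `mirror.example` standing in for a third-party domain) are constructed assumptions.

```javascript
// TRUSTED_HOSTS and SAMPLE are constructed for illustration (assumptions).
const TRUSTED_HOSTS = new Set(["chat.openai.com", "chatgpt.com"]);
const HOST_KEYS = new Set(["match", "include", "connect", "require", "resource"]);

// Collect "@key value" pairs between ==UserScript== and ==/UserScript==.
function parseMetadata(source) {
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return [];
  const entries = [];
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@([\w:-]+)\s+(.*\S)\s*$/);
    if (m) entries.push({ key: m[1], value: m[2] });
  }
  return entries;
}

// Host part of a match pattern, URL, or bare @connect domain; null if none.
function hostOf(value) {
  const token = value.split(/\s+/).pop(); // "@resource name url" -> url
  const m = token.match(/^(?:[a-z*]+:\/\/)?([^\/?#]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Flag every host-bearing entry that is not an exact allowlisted host.
function auditUserscript(source) {
  const findings = [];
  for (const { key, value } of parseMetadata(source)) {
    if (!HOST_KEYS.has(key)) continue;
    const host = hostOf(value);
    if (host === null || host.includes("*") || host.startsWith("<")) {
      findings.push({ key, value, reason: "wildcard-or-unparseable" });
    } else if (!TRUSTED_HOSTS.has(host)) {
      findings.push({ key, value, reason: "untrusted-host" });
    }
  }
  return findings;
}

const SAMPLE = [
  "// ==UserScript==",
  "// @match    https://chat.openai.com/*",
  "// @match    https://mirror.example/*",
  "// @require  https://cdn.example.net/lib/latest/index.js",
  "// @connect  *",
  "// @grant    GM_xmlhttpRequest",
  "// ==/UserScript==",
].join("\n");
console.log(auditUserscript(SAMPLE));
```

The check fails closed: wildcard hosts, `<all_urls>` and regex-style `@include` values are reported rather than guessed at, and it covers only the metadata header, so URLs assembled inside the script body still need a manual read.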

my ZIP is 32.5 mb ;D

i guess that’s a lot.