Cloud security services provider Wiz Research discovered a publicly accessible database of DeepSeek's secret keys, messages and other information, the firm reported earlier today. This database included details such as chat history and API secrets, according to Wiz. The firm adds that the database could be fully controlled, which means that whoever accessed it could execute code without any oversight and manipulate the data to serve their needs. After Wiz informed DeepSeek about the database, the Chinese firm immediately restricted public access and then took it down.
DeepSeek's Publicly Available Database Enabled Plaintext Password Extraction & Proprietary Information Directly From The Server
Wiz shares that as it scoured through DeepSeek's publicly accessible domains, it came across a ClickHouse database that was "accessible without any authentication at all." This database contained a plethora of ordinary and sensitive information, which is typically reserved only for the operators of an AI model and not its users or other members of the general public.
Wiz reveals that it could run SQL commands on the database, which allowed for a variety of operations. SQL is a database programming language that enables users to extract data and other insights by linking different items or running other operations.
The security firm ran a simple command that generates a list of all tables in a database. This command revealed several sub-databases, one of which contained more than one million 'log' entries.
A log entry is a record of a user's interaction with DeepSeek, and according to Wiz, the records contained information about chat history, keys used to identify users and other details that could allow attackers to "exfiltrate plaintext passwords and local files along proprietary information."
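For operators who want to check their own deployments for the condition Wiz describes, the following added example (not from Wiz, DeepSeek or the original article) audits a ClickHouse `users.xml` for accounts that have no credential and can be reached from any address. The sample configuration is constructed, and treating a missing `<networks>` block as unrestricted is a conservative assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample users.xml for illustration; not from any real deployment.
SAMPLE_USERS_XML = """<clickhouse><users>
  <default>
    <password></password>
    <networks><ip>::/0</ip></networks>
  </default>
  <ingest>
    <password_sha256_hex>PLACEHOLDER_HASH</password_sha256_hex>
    <networks><ip>0.0.0.0/0</ip></networks>
  </ingest>
  <local_admin>
    <password></password>
    <networks><ip>127.0.0.1</ip><ip>::1</ip></networks>
  </local_admin>
</users></clickhouse>"""

SECRET_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")
EXTERNAL_TAGS = ("ldap", "kerberos", "ssl_certificates")  # not exhaustive

def has_credential(user):
    """True if the user has a non-empty secret or an external authenticator."""
    if any(user.find(t) is not None for t in EXTERNAL_TAGS):
        return True
    return any((user.findtext(t) or "").strip() for t in SECRET_TAGS)

def reachable_from_anywhere(user):
    """True if a <networks> entry admits every address."""
    nets = user.find("networks")
    if nets is None:
        return True  # assumption: nothing restricts the user, so flag it
    for ip in nets.findall("ip"):
        try:
            net = ipaddress.ip_network((ip.text or "").strip(), strict=False)
        except ValueError:
            continue  # not an IP or CIDR literal
        if net.prefixlen == 0:
            return True
    return False

def audit(xml_text):
    """Return names of users with no credential that any host can reach."""
    users = ET.fromstring(xml_text).findall("./users/*")
    return [u.tag for u in users
            if not has_credential(u) and reachable_from_anywhere(u)]

if __name__ == "__main__":
    for name in audit(SAMPLE_USERS_XML):
        print(f"{name}: passwordless and reachable from any address")
```

Only `default` is flagged in the sample: `ingest` is open to every address but has a password hash, and `local_admin` has no password but is limited to loopback.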

The rising popularity of AI chatbots and the sudden splash DeepSeek made this month have generated fresh concerns about AI privacy. User data has been at the heart of America's TikTok ban as lawmakers fret about the ability of hostile foreign nations to misuse the information of millions of Americans.
For DeepSeek, the US Navy stopped servicemembers from using the AI platform for either their work or personal use. Concerns about data privacy and the application's national origin were at the heart of the Navy's decision.
After DeepSeek's soaring popularity, a closer look at its English-language privacy policy revealed that the firm confirmed that it "store[s] the information we collect in secure servers located in the People's Republic of China." The privacy policy added that the firm "may collect your text or audio input, prompt, uploaded files, feedback, chat history, or other content that you provide to our model and Services."
China's laws, which require all companies to share their data with the government for intelligence gathering or other purposes, have raised concerns about the potential misuse of data. These concerns have also led to the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA), which requires TikTok US to divest itself from China's ByteDance if it wants to continue operating in the US.





