The generative intelligence platform DeepSeek has set the world on fire this week, but with great popularity comes increased scrutiny. Analysts with Wiz Research have found a fairly substantial hole in the software’s security. The research shows that DeepSeek left one of its critical databases exposed.
This means that whoever came across the database would be allowed access to more than one million records, including user data, system logs, API keys and even prompt submissions. The researchers also noted that they were able to find the database almost immediately, without too much scanning or probing.
BREAKING: Internal #DeepSeek database publicly exposed 🚨
— Wiz (@wiz_io) January 29, 2025
Wiz Research has discovered "DeepLeak" - a publicly accessible ClickHouse database belonging to DeepSeek, exposing highly sensitive information, including secret keys, plain-text chat messages, backend details, and logs. pic.twitter.com/C7HZTKNO3p
“Usually when we find this kind of exposure, it’s in some neglected service that takes us hours to find—hours of scanning,” Nir Ohfeld, the head of vulnerability research at Wiz, told Wired. But this time, he said, “here it was at the front door.”
Wiz Research says it’s possible that a nefarious actor could have used this security hole to access other DeepSeek systems, but the company admits it only performed the base minimum assessment. This was to confirm its findings without further compromising user privacy. There is also no evidence that anyone else found the database.
Wiz staffers didn’t exactly know how to disclose their findings, given that DeepSeek is both a new entity and based in China. Researchers eventually sent their findings to every email address and LinkedIn profile they could find. The database was locked down within 30 minutes of the mass email.
DeepSeek isn’t the only AI company that has experienced a serious security breach (or two.) A hacker was able to access OpenAI’s internal messaging logs back in 2023 and a bug exposed personal information later that year.
“AI is the new frontier in everything related to technology and cybersecurity,” Ohfeld said. “Still we see the same old vulnerabilities like databases left open on the internet.”
As previously mentioned, DeepSeek took the world by storm in the past week or so. The disruptive AI model was allegedly created for just several million dollars. OpenAI runs through billions of dollars each year. This massive financial discrepancy sent the stock market into a tailspin, with many AI-adjacent stocks taking a plunge.
This article originally appeared on Engadget at https://www.engadget.com/ai/security-researchers-found-a-big-hole-in-deepseeks-security-163536961.html?src=rss https://www.engadget.com/ai/security-researchers-found-a-big-hole-in-deepseeks-security-163536961.html?src=rssChcete-li přidat komentář, přihlaste se
Ostatní příspěvky v této skupině
Last year’s Silent Hill 2 remake work
Proving that truly no IP is safe from modern reboot
If you're a music fan of a certain age, there's a good chance MTV Unplugged has special place in your heart. With the first episode airing in 1989, over the decades the series has produced some of
British creatives are speaking out against the government's proposed changes to copyright law. Take Kate Bush, Annie Lennox and Ben Howard, who join over 1,000 musicians in releasing a protest albu
One thing writers and multinational consumer electronics corporations have in common is we both need a good editor. Or, failing that, at least a good spell-checker. OnePlus somehow missed that step
