The generative intelligence platform DeepSeek has set the world on fire this week, but with great popularity comes increased scrutiny. Analysts with Wiz Research have found a fairly substantial hole in the software’s security. The research shows that DeepSeek left one of its critical databases exposed.
This means that whoever came across the database would be allowed access to more than one million records, including user data, system logs, API keys and even prompt submissions. The researchers also noted that they were able to find the database almost immediately, without too much scanning or probing.
BREAKING: Internal #DeepSeek database publicly exposed 🚨
— Wiz (@wiz_io) January 29, 2025
Wiz Research has discovered "DeepLeak" - a publicly accessible ClickHouse database belonging to DeepSeek, exposing highly sensitive information, including secret keys, plain-text chat messages, backend details, and logs. pic.twitter.com/C7HZTKNO3p
“Usually when we find this kind of exposure, it’s in some neglected service that takes us hours to find—hours of scanning,” Nir Ohfeld, the head of vulnerability research at Wiz, told Wired. But this time, he said, “here it was at the front door.”
Wiz Research says it’s possible that a nefarious actor could have used this security hole to access other DeepSeek systems, but the company admits it only performed the base minimum assessment. This was to confirm its findings without further compromising user privacy. There is also no evidence that anyone else found the database.
Wiz staffers didn’t exactly know how to disclose their findings, given that DeepSeek is both a new entity and based in China. Researchers eventually sent their findings to every email address and LinkedIn profile they could find. The database was locked down within 30 minutes of the mass email.
DeepSeek isn’t the only AI company that has experienced a serious security breach (or two.) A hacker was able to access OpenAI’s internal messaging logs back in 2023 and a bug exposed personal information later that year.
“AI is the new frontier in everything related to technology and cybersecurity,” Ohfeld said. “Still we see the same old vulnerabilities like databases left open on the internet.”
As previously mentioned, DeepSeek took the world by storm in the past week or so. The disruptive AI model was allegedly created for just several million dollars. OpenAI runs through billions of dollars each year. This massive financial discrepancy sent the stock market into a tailspin, with many AI-adjacent stocks taking a plunge.
This article originally appeared on Engadget at https://www.engadget.com/ai/security-researchers-found-a-big-hole-in-deepseeks-security-163536961.html?src=rss https://www.engadget.com/ai/security-researchers-found-a-big-hole-in-deepseeks-security-163536961.html?src=rssConnectez-vous pour ajouter un commentaire
Autres messages de ce groupe
Hasbro Entertainment and Legendary Entertainment have joined forces to bring Magic: The Gathering to the big and small screens. The pair have signed a licensing deal to create "a live-acti
The Entertainment Software Association is making a fresh attempt to launch a gaming event. The new project is called iicon, or the "interactive innovation conference." It's not as catchy a name as
Spotting AI's work can be increasingly difficult as its capabilities and subtleties continue to improve. This continued shift makes labeling AI generated work all the more critical — something that
