DeepSeek, the Chinese startup behind an AI of the same name, has been the victim of a data leak. Wiz researchers have discovered an internal database of the company that is entirely open to the public. It can be accessed without any authentication request.
This directory includes "more than a million lines of logs", that is, records of activities generated by the computer system. It includes in particular "secret keys, details on the backend infrastructure and other highly sensitive information" about the Chinese group.
This information can obviously be used to carry out cyberattacks against the startup. Note that DeepSeek is already in the hackers' sights.
Compromised conversations
Above all, the database includes the history of DeepSeek users' discussions. The requests of chatbot users were therefore at the mercy of the first cybercriminal to come along. De facto, all personal data potentially communicated by users was also at risk.
According to the Wiz report, anyone could read, modify or delete data, or even inject malicious commands into the files. An attacker could have exploited this leak to obtain administrator rights within DeepSeek's computer systems.
Wiz emphasizes that the most serious threats against AI "often come from fundamental vulnerabilities, such as the involuntary exposure of databases accessible from the outside". AI companies are exposed to the same risks as other firms.
DeepSeek fixes the flaw
Wiz researchers contacted DeepSeek’s teams to warn them of the security flaw. The China-based startup was quick to fix the issue. The database is no longer freely available. There is no indication that attackers were able to view the exposed data before DeepSeek deployed a patch.
This is not the first time that DeepSeek’s security has been criticized. Shortly after the AI was made available, researchers realized that the chatbot was riddled with security flaws. They even estimate that DeepSeek is two years behind ChatGPT in terms of security.
Source: Wiz
0 Comments