DeepSeek iOS app sends sensitive user data unencrypted to ByteDance's servers
Feb 10, 2025 at 3:15 PM

Mobile app security firm NowSecure has identified significant security and privacy vulnerabilities in the DeepSeek iOS application. Despite DeepSeek's recent acclaim for its open-source AI chatbot, DeepSeek R1, which rivals market leaders like OpenAI in simulated reasoning, the app's security flaws pose serious risks for individuals and companies.

The app, already installed on millions of devices used by individuals, enterprises, and government employees, transmits sensitive data without encryption, exposing it to interception and manipulation on the network. That data goes to servers controlled by ByteDance, raising concerns about government access and regulatory compliance. Additionally, the app stores usernames, passwords, and encryption keys insecurely on the device, heightening the risk of credential theft. The encryption it does apply is weak: it uses the outdated Triple DES cipher, reuses initialization vectors, and hardcodes the encryption keys in the app itself, so anyone with a copy of the binary can recover the keys and decrypt the data. Each of these contravenes established cryptographic best practice.

These vulnerabilities underscore the critical need for organizations to immediately restrict the app's use to protect sensitive information and reduce cyber risk exposure.
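The cryptographic findings above (a static Triple DES key and a reused IV) are easier to see than to describe. The following is an added example written for this page; it is not code from the DeepSeek app or from NowSecure's report. It assumes the Python `cryptography` package, and the key, IV and JSON payloads are constructed stand-ins. With a fixed key and IV, 3DES-CBC is deterministic: two payloads that agree on their first 32 bytes produce ciphertexts that agree on their first four blocks, so an observer who cannot decrypt still learns which messages share content, and with the key in the binary they can decrypt anyway. The AES-GCM half shows what fixes both problems: a per-message random nonce and an authentication tag.

```python
"""Added example, not code from the DeepSeek app or from NowSecure's report.

Contrasts the weak pattern described above (3DES-CBC with a key and IV
hardcoded in the app) with AES-GCM using a per-message random nonce.
Requires the third-party `cryptography` package (pip install cryptography).
"""
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:  # cryptography >= 43 moved 3DES to the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

# Assumed stand-ins for a key and IV baked into an app binary. Anyone who
# can read the binary can read these, so the ciphertext is decryptable by
# anyone; the values themselves are arbitrary.
HARDCODED_3DES_KEY = bytes.fromhex(
    "0123456789abcdef" "fedcba9876543210" "89abcdef01234567"
)
FIXED_IV = b"\x00" * 8  # 3DES block size is 8 bytes

# Constructed sample payloads: same account, different session token.
MSG1 = b'{"user":"alice","token":"s3cr3t-A"}'
MSG2 = b'{"user":"alice","token":"s3cr3t-B"}'


def weak_encrypt(plaintext: bytes) -> bytes:
    """3DES-CBC with a static key and static IV: deterministic, so equal
    plaintexts (and equal plaintext prefixes) give equal ciphertexts."""
    padder = padding.PKCS7(64).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(TripleDES(HARDCODED_3DES_KEY), modes.CBC(FIXED_IV)).encryptor()
    return enc.update(padded) + enc.finalize()


def shared_leading_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """How many leading 8-byte blocks two ciphertexts have in common.
    Under CBC with a reused IV, each matching block tells an eavesdropper
    that the two plaintexts agree on that block."""
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), 8):
        if ct_a[i:i + 8] != ct_b[i:i + 8]:
            break
        n += 1
    return n


def new_key() -> bytes:
    """Fresh AES-256 key; on iOS this would live in the Keychain, not in code."""
    return AESGCM.generate_key(bit_length=256)


def strong_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """AES-256-GCM with a random 96-bit nonce prepended to the ciphertext.
    A fresh nonce per message makes repeated plaintexts unlinkable, and the
    GCM tag detects any modification in transit."""
    nonce = secrets.token_bytes(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def strong_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Split off the nonce and decrypt; raises InvalidTag if tampered with."""
    nonce, ct = blob[:12], blob[12:]
    return AESGCM(key).decrypt(nonce, ct, aad)


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit and check that GCM rejects the result."""
    forged = bytearray(blob)
    forged[12] ^= 0x01  # first byte after the nonce
    try:
        strong_decrypt(key, bytes(forged))
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    c1, c2 = weak_encrypt(MSG1), weak_encrypt(MSG2)
    print("3DES/fixed IV: identical leading blocks:", shared_leading_blocks(c1, c2))
    print("3DES/fixed IV: same plaintext, same ciphertext:", weak_encrypt(MSG1) == c1)
    k = new_key()
    b1, b2 = strong_encrypt(k, MSG1), strong_encrypt(k, MSG1)
    print("AES-GCM: same plaintext, distinct ciphertexts:", b1 != b2)
    print("AES-GCM: round trip ok:", strong_decrypt(k, b1) == MSG1)
    print("AES-GCM: tampering detected:", tamper_detected(k, b1))
```

The Keychain comment marks where the key should live on iOS; the example keeps it in memory only so that it runs anywhere. Note that the leak is a property of the fixed IV, not of Triple DES specifically: AES-CBC with a reused IV exposes the same shared-prefix pattern.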

Feb 10, 2025 by Paul


Comments

Shahriar Setareh Sobh
Comment, Feb 15, 2025

I completely agree with the importance of security, especially when sensitive user data is involved. It's crucial to ensure that any app, whether it's an AI-based one like DeepSeek or anything else, follows the best security practices and protects user information with proper encryption methods. The vulnerabilities mentioned are concerning, as they could expose valuable data to malicious entities. It's a good reminder for all of us to not just trust an app based on its popularity but also verify its security standards regularly.

It's definitely crucial that developers take a security-first approach to avoid these types of risks.

NECOdes
Comment, Feb 11, 2025

True or false, this was obviously bound to happen. The whole appeal of this model for me was to run it locally on my consumer-level GPU.

lionking420
Comment, Feb 11, 2025

Wow. So, America fears China might outpace them in the AI race, attempts to threaten and bully a company (loosely) associated with a company famous for being sold billions of users' data by Mark Zuckerberg just 5 or so years ago (the world conveniently forgot the Facebook/Tencent 2 billion user data deal controversy. That's right, Tencent owns ByteDance. Is it possible that the 2024 Russian company who funded American live streamers, called TENET, is also a subsidiary of TENCENT? Government says no; the blatant similarity of the company names says "probably". But, I digress). America wanted to win the war over AI, but they only ended up Winning the Poo(h). Glad ol' Uncle Sam is looking out for us though, I've got 6 USA flag banner t-shirts being delivered to me by Temu right now. When they shut down DeepSeek in America, the kids will all be deeply seeking their consciousness for a shred of sympathy from a greedy elite class of app-banning boomers.

2 replies
Lid9406

Oh, please. The whole 'America fears China' narrative isn't even the real issue here (though watching the US squirm isn't exactly keeping anyone up at night). The truly delicious irony? China's apparent knack for 'innovating' – and by innovating, I mean either helping themselves to existing technology or slapping their name on open-source projects. Because nothing says 'technological supremacy' quite like claiming you've built a better, faster, cheaper mousetrap when you've basically redecorated someone else's blueprint. But hey, who doesn't love a good propaganda story?

The key issue here is that sensitive data is being transmitted without encryption, leaving it vulnerable to interception and manipulation. This includes personal information such as credit card details, Apple Pay and Google Pay data, passwords, bank account information, and other private data that we routinely access and store on our phones. While these devices are marketed as "ultra-secure" and supposedly keep our data protected through encryption, this security becomes meaningless if we leave obvious vulnerabilities exposed. It's similar to having a high-security vault but leaving its door wide open - or worse, securing the door while ignoring a massive hole in the wall that allows anyone to walk in and take whatever they want.

TL;DR: The point is not as much about China as it is about the huge gaping hole in the security of the devices we run DeepSeek on!

Reply written Feb 11, 2025

Stintion

Bro used AI to write a comment about AI

Reply written Feb 15, 2025

Azazel
Comment, Feb 10, 2025

What a turn!... Well, good thing TikTok, Opera and CapCut send all your data to China encrypted.

1 reply
Lid9406

LOL

Reply written Feb 11, 2025

UserPower
Comment, Feb 10, 2025

And it seems very unlikely that DeepSeek's 150 engineers are that bad at security. (Also, it seems unrelated to Italy's earlier concerns, though.) Worse, that's happening even after Apple has supposedly manually "validated" the app. It's another kind reminder to never blindly trust any app (or anything), especially proprietary ones, because nobody can easily check.

Tobias
Comment, Feb 10, 2025

Use distilled versions locally or use OpenRouter instead.

Gu