Archive for DeepSeek

PSA: If You Are Using DeepSeek, Dump It ASAP

Posted in Commentary with tags on February 7, 2025 by itnerd

Last week I brought you a story about DeepSeek having a database that for a brief period of time was publicly accessible. That was on top of the fact that DeepSeek was under attack, and two reports of successful jailbreaks popped up. Now there’s news that the iOS version of DeepSeek seriously fails at basic security:

A NowSecure mobile application security and privacy assessment has uncovered multiple security and privacy issues in the DeepSeek iOS mobile app that lead us to urge enterprises to prohibit/forbid its usage in their organizations.

And:

Key Risks Identified:

  1. Unencrypted Data Transmission: The app transmits sensitive data over the internet without encryption, making it vulnerable to interception and manipulation.
  2. Weak & Hardcoded Encryption Keys: Uses outdated Triple DES encryption, reuses initialization vectors, and hardcodes encryption keys, violating best security practices.
  3. Insecure Data Storage: Username, password, and encryption keys are stored insecurely, increasing the risk of credential theft.
  4. Extensive Data Collection & Fingerprinting: The app collects user and device data, which can be used for tracking and de-anonymization.
  5. Data Sent to China & Governed by PRC Laws: User data is transmitted to servers controlled by ByteDance, raising concerns over government access and compliance risks.

Implications for Enterprises & Government Agencies:

  • Exposure of sensitive data, including prompt data; intellectual property, strategic plans, and confidential communications.
  • Increased risk of surveillance through fingerprinting and data aggregation.
  • Regulatory & compliance risks, as data is stored and processed in China under its legal framework.

Recommended Actions:

NowSecure urges enterprises and agencies to:

  • Continuously monitor all mobile applications to detect emerging risks.
  • Immediately remove the DeepSeek iOS app from managed and BYOD environments.
  • Explore alternative AI platforms that prioritize mobile app security and data protection.

This is pretty bad. In fact it’s horrific. Thus I am going to say that if you have the DeepSeek app installed on any device, delete it ASAP. It’s clearly risky to have on your device based on what we see with the iOS version of their app. And to be clear, there are risks when using any AI, as data that you may not want to be out in the public eye might be used for purposes like training the AI, or it might be exposed to third parties like in this example. But this example with DeepSeek is way worse. Hopefully DeepSeek gets investigated to see how far down the rabbit hole DeepSeek’s security issues go.

DeepSeek Is In The News For All The Wrong Reasons

Posted in Commentary with tags on January 30, 2025 by itnerd

A few days ago, DeepSeek was setting the world on fire because the AI that it put on the table offered strong LLM performance at a much lower cost to train. That made heads explode. But heads are exploding again with news that cybersecurity researchers from Wiz have found a ClickHouse database owned by Chinese AI start-up DeepSeek containing over a million lines of chat history and sensitive information. The database was publicly accessible and allowed the researchers full control over database operations. That too made heads explode. And this is on top of attacks on DeepSeek.

Gunter Ollmann, CTO, Cobalt, had this to say:

“The DeepSeek exposure highlights a critical and recurring issue—organizations, especially those innovating rapidly in AI, often prioritize speed over security. Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs. Given DeepSeek’s recent global recognition and growth in the AI space, the breach could have had a huge impact, significantly affecting businesses and individuals relying on their services, with potential ripple effects across industries.

This case underscores why organizations must continuously evaluate the robustness of their defensive controls—not just to meet compliance, but to protect sensitive data and improve their risk posture. Offensive security, including penetration testing and attack surface monitoring, is essential in identifying these open doors before adversaries do. AI-driven platforms like DeepSeek must integrate security testing into their development lifecycle, ensuring rigorous assessments of infrastructure, access controls, and data handling policies.

AI may be “new” but the basics of security processes and controls still apply.

As AI companies become integral to critical infrastructure, security can’t be an afterthought. The industry needs to adopt a proactive mindset—regular pentesting, red teaming, and continuous attack surface monitoring—to safeguard both intellectual property and customer trust.”

The more I hear about DeepSeek, the more I think that this is an AI that should be avoided. They don’t seem to have their act together, and that’s on top of them being based in China, which by itself should set off alarm bells.