DeepSeek found bypassing Apple’s security measures, exposing user data

DeepSeek, a popular AI chatbot app, is facing serious security concerns after researchers discovered multiple vulnerabilities that could expose user data and pose a national security risk. A recent investigation by cybersecurity firm NowSecure revealed that the app transmits unencrypted user data to servers controlled by ByteDance, the parent company of TikTok. Additionally, DeepSeek uses outdated encryption protocols and deliberately disables Apple’s App Transport Security (ATS), leaving user data exposed to potential interception by third parties.


One of the most alarming findings in the report is that DeepSeek hardcodes a deprecated 3DES encryption key into the app, meaning that all users share the same encryption key. This weak security measure makes it easy for attackers to decrypt and access sensitive user information. Even more concerning, once the data reaches ByteDance’s servers, encryption is stripped away, allowing for potential tracking and de-anonymization. Given China’s strict data access laws, which compel companies to provide information to government authorities upon request, this raises significant privacy concerns, especially for users handling sensitive or confidential information.

Cybersecurity experts warn that DeepSeek’s lax security practices make it an easy target for hackers and surveillance efforts. High-value individuals, such as government officials, journalists, and corporate executives, could be particularly vulnerable to espionage or targeted attacks. The risks extend beyond personal privacy, as compromised data could be exploited for political, economic, or strategic advantages.

Despite these serious security flaws, DeepSeek remains available on Apple’s App Store, raising questions about Apple’s app review process. Apple has long marketed its ecosystem as secure, implementing strict privacy standards for developers, yet DeepSeek’s presence on the platform challenges that narrative. The Android version of the app reportedly has even weaker security, heightening concerns about its availability on Google Play.

This situation bears similarities to the ongoing scrutiny surrounding TikTok, which has faced bans and restrictions in several countries over concerns about data privacy and its ties to ByteDance. U.S. lawmakers have repeatedly warned about the risks associated with Chinese-owned apps, and some experts speculate that DeepSeek could soon face similar government action. If the developers fail to address these security concerns, regulatory pressure could mount, potentially leading to DeepSeek’s removal from app stores or restrictions on its use in sensitive environments.

For now, users are advised to exercise caution when using DeepSeek, particularly when sharing personal or confidential information. Until the developers implement stronger encryption standards and address data privacy concerns, the app remains a significant security risk.

(via Ars Technica)

About the Author

Asma is an editor at iThinkDifferent with a strong focus on social media, Apple news, streaming services, guides, mobile gaming, app reviews, and more. When not blogging, Asma loves to play with her cat, draw, and binge on Netflix shows.