Experts Flag Security, Privacy Risks in DeepSeek AI App


New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks.

Public interest in the DeepSeek AI chat apps swelled following widespread media reports that the upstart Chinese AI firm had managed to match the abilities of cutting-edge chatbots while using a fraction of the specialized computer chips that leading AI companies rely on. As of this writing, DeepSeek is the third most-downloaded “free” app on the Apple store, and #1 on Google Play.

DeepSeek’s rapid rise caught the attention of the mobile security firm NowSecure, a Chicago-based company that helps clients screen mobile apps for security and privacy threats. In a teardown of the DeepSeek app published today, NowSecure urged organizations to remove the DeepSeek iOS mobile app from their environments, citing security concerns.

NowSecure founder Andrew Hoog said they haven’t yet concluded an in-depth analysis of the DeepSeek app for Android devices, but that there is little reason to believe its basic design would be functionally much different.

Hoog told KrebsOnSecurity there were a number of qualities about the DeepSeek iOS app that suggest the presence of deep-seated security and privacy risks. For starters, he said, the app collects an awful lot of data about the user’s device.

“They are doing some very interesting things that are on the edge of advanced device fingerprinting,” Hoog said, noting that one property of the app tracks the device’s name — which for many iOS devices defaults to the customer’s name followed by the type of iOS device.

The device information shared, combined with the user’s Internet address and data gathered from mobile advertising companies, could be used to deanonymize users of the DeepSeek iOS app, NowSecure warned. The report notes that DeepSeek communicates with Volcengine, a cloud platform developed by ByteDance (the makers of TikTok), although NowSecure said it wasn’t clear if the data is just leveraging ByteDance’s digital transformation cloud service or if the declared information share extends further between the two companies.

Image: NowSecure.

Perhaps more concerning, NowSecure said the iOS app transmits device information “in the clear,” without any encryption to encapsulate the data. This means the data being handled by the app could be intercepted, read, and even modified by anyone who has access to any of the networks that carry the app’s traffic.

“The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels,” the report observed. “Since this protection is disabled, the app can (and does) send unencrypted data over the internet.”

Hoog said the app does selectively encrypt portions of the responses coming from DeepSeek servers. But they also found it uses an insecure and now deprecated encryption algorithm called 3DES (aka Triple DES), and that the developers had hard-coded the encryption key. That means the cryptographic key needed to decipher those data fields can be extracted from the app itself.
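The App Transport Security setting the report singles out lives in the app bundle's Info.plist, so it is one of the easier findings to verify yourself before trusting a third-party teardown. The following is an added example (not NowSecure's tooling and not code from the DeepSeek app) that reads an Info.plist and flags the ATS keys that permit cleartext or weakened TLS connections. The plist embedded below is constructed for illustration; the key names are the real ones Apple documents for the NSAppTransportSecurity dictionary.

```python
import plistlib

# Constructed sample Info.plist with ATS disabled globally and one domain
# exception. This is illustrative data, not the contents of any real app.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sampleapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed plist with no ATS overrides at all (platform defaults apply).
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.cleanapp</string>
</dict>
</plist>
"""


def ats_findings(plist_bytes):
    """Return a list of human-readable findings for ATS weakenings in an Info.plist.

    plistlib.loads accepts both XML and binary plists, so this works on the
    Info.plist extracted from an .ipa (Payload/<App>.app/Info.plist) as well.
    An empty list means no ATS override was found.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # The global switch: true means any host may be reached over plain HTTP.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(
            "NSAllowsArbitraryLoads is true: ATS disabled globally, "
            "cleartext HTTP permitted to any host"
        )

    # Narrower global relaxations that still deserve a look in review.
    for flag in (
        "NSAllowsArbitraryLoadsInWebContent",
        "NSAllowsArbitraryLoadsForMedia",
        "NSAllowsLocalNetworking",
    ):
        if ats.get(flag):
            findings.append(f"{flag} is true")

    # Per-domain exceptions: cleartext, no forward secrecy, or old TLS floors.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"exception for {domain}: insecure HTTP loads allowed")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"exception for {domain}: forward secrecy not required")
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"exception for {domain}: minimum TLS lowered to {min_tls}")

    return findings


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_INFO_PLIST), ("clean", CLEAN_INFO_PLIST)):
        print(f"{label}: {ats_findings(blob) or ['no ATS overrides']}")
```

Note that a clean ATS block only tells you the platform will refuse cleartext connections made through the system networking stack; an app that ships its own TLS stack or wraps data in a home-grown cipher (as the report describes with 3DES and a hard-coded key) still needs traffic and binary review.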

There were other, less alarming security and privacy issues highlighted in the report, but Hoog said he’s confident there are additional, unseen security concerns lurking within the app’s code.

“When we see people exhibit really simplistic coding errors, as you dig deeper there are usually a lot more issues,” Hoog said. “There is virtually no priority around security or privacy. Whether cultural, or mandated by China, or a witting choice, taken together they point to significant lapse in security and privacy controls, and that puts companies at risk.”

Apparently, plenty of others share this view. Axios reported on January 30 that U.S. congressional offices are being warned not to use the app.

“[T]hreat actors are already exploiting DeepSeek to deliver malicious software and infect devices,” read the notice from the chief administrative officer for the House of Representatives. “To mitigate these risks, the House has taken security measures to restrict DeepSeek’s functionality on all House-issued devices.”

TechCrunch reports that Italy and Taiwan have already moved to ban DeepSeek over security concerns. Bloomberg writes that The Pentagon has blocked access to DeepSeek. CNBC says NASA also banned employees from using the service, as did the U.S. Navy.

Beyond security concerns tied to the DeepSeek iOS app, there are indications the Chinese AI company may be playing fast and loose with the data that it collects from and about users. On January 29, researchers at Wiz said they discovered a publicly accessible database linked to DeepSeek that exposed “a significant volume of chat history, backend data and sensitive information, including log streams, API secrets, and operational details.”

“More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world,” Wiz wrote. [Full disclosure: Wiz is currently an advertiser on this website.]

KrebsOnSecurity sought comment on the report from DeepSeek and from Apple. This story will be updated with any substantive replies.


A Vulnerability in Trimble Cityworks Could Allow for Remote Code Execution


A vulnerability has been discovered in Trimble Cityworks that could allow for remote code execution. Trimble Cityworks is a system that helps manage the lifecycle of assets for public infrastructure. It uses GIS (geographic information systems) to help with tasks such as permitting, licensing, construction, maintenance, and replacement. Successful exploitation of this vulnerability could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs or view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


nginx-1.26.3-1.fc40 nginx-mod-fancyindex-0.5.2-8.fc40 nginx-mod-modsecurity-1.0.3-16.fc40 nginx-mod-naxsi-1.6-9.fc40 nginx-mod-vts-0.2.3-3.fc40


FEDORA-2025-016ed44ddc

Packages in this update:

nginx-1.26.3-1.fc40
nginx-mod-fancyindex-0.5.2-8.fc40
nginx-mod-modsecurity-1.0.3-16.fc40
nginx-mod-naxsi-1.6-9.fc40
nginx-mod-vts-0.2.3-3.fc40

Update description:

Changes with nginx 1.26.3 05 Feb 2025

*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).

*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.

*) Workaround: “gzip filter failed to use preallocated memory” alerts
appeared in logs when using zlib-ng.

*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.

*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.

*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.

*) Bugfixes in HTTP/3.


nginx-1.26.3-1.fc41 nginx-mod-fancyindex-0.5.2-10.fc41 nginx-mod-modsecurity-1.0.3-16.fc41 nginx-mod-naxsi-1.6-9.fc41 nginx-mod-vts-0.2.3-3.fc41


FEDORA-2025-66ebd291f8

Packages in this update:

nginx-1.26.3-1.fc41
nginx-mod-fancyindex-0.5.2-10.fc41
nginx-mod-modsecurity-1.0.3-16.fc41
nginx-mod-naxsi-1.6-9.fc41
nginx-mod-vts-0.2.3-3.fc41

Update description:

Changes with nginx 1.26.3 05 Feb 2025

*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).

*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.

*) Workaround: “gzip filter failed to use preallocated memory” alerts
appeared in logs when using zlib-ng.

*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.

*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.

*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.

*) Bugfixes in HTTP/3.


nginx-1.26.3-1.fc42 nginx-mod-fancyindex-0.5.2-10.fc42 nginx-mod-modsecurity-1.0.3-16.fc42 nginx-mod-naxsi-1.6-9.fc42 nginx-mod-vts-0.2.3-3.fc42


FEDORA-2025-d5a48cff6d

Packages in this update:

nginx-1.26.3-1.fc42
nginx-mod-fancyindex-0.5.2-10.fc42
nginx-mod-modsecurity-1.0.3-16.fc42
nginx-mod-naxsi-1.6-9.fc42
nginx-mod-vts-0.2.3-3.fc42

Update description:

Changes with nginx 1.26.3 05 Feb 2025

*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).

*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.

*) Workaround: “gzip filter failed to use preallocated memory” alerts
appeared in logs when using zlib-ng.

*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.

*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.

*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.

*) Bugfixes in HTTP/3.


rust-cargo-vendor-filterer-0.5.17-2.el9 rust-eif_build-0.2.1-3.el9 rust-nu-0.99.1-7.el9 rust-openssl-0.10.70-1.el9 rust-openssl-sys-0.9.105-1.el9 rust-pore-0.1.17-5.el9 rust-sequoia-keyring-linter-1.0.1-10.el9 rust-sequoia-policy-config-0.7.0-3.el9


FEDORA-EPEL-2025-bd80ef332a

Packages in this update:

rust-cargo-vendor-filterer-0.5.17-2.el9
rust-eif_build-0.2.1-3.el9
rust-nu-0.99.1-7.el9
rust-openssl-0.10.70-1.el9
rust-openssl-sys-0.9.105-1.el9
rust-pore-0.1.17-5.el9
rust-sequoia-keyring-linter-1.0.1-10.el9
rust-sequoia-policy-config-0.7.0-3.el9

Update description:

Update the openssl crate to version 0.10.70 and the openssl-sys crate to version 0.9.105.

This includes a fix for RUSTSEC-2025-0004 / CVE-2025-0977 and rebuilds of all packages that statically link the openssl crate.


rust-cargo-vendor-filterer-0.5.17-2.el10_0 rust-openssl-0.10.70-1.el10_0 rust-openssl-sys-0.9.105-1.el10_0


FEDORA-EPEL-2025-e9d25e012d

Packages in this update:

rust-cargo-vendor-filterer-0.5.17-2.el10_0
rust-openssl-0.10.70-1.el10_0
rust-openssl-sys-0.9.105-1.el10_0

Update description:

Update the openssl crate to version 0.10.70 and the openssl-sys crate to version 0.9.105.

This includes a fix for RUSTSEC-2025-0004 / CVE-2025-0977 and rebuilds of all packages that statically link the openssl crate.


clevis-pin-tpm2-0.5.3-9.fc40 envision-2.0.0-4.20241209git2.0.0.fc40 fido-device-onboard-0.5.0-2.fc40 gotify-desktop-1.3.7-4.fc40 keylime-agent-rust-0.2.7-4.fc40 keyring-ima-signer-0.1.0-17.fc40 libkrun-1.10.1-2.fc40 rust-afterburn-5.7.0-3.fc40 rust-cargo-vendor-filterer-0.5.17-2.fc40 rust-coreos-installer-0.23.0-2.fc40 rust-eif_build-0.2.1-3.fc40 rust-gst-plugin-reqwest-0.13.3-3.fc40 rust-nu-0.99.1-7.fc40 rust-openssl-0.10.70-1.fc40 rust-openssl-sys-0.9.105-1.fc40 rust-pore-0.1.17-5.fc40 rust-rpm-sequoia-1.7.0-5.fc40 rust-sequoia-keyring-linter-1.0.1-10.fc40 rust-sequoia-octopus-librnp-1.10.0-6.fc40 rust-sequoia-policy-config-0.7.0-3.fc40 rust-sequoia-sop-0.36.0-3.fc40 rust-sequoia-sq-1.1.0-4.fc40 rust-sequoia-sqv-1.2.1-6.fc40 rust-sevctl-0.6.0-4.fc40 rust-snphost-0.5.0-3.fc40 rust-tealdeer-1.7.1-3.fc40 rustup-1.27.1-6.fc40 s390utils-2.33.1-4.fc40


FEDORA-2025-6f07616b52

Packages in this update:

clevis-pin-tpm2-0.5.3-9.fc40
envision-2.0.0-4.20241209git2.0.0.fc40
fido-device-onboard-0.5.0-2.fc40
gotify-desktop-1.3.7-4.fc40
keylime-agent-rust-0.2.7-4.fc40
keyring-ima-signer-0.1.0-17.fc40
libkrun-1.10.1-2.fc40
rust-afterburn-5.7.0-3.fc40
rust-cargo-vendor-filterer-0.5.17-2.fc40
rust-coreos-installer-0.23.0-2.fc40
rust-eif_build-0.2.1-3.fc40
rust-gst-plugin-reqwest-0.13.3-3.fc40
rust-nu-0.99.1-7.fc40
rust-openssl-0.10.70-1.fc40
rust-openssl-sys-0.9.105-1.fc40
rust-pore-0.1.17-5.fc40
rust-rpm-sequoia-1.7.0-5.fc40
rust-sequoia-keyring-linter-1.0.1-10.fc40
rust-sequoia-octopus-librnp-1.10.0-6.fc40
rust-sequoia-policy-config-0.7.0-3.fc40
rust-sequoia-sop-0.36.0-3.fc40
rust-sequoia-sq-1.1.0-4.fc40
rust-sequoia-sqv-1.2.1-6.fc40
rust-sevctl-0.6.0-4.fc40
rust-snphost-0.5.0-3.fc40
rust-tealdeer-1.7.1-3.fc40
rustup-1.27.1-6.fc40
s390utils-2.33.1-4.fc40

Update description:

Update the openssl crate to version 0.10.70 and the openssl-sys crate to version 0.9.105.

This includes a fix for RUSTSEC-2025-0004 / CVE-2025-0977 and rebuilds of all packages that statically link the openssl crate.
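The three Rust updates above all carry the same note: the fix ships in openssl 0.10.70 / openssl-sys 0.9.105, and every package that statically links the openssl crate had to be rebuilt because a Rust binary carries its own copy of the crate rather than picking up a fixed shared library. For your own Rust projects the equivalent check is to read Cargo.lock and compare the pinned versions against that floor. The following is an added example (not Fedora's tooling; `cargo audit` is the usual production tool) that does exactly that with a minimal line-based Cargo.lock parser. The Cargo.lock excerpt embedded below is constructed; the two fixed version numbers come from the update description.

```python
import re

# Versions that carry the fix, as stated in the Fedora update description.
FIXED_VERSIONS = {"openssl": "0.10.70", "openssl-sys": "0.9.105"}

# Constructed Cargo.lock excerpt for illustration (not from any listed package).
# One crate is pinned below the fixed version, one is at it, one is unrelated.
SAMPLE_CARGO_LOCK = """# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "openssl"
version = "0.10.68"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.105"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_cargo_lock(text):
    """Return a list of {"name", "version"} dicts, one per [[package]] table.

    Only the name and version keys are read; the same crate may appear more
    than once (different versions pulled in by different dependents), and
    every occurrence is returned so none is missed.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None:
            m = re.match(r'^(name|version)\s*=\s*"([^"]*)"$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return [p for p in packages if "name" in p and "version" in p]


def version_key(version):
    """Numeric tuple for ordering versions like "0.10.68".

    Pre-release and build metadata ("-beta.1", "+meta") are dropped, which is
    adequate for comparing the release versions of these crates.
    """
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def vulnerable_packages(lock_text, fixed=FIXED_VERSIONS):
    """Return (name, pinned_version, fixed_version) for every pinned crate
    that is older than the version carrying the fix."""
    findings = []
    for pkg in parse_cargo_lock(lock_text):
        fixed_in = fixed.get(pkg["name"])
        if fixed_in and version_key(pkg["version"]) < version_key(fixed_in):
            findings.append((pkg["name"], pkg["version"], fixed_in))
    return findings


if __name__ == "__main__":
    for name, pinned, fixed_in in vulnerable_packages(SAMPLE_CARGO_LOCK):
        print(f"{name} {pinned} is below the fixed version {fixed_in}")
```

Run it against a real project by reading Cargo.lock from disk and passing the text to `vulnerable_packages`; a non-empty result means the binary built from that lockfile still embeds the older crate and needs `cargo update -p openssl` (or the equivalent) and a rebuild, which is precisely why the Fedora notices list so many rebuilt packages.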
