[Ducky Research Investigation] A warning about third-party AI wrappers and services
A deep dive by Ducky Research into third-party AI service providers or "wrappers" and some of their questionable security practices
In recent years the usage of third-party AI services (often based on the OpenAI API) has become more popular. Unfortunately, many of these services are becoming increasingly sketchy and can employ questionable security and data management practices. This article is to serve as a warning against using most, but not all, of these services. We understand there are developers doing great work with AI tools; this is in no way supposed to jeopardize their work, but rather to bring awareness to companies that may not have your best interest(s) in mind. Recently Ducky Software conducted an investigation into one of these sites after a tip from a user.
Before we get started: if you or someone you know is struggling with addiction or considering self-harm of any kind, please contact your local crisis hotline. We are here for you.
Index:
1. Ad Practices & Data Management
2. Account Management and Management
3. Questionable Content
1a. Ducky Software found significant evidence that this service was sending upwards of fifteen Google AdWords cookies in a given series of API call(s) associated with a message (per message). It also found repeated evidence that users were being profiled by separate cookies that this company used for cross-site user profiling.
1b. While Ducky Software is unsure of the exact sites that are buying access to this content, we suspect (given the nature of the site) it may have been individuals in vulnerable or dangerous situations. For this reason, and for the protection of the users given the potential nature of the content, Ducky Software is not naming the brand. Regardless, this behavior is disgusting and we strongly advise taking further steps to protect your privacy when using these sites if you choose to use them.
2a. Ducky Software found repeated evidence across multiple devices that accounts that were "deleted" and then re-created (or later re-signed up for the service) maintained some of their previous "suggestions" through auto-complete, despite the fact that the account was removed. In many cases Ducky Software waited days between deleting the accounts and re-signing up. It is also important to note that this company claims no delay or recovery period when deleting an account. The text suggestions were retained even after the browser cookies, history and cache were cleared multiple times. This suggests possible fraud and (at minimum) severe compliance issues with GDPR and other international standards. The company in question was contacted; we hope they change their backend services to comply.
3. Ducky Software was able to (using default configurations) repeatedly produce outputs that we deem outside of normal operating range. We have alerted the company in question of these issues; to our knowledge they have not acted and/or did not comment.
4. If law enforcement personnel would like more information, Ducky Software is more than happy to comply. Please email us: team@ducky.software
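
One way to check a capture of your own browser traffic for the behaviour described in finding 1a: this added example (not Ducky Research's tooling or data) reads a HAR export and lists the ad-host cookies sent or set within a few seconds of each message request. The ad host list, the `/api/chat/message` path, the 5-second window and the sample capture are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: host suffixes treated as Google advertising endpoints (illustrative, not exhaustive).
AD_HOST_SUFFIXES = ("doubleclick.net", "googleadservices.com", "googlesyndication.com")
# Assumption: hypothetical path the audited site uses to submit one chat message.
MESSAGE_PATH = "/api/chat/message"
# Assumption: requests within this window after a message count as "associated" with it.
WINDOW = timedelta(seconds=5)

def is_ad_host(host):
    return any(host == s or host.endswith("." + s) for s in AD_HOST_SUFFIXES)

def ad_cookies_per_message(har):
    """Return [(message_time, sorted 'host:cookie' names)] for each message request in a HAR."""
    entries = []
    for e in har["log"]["entries"]:
        ts = datetime.fromisoformat(e["startedDateTime"].replace("Z", "+00:00"))
        url = urlsplit(e["request"]["url"])
        # Cookies the browser sent plus cookies the server set on this exchange.
        names = {c["name"] for c in e["request"].get("cookies", [])}
        names |= {c["name"] for c in e.get("response", {}).get("cookies", [])}
        entries.append((ts, url.hostname or "", url.path, names))
    entries.sort(key=lambda x: x[0])
    report = []
    for msg_ts, _host, path, _names in entries:
        if path != MESSAGE_PATH:
            continue
        seen = set()
        for ts, host, _path, names in entries:
            if msg_ts <= ts <= msg_ts + WINDOW and is_ad_host(host):
                seen |= {f"{host}:{n}" for n in names}
        report.append((msg_ts.isoformat(), sorted(seen)))
    return report

def _entry(ts, url, sent=(), set_=()):
    cookies = lambda names: [{"name": n, "value": "x"} for n in names]
    return {"startedDateTime": ts, "request": {"url": url, "cookies": cookies(sent)},
            "response": {"cookies": cookies(set_)}}

# Constructed sample capture (not data from the investigated service).
SAMPLE_HAR = {"log": {"entries": [
    _entry("2024-01-01T12:00:00.000Z", "https://chat.example.test/api/chat/message", sent=["session"]),
    _entry("2024-01-01T12:00:00.400Z", "https://ad.doubleclick.net/pixel", sent=["IDE"], set_=["test_cookie"]),
    _entry("2024-01-01T12:00:01.000Z", "https://cdn.example.test/app.js", sent=["session"]),
    _entry("2024-01-01T12:00:09.000Z", "https://ad.doubleclick.net/pixel", sent=["DSID"]),
    _entry("2024-01-01T12:01:00.000Z", "https://chat.example.test/api/chat/message", sent=["session"]),
]}}

if __name__ == "__main__":
    for when, cookies in ad_cookies_per_message(SAMPLE_HAR):
        print(when, len(cookies), cookies)
```

To run it on a real capture, export a HAR from the browser's network panel, load it with `json.load`, and set `MESSAGE_PATH` to the request your own capture shows for a message send.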