In a concerning discovery, Wiz Research has uncovered a publicly accessible database belonging to DeepSeek, a rising Chinese AI startup. This exposure granted complete control over database operations, allowing access to internal data and exposing over a million lines of log streams containing highly sensitive information. The Wiz Research team responsibly disclosed the issue to DeepSeek, who promptly secured the vulnerability. This incident underscores the critical importance of robust security measures in the rapidly evolving AI landscape.
DeepSeek has quickly gained attention in the AI community for its advanced AI models, particularly the DeepSeek-R1 reasoning model. This model rivals leading AI systems like OpenAI's o1 in performance while offering greater cost-effectiveness and efficiency, making DeepSeek a noteworthy player in the AI space.
However, this rapid growth also brought security concerns to the forefront. The Wiz Research team initiated an assessment of DeepSeek's external security posture and swiftly identified a publicly accessible ClickHouse database linked to DeepSeek. Shockingly, this database was completely open and unauthenticated, immediately exposing sensitive data. The database was found to be hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000.
The exposed ClickHouse database contained a significant volume of chat history, backend data, and sensitive information, including:
More alarmingly, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment. An attacker could potentially retrieve sensitive logs, plaintext chat messages, plaintext passwords, and proprietary information directly from the server.
Wiz Research's reconnaissance began by assessing DeepSeek’s publicly accessible domains. Using passive and active subdomain discovery techniques, the team identified around 30 internet-facing subdomains. While most appeared benign, hosting elements like the chatbot interface and API documentation, the discovery of unusual open ports (8123 & 9000) associated with oauth2callback.deepseek.com and dev.deepseek.com raised immediate suspicion.
Further investigation revealed that these ports led to a publicly exposed ClickHouse database, accessible without any authentication. ClickHouse is a columnar database management system designed for fast analytical queries on large datasets, widely used for real-time data processing, log storage, and big data analytics.
By leveraging ClickHouse's HTTP interface, the Wiz Research team accessed the /play path, enabling direct execution of arbitrary SQL queries via the browser. A simple SHOW TABLES; query returned a full list of accessible datasets, including the highly sensitive log_stream table.
The log_stream table contained over 1 million log entries with particularly revealing columns:
This level of access posed a critical risk to DeepSeek's own security and that of its end-users. An attacker could have not only retrieved sensitive logs and chat messages but also potentially exfiltrated plaintext passwords and local files containing proprietary information using queries like SELECT * FROM file('filename').
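The root cause described above, a ClickHouse server reachable on ports 8123 and 9000 with no authentication, can be caught by auditing your own server configuration before deployment. The following is an added example, not code from Wiz Research or DeepSeek; it assumes the stock ClickHouse XML layout (listen_host, http_port, tcp_port, and per-user password and networks/ip settings), and both sample files are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample files (not DeepSeek's configuration).
SAMPLE_CONFIG = """<clickhouse>
  <listen_host>::</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""
SAMPLE_USERS = """<clickhouse><users>
  <default>
    <password></password>
    <networks><ip>::/0</ip></networks>
  </default>
  <ingest>
    <password_sha256_hex>CONSTRUCTED_PLACEHOLDER</password_sha256_hex>
    <networks><ip>10.0.0.0/8</ip></networks>
  </ingest>
</users></clickhouse>"""

# Settings that give a user some form of authentication.
HASH_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")
EXTERNAL_AUTH_TAGS = ("ldap", "kerberos", "ssl_certificates")

def has_credentials(user):
    if any((user.findtext(t) or "").strip() for t in HASH_TAGS):
        return True
    return any(user.find(t) is not None for t in EXTERNAL_AUTH_TAGS)

def allows_any_source(user):
    """True if an allowed network has prefix length 0 (::/0 or 0.0.0.0/0)."""
    for ip in user.findall("networks/ip"):
        try:
            if ipaddress.ip_network((ip.text or "").strip(), strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # not an IP network; not judged here
    return False

def audit(config_xml, users_xml):
    """Return (user, severity, ports) for every account that needs no credentials."""
    cfg, users = ET.fromstring(config_xml), ET.fromstring(users_xml).find("users")
    wildcard = any((h.text or "").strip() in ("::", "0.0.0.0") for h in cfg.findall("listen_host"))
    ports = [int(cfg.findtext(p)) for p in ("http_port", "tcp_port") if cfg.findtext(p)]
    findings = []
    for user in users:
        if not has_credentials(user):
            critical = wildcard and allows_any_source(user)
            findings.append((user.tag, "critical" if critical else "warning", ports))
    return findings
```

A "critical" finding means a passwordless account is allowed from any source address on a server bound to all interfaces; a "warning" means the account has no credentials but the bind address or allowed networks limit who can reach it.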
This incident highlights several critical takeaways for organizations adopting AI services:
The AI industry is experiencing unprecedented growth, with many companies rapidly becoming critical infrastructure providers. However, this rapid adoption often outpaces the implementation of robust security frameworks. As AI becomes increasingly integrated into businesses worldwide, the industry must recognize the risks associated with handling sensitive data and enforce security practices no less stringent than those required for public cloud providers and major infrastructure providers.