Wiz Research has identified a clickhouse database accessible to the public belonging to Deepseek, which allows complete control of database operations, including the possibility of accessing internal data. The exhibition includes more than a million newspaper flow lines containing cat history, secret keys, backend details and other very sensitive information. The WIZ research team immediately and responsible the problem at Deepseek, who quickly obtained the exhibition.
In this blog article, we will detail our discovery and also consider the broader implications for industry as a whole.
Deepseek, a Chinese AI startup, recently drew significant media attention due to its influence models on AI, in particular the Deepseek-R1 reasoning model. This model competes with head AI systems like O1 of Openai in performance and is distinguished by its profitability and efficiency.
As Deepseek has made waves in AI space, the Wiz research team has decided to assess their external security posture and identify all potential vulnerabilities.
In a few minutes, we found a clickhouse database accessible to the public linked to Deepseek, completely open and not authenticated, exhibiting sensitive data. He was hosted on oauth2Callback.deepseek.com:9000 and Dev.deepseek.com:9000.
This database contained a large volume of chat history, backend data and sensitive information, including newspaper flows, API secrets and operational details.
More critical, the exposure allowed a complete control of the database and an escalation of potential privileges in the Deepseek environment, without any authentication or defense mechanism to the outside world.
Our recognition began by assessing the areas accessible to the DEEPSEEK public. By mapping the external attack surface with simple recognition techniques (passive and active discovery of sub-domains), we have identified around 30 internet oriented sub-domains. Most appeared benign, hosting elements such as the chatbot interface, the state page and the documentation of the API, none of which has initially suggested high -risk exposure.
However, while we extend our research beyond the standard HTTP ports (80/443), we detected two Unusual and open ports (8123 and 9000) Associated with the following hosts:
After a more in -depth investigation, these ports led to a Publicly exposed clickhouse databaseAccessible without any authentication – immediately increasing the red flags.
Clickhouse is a database management system in open source chronicle designed for rapid analytical requests on large data sets. It has been developed by Yandex and is widely used for the processing of real -time data, the storage of newspapers and the analysis of megadata, which indicates such an exposure as a very precious and sensitive discovery.
By taking advantage of the HTTP interface of Clickhouse, we have accessed the path / game, which Authorized direct execution of arbitrary SQL requests via the browser. Execute a simple show tables; Query has returned a complete list of accessible data sets.
Among them, a table stood out: log_stream, which contained extensive newspapers with very sensitive data.
The Log_Stream Content table More than a million newspaper entriesWith particularly revealing columns:
-
Horodat – newspapers dating back January 6, 2025
-
span_name – references to various DEEPSEEK API termination points
-
String.Values- Clear text newspapersincluding Cat history,, API keys, backend details and operational metadata
-
_Service – indicating which Deep service generated newspapers
-
_Source – Expose the Origin of newspaper requestscontainer Cat history, API keys, repertoire structures and chatbot metadata newspapers
This level of access posed a critical risk for the security of Deepseek and for its end users. Not only can an attacker recover sensitive newspapers and chat messages in real raw text, but they could also exfiltrate the passwords in text in clear and local files along property information directly from the server using queries like: Select * From File (‘File name’) according to their click configuration.
(Note: we have not executed intrusive requests beyond enumeration to preserve ethical research practices.)
The rapid adoption of IA services without corresponding security is intrinsically risky. This exhibition highlights the fact that the immediate security risks for AI applications arise from the infrastructure and the tools that support them.
Although a large part of AI security attention focuses on futuristic threats, real dangers often come from basic risks, such as accidental external exposure of databases. These risks, which are fundamental to security, should remain an absolute priority for security teams.
While organizations rush to adopt AI tools and services from an increasing number of startups and suppliers, it is essential to remember that by doing this, we entrust these companies sensitive data. The rapid pace of adoption often leads to neglecting security, but the protection of customer data must remain absolute priority. It is crucial that the security teams work closely with AI engineers to ensure visibility in the architecture, tools and models used, so that we can protect the data and prevent exposure.
The world has never seen an element of technology adopted at the rate of AI. Many AI companies quickly transformed into critical infrastructure providers without security executives who generally accompany such widespread adoptions. While AI is deeply integrated into businesses around the world, industry must recognize the risk of sensitive data management and apply security practices with that required for public cloud suppliers and the main infrastructure providers.