A significant security breach has occurred, with the Chinese AI chatbot DeepSeek inadvertently exposing chat logs and other sensitive data in an accessible database without any authentication.
Security researchers who uncovered this flaw reported that the exposure encompassed over a million lines of log entries, which included extensive chat histories and sensitive keys.
Earlier today, it was reported that DeepSeek is facing investigations in both Europe and the United States due to privacy and national security issues. Despite being the leading app on Apple’s App Store, DeepSeek has been removed in Italy following concerns raised by the nation’s data protection authority—a precedent that may be mirrored in other nations.
Besides the risks arising from the company’s privacy measures, researchers have highlighted a critical security vulnerability. Wiz Research shares their findings below.
Wiz Research detected a publicly accessible ClickHouse database linked to DeepSeek, granting unrestricted access to all database operations, including sensitive internal data. The exposed information comprises over a million lines of log streams […]
Within just minutes, we found [the database] completely open without authentication, revealing sensitive data [including] a considerable amount of chat history, backend information, and crucial details such as log streams, API secrets, and operational insights.
The issue stemmed from the company setting up a ClickHouse database without any form of authentication.
ClickHouse is an open-source, columnar database management system tailored for rapid analytical queries across large data sets. Developed by Yandex, it is widely employed for real-time data processing, log storage, and big data analytics, which means the data held in an exposed instance is not only valuable but also extremely sensitive.
The relevant sensitive data was located within one of the database's datasets, specifically in log_stream.
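The root cause described above is a ClickHouse instance whose users are configured with no password and no network restriction. The following script is an added example, not code from the article, from Wiz Research, or from DeepSeek: it parses the classic ClickHouse users.xml layout and flags any user that has no credential configured or is allowed to connect from any network. Both configurations embedded in it are constructed samples, and the SHA-256 value in the hardened one is a placeholder, not a real hash.

```python
"""Audit a ClickHouse users.xml for the open-access pattern.

Added example (not from the article, Wiz Research, or DeepSeek). It
checks two things for every user under <users>: whether any password
element carries a value, and whether the network allow-list contains a
catch-all entry. Both sample configs below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "default" user with an empty password, reachable
# from any IPv4/IPv6 address. Once the HTTP (8123) or native (9000) port is
# exposed, this configuration lets anyone run queries without credentials.
WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

# Constructed sample: a hashed password plus an explicit network allow-list.
# PLACEHOLDER_SHA256_HEX stands in for the real SHA-256 hex digest.
HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
      <networks><ip>127.0.0.1</ip><ip>10.0.0.0/8</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
    </default>
  </users>
</clickhouse>"""

# Catch-all network entries that make a user reachable from anywhere.
ANY_NETWORK = {"::/0", "0.0.0.0/0"}
# Credential elements ClickHouse accepts in users.xml.
PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def audit_users_xml(xml_text):
    """Return a list of (user, reason) findings for an entire users.xml.

    Only explicitly configured values are examined; a user with no
    <networks> element at all is not flagged by this check.
    """
    root = ET.fromstring(xml_text)
    users = root.find("users")
    findings = []
    if users is None:
        return findings
    for user in users:
        name = user.tag
        # A credential exists when any password element has non-empty text.
        has_credential = any(
            (user.findtext(tag) or "").strip() for tag in PASSWORD_TAGS
        )
        nets = [ip.text.strip() for ip in user.findall("networks/ip") if ip.text]
        if not has_credential:
            findings.append((name, "no password configured"))
        if any(net in ANY_NETWORK for net in nets):
            findings.append((name, "reachable from any network"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(label, audit_users_xml(cfg) or "no findings")
```

Running the script against the two samples reports both the missing password and the catch-all network for the weak configuration and nothing for the hardened one. On a real deployment the same check belongs in configuration review alongside confirming that listen_host in config.xml does not bind the service to a public interface.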
Wiz Research could not identify a security contact for the company, so it contacted every available email address to disclose its findings. DeepSeek has since taken measures to secure the database.