Pierluigi Paganini January 30, 2025

Chinese AI platform DeepSeek has publicly exposed two databases containing highly sensitive user and backend details.

Wiz Research discovered a publicly accessible ClickHouse database belonging to DeepSeek, exposing chat history, secret keys, and backend details. After responsible disclosure, DeepSeek promptly secured the issue.

“Within minutes, we found a publicly accessible ClickHouse database linked to DeepSeek, completely open and unauthenticated, exposing sensitive data. It was hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000.” reads the report published by Wiz.

“This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details.”

The researchers noted that the leak could have allowed attackers to take full control of the database and potentially escalate privileges within the DeepSeek environment, without any authentication.

Researchers discovered two unusual open ports (8123 and 9000) on DeepSeek’s servers, which provided access to a publicly exposed ClickHouse database without authentication, raising significant security concerns.

The experts used ClickHouse’s HTTP interface and accessed the /play path to execute arbitrary SQL queries via the browser.  

Upon executing a SHOW TABLES; query, the researchers obtained the full list of datasets, including a log_stream table with over one million log entries containing highly sensitive data. The table included the following columns:

• timestamp – Logs dating from January 6, 2025 
• span_name – References to various internal DeepSeek API endpoints 
• string.values – Plaintext logs, including Chat History, API Keys, backend details, and operational metadata 
• _service – Indicating which DeepSeek service generated the logs 
• _source – Exposing the origin of log requests, containing Chat History, API Keys, directory structures, and chatbot metadata logs 

The researchers explained they did not execute intrusive queries beyond enumeration to preserve ethical research practices.

“This level of access posed a critical risk to DeepSeek’s own security and for its end-users. Not only an attacker could retrieve sensitive logs and actual plain-text chat messages, but they could also potentially exfiltrate plaintext passwords and local files along propriety information directly from the server using queries like: SELECT * FROM file(‘filename’) depending on their ClickHouse configuration.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DeepSeek)