Wiz, a New York-based cloud security startup, identified a publicly accessible ClickHouse database belonging to DeepSeek, exposing sensitive data such as chat histories and API secrets. The database was completely open and unauthenticated, allowing full control over operations. Wiz responsibly disclosed the issue to DeepSeek, which quickly secured the data. ClickHouse, developed by Yandex, is essential for data processing and analytics. DeepSeek, an AI firm from Hangzhou, China, recently launched an advanced reasoning model competing with OpenAI's offerings.
The exposure provided complete control over the database and the possibility of privilege escalation within the DeepSeek environment, with no authentication or protective measures.
Wiz began their reconnaissance by examining the publicly available domains of DeepSeek, identifying approximately 30 internet-facing subdomains.
This database contained significant volumes of chat history, backend data, and sensitive information, including log streams, API secrets, and operational details.
DeepSeek is an AI company based out of Hangzhou, China, which has launched the DeepSeek-R1 reasoning model, rivalling OpenAI's o1 in performance.
Collection
[
|
...
]