Days after a major cyber attack of unknown provenance caused significant disruption for users of emergent Chinese generative artificial intelligence (GenAI) model DeepSeek, persistent security issues continue to dog the fast-growing application, and reports are emerging of a fundamental lack of attention paid to basic cyber security measures at DeepSeek itself.
This is according to researcher Gal Nagli of Wiz, a cloud security specialist, who on Wednesday 29 January published details of a publicly accessible DeepSeek database containing a trove of data, which he said enabled full control over database operations.
Nagli said he was motivated to assess DeepSeek’s external cyber security posture and identify possible vulnerabilities in light of the platform’s meteoric rise to global prominence.
“Within minutes, we found a publicly accessible ClickHouse database linked to DeepSeek, completely open and unauthenticated, exposing sensitive data. It was hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000,” said Nagli.
“This database contained a significant volume of chat history, back-end data and sensitive information, including log streams, API secrets, and operational details.
“More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defence mechanism to the outside world,” he added.
Nagli found the exposed database through a standard mapping exercise of DeepSeek’s publicly accessible domains. He found about 30 internet-facing subdomains, most of which were benign, but on expanding his search beyond standard HTTP ports 80 and 443, he found two open ports, 8123 and 9000, associated with the vulnerable hosts.
Leveraging ClickHouse’s HTTP interface, he was then able to access a specific path that enabled direct execution of arbitrary SQL queries in a web browser; running a ‘show tables’ query returned the list of exposed datasets.
“This level of access posed a critical risk to DeepSeek’s own security and for its end-users. Not only could an attacker retrieve sensitive logs and actual plain text chat messages, but they could also potentially exfiltrate plain text passwords and local files along with proprietary information directly from the server … depending on their ClickHouse configuration,” said Nagli.
Nagli informed DeepSeek of the exposed ClickHouse service through responsible disclosure channels, and Computer Weekly understands it has now been locked down.
ClickHouse is an open source database management tool used for processing, log storage and analytics. It was initially developed at Yandex in Russia, although it is now based in Silicon Valley.
William Wright, CEO of Closed Door Security, a consultancy based in Scotland’s Western Isles, said the issues were highly concerning given DeepSeek was giving some of the world’s most well-established AI leaders a run for their money.
“Security must be a priority, but leaving a database like this exposed is a rookie mistake,” he said. “In the last week, DeepSeek has been thrust into the public eye, but the company is clearly now learning that not all publicity is good publicity.
“Having plain text conversations in a public-facing database could provide criminals with access to confidential information relating to businesses and individuals. Criminals could also exploit further commands to steal more information from users, which would put them at even greater risk.
“This is also one of the key reasons why organisations must run proactive assessments across their networks, so weaknesses can be identified and mitigated before they are exposed by researchers or threat actors,” said Wright.
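A configuration audit for the class of exposure described above, as an added example that is not from Wiz, DeepSeek or Computer Weekly: it flags a ClickHouse server that listens on every interface while a user has no password and no source-address restriction. The `config.xml` and `users.xml` fragments are constructed samples, and checking only password-style credentials is a simplifying assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples (not DeepSeek's files): a server bound to every interface
# with the default user left passwordless and reachable from any address.
CONFIG_XML = """<clickhouse>
  <listen_host>::</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""
USERS_XML = """<clickhouse><users>
  <default><password></password><networks><ip>::/0</ip></networks></default>
  <etl><password_sha256_hex>PLACEHOLDER_HASH</password_sha256_hex>
       <networks><ip>10.0.0.0/8</ip></networks></etl>
</users></clickhouse>"""
# Assumption: only password-style credentials are checked (no LDAP, Kerberos, certs).
CREDENTIAL_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")

def exposed_listeners(config_xml):
    """Return (setting, port) pairs served on a wildcard listen_host."""
    root = ET.fromstring(config_xml)
    wildcard = False
    for host in root.findall("listen_host"):
        try:
            wildcard |= ipaddress.ip_address((host.text or "").strip()).is_unspecified
        except ValueError:
            pass  # hostnames are not resolved or judged here
    if not wildcard:  # no listen_host at all means the localhost-only default
        return []
    return [(tag, int(root.findtext(tag)))
            for tag in ("http_port", "tcp_port") if root.findtext(tag)]

def open_users(users_xml):
    """Return users with no credential set and a network rule matching any source."""
    found = []
    for user in ET.fromstring(users_xml).find("users"):
        has_secret = any((user.findtext(t) or "").strip() for t in CREDENTIAL_TAGS)
        nets = [(n.text or "").strip() for n in user.findall("networks/ip")]
        anywhere = any(ipaddress.ip_network(n, strict=False).prefixlen == 0 for n in nets if n)
        if anywhere and not has_secret:
            found.append(user.tag)
    return found

def audit(config_xml, users_xml):
    """Critical only when an open listener and an open user coincide."""
    listeners, users = exposed_listeners(config_xml), open_users(users_xml)
    return {"listeners": listeners, "users": users, "critical": bool(listeners and users)}

if __name__ == "__main__":
    print(audit(CONFIG_XML, USERS_XML))
```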