In a significant security breach, the Chinese AI chatbot DeepSeek has inadvertently exposed its chat history and other sensitive information in a publicly accessible database without any form of authentication.
According to the security experts who uncovered this vulnerability, the data leak encompasses over a million lines of log entries, detailing chat interactions and confidential keys.
Earlier today, we reported that DeepSeek is facing scrutiny in both Europe and the United States due to privacy and national security issues. Despite still being a popular choice in the Apple App Store, the app has been pulled from circulation in Italy following concerns raised by the nation’s privacy authority, a decision that may be echoed by other countries.
Aside from the concerns about the company's privacy protections, security researchers have disclosed a critical security flaw. Wiz Research shared its findings:
Wiz Research has discovered a publicly available ClickHouse database that belongs to DeepSeek, granting complete access to database operations, including sensitive internal data. The exposed information contains over a million lines of log streams […]
We quickly found that the database was entirely unprotected and open, revealing sensitive information that included a substantial amount of chat history, backend data, and critical details like log streams, API secrets, and operational specifics.
The issue arose from the company establishing a ClickHouse database without implementing any security measures.
ClickHouse is an open-source, columnar database management system optimized for fast analytical queries over large datasets. Created by Yandex, it is commonly used for real-time data processing, log storage, and large-scale analytics, which is exactly the kind of data that makes an exposure of this sort so sensitive.
The sensitive data sat in one of the database's tables, log_stream.
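The flaw described above is a server reachable from the internet with an account that needs no password. As an added illustration (not code from the article or from Wiz Research), the script below audits a ClickHouse `users.xml` for that combination: a user with no credential configured, a `networks` block that admits any address (`::/0` or `0.0.0.0/0`), and `access_management` switched on for such an account. Both sample configurations are constructed for the example; the `PLACEHOLDER_SHA256_HEX` value stands in for a real password hash. Treating a missing `<networks>` element as open is a conservative assumption of this checker, not a statement about the deployment in the article.

```python
"""Audit a ClickHouse users.xml for password-less accounts reachable from anywhere."""
import xml.etree.ElementTree as ET

# Constructed sample: an installation left as shipped, no password, any network.
WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
      <access_management>1</access_management>
    </default>
  </users>
</clickhouse>"""

# Constructed sample: the same account hardened (hash placeholder, private range only).
HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
      <networks><ip>10.0.0.0/8</ip></networks>
      <profile>default</profile>
      <quota>default</quota>
      <access_management>0</access_management>
    </default>
  </users>
</clickhouse>"""

ANY_NETWORK = {"::/0", "0.0.0.0/0"}

# Elements that count as "some credential is configured" for a user.
CREDENTIAL_TAGS = (
    "password", "password_sha256_hex", "password_double_sha1_hex",
    "ldap", "kerberos", "ssl_certificates",
)


def has_credential(user_el):
    """True if the user element configures any non-empty authentication method."""
    for tag in CREDENTIAL_TAGS:
        el = user_el.find(tag)
        if el is None:
            continue
        if tag == "password":
            # A present but empty <password/> is the same as no password.
            if (el.text or "").strip():
                return True
        else:
            return True
    return False


def audit_users_xml(xml_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    root = ET.fromstring(xml_text)
    users = root.find("users")
    findings = []
    if users is None:
        return findings
    for user in users:
        name = user.tag
        nets = [ip.text.strip() for ip in user.findall("networks/ip") if ip.text]
        # Assumption of this checker: no <networks> at all is treated as open.
        open_net = not nets or any(n in ANY_NETWORK for n in nets)
        cred = has_credential(user)
        if not cred:
            findings.append(f"{name}: no credential configured")
        if open_net:
            findings.append(f"{name}: reachable from any network ({', '.join(nets) or 'no networks element'})")
        am = user.find("access_management")
        if am is not None and (am.text or "").strip() == "1" and not cred:
            findings.append(f"{name}: access_management enabled on a password-less account")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(label, audit_users_xml(cfg) or "OK")
```

Run against the weak sample the checker reports three findings for the `default` user; the hardened sample produces none. The same function can be pointed at a real `users.xml` read from disk, since it only inspects the document structure.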
Wiz was unable to find a designated security contact to report the issue, ultimately resorting to sending numerous emails to different addresses associated with the company to communicate their discovery. DeepSeek has since secured the vulnerable database.