Wiz Research has identified a publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations, including the ability to access internal data.
The exposure includes over a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information. The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure.

Exposure Walkthrough
Our reconnaissance began with assessing DeepSeek’s publicly accessible domains.
By mapping the external attack surface with straightforward reconnaissance techniques (passive and active discovery of subdomains), we identified around 30 internet-facing subdomains. Most appeared benign, hosting elements like the chatbot interface, status page, and API documentation—none of which initially suggested a high-risk exposure.

However, as we expanded our search beyond standard HTTP ports (80/443), we detected two unusual, open ports (8123 & 9000) associated with the following hosts:
http://oauth2callback.deepseek.com:8123
Upon further investigation, these ports led to a publicly exposed ClickHouse database, accessible without any authentication at all – immediately raising red flags.
ClickHouse is an open-source, columnar database management system designed for fast analytical queries on large datasets. It was developed by Yandex and is widely used for real-time data processing, log storage, and big data analytics, which makes an exposed instance a highly valuable and sensitive discovery.
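The kind of check an asset owner would run against their own ClickHouse HTTP endpoints (port 8123) to confirm they do not answer queries without credentials, as an added example that is not part of Wiz's post or its tooling. It sends only the harmless query SELECT 1 and classifies the reply; ClickHouse's HTTP interface returns "1" on success and an HTTP 403 carrying exception code 516 when authentication fails, and the host name used is a placeholder.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request

CLICKHOUSE_HTTP_PORT = 8123  # HTTP interface port seen open on the exposed host

# Constructed sample replies, modelled on ClickHouse's HTTP interface behaviour.
SAMPLE_OPEN_BODY = "1\n"
SAMPLE_AUTH_FAIL_BODY = (
    "Code: 516. DB::Exception: default: Authentication failed: "
    "password is incorrect or there is no user with such name."
)


def classify_response(status: int, body: str) -> str:
    """Map an HTTP status/body pair from ClickHouse's HTTP interface to a finding.

    OPEN_NO_AUTH  - the server executed our query with no credentials supplied
    AUTH_REQUIRED - the server rejected the unauthenticated request
    UNKNOWN       - anything else (proxy, different service, odd error)
    """
    if status == 200 and body.strip() == "1":
        return "OPEN_NO_AUTH"
    if status in (401, 403) or "Code: 516" in body or "Authentication failed" in body:
        return "AUTH_REQUIRED"
    return "UNKNOWN"


def audit_clickhouse_http(host: str, port: int = CLICKHOUSE_HTTP_PORT, timeout: float = 5.0) -> str:
    """Issue SELECT 1 without credentials and report how the endpoint responds."""
    url = f"http://{host}:{port}/?" + urllib.parse.urlencode({"query": "SELECT 1"})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a ClickHouse body
        return classify_response(err.code, err.read().decode(errors="replace"))
    except (urllib.error.URLError, socket.timeout, OSError):
        return "UNREACHABLE"  # port closed, filtered, or host not resolvable


if __name__ == "__main__":
    # Hypothetical internal host; replace with hosts from your own asset inventory.
    for target in ["clickhouse.internal.example"]:
        print(target, audit_clickhouse_http(target))
```

Any OPEN_NO_AUTH result means the default user accepts queries from the network, which is the condition that turned an open port into full database access in the case above.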