
Guess who left a database wide open, exposing chat logs, API keys, and more? Yup, DeepSeek

Jan 30, 2025 - theregister.com
China-based AI company DeepSeek has developed competitive generative models but has faced significant cybersecurity issues. According to New York-based infosec firm Wiz, DeepSeek failed to secure its database infrastructure, leaving sensitive data, including chat histories, API secrets, and operational details, publicly accessible without authentication. This vulnerability allowed for potential privilege escalation and unauthorized access to sensitive information. Wiz discovered a publicly accessible ClickHouse database linked to DeepSeek, which exposed a significant volume of sensitive data, and speculated that attackers could have retrieved even more sensitive information with appropriate SQL commands.

DeepSeek quickly addressed the security flaw after being informed by Wiz. The company offers web, app, and API access to its models, logging and storing usage data on servers in China. However, its app is unavailable in Italy due to data protection concerns, and Ireland is also investigating. Additionally, DeepSeek has reportedly upset OpenAI, which suspects that DeepSeek used its GPT models to train its neural networks. Despite these challenges, DeepSeek continues to position itself as a competitor to OpenAI, with new offerings like the image-maker Janus Pro targeting DALL-E 3.

Key takeaways:

  • DeepSeek's database infrastructure was unsecured, exposing sensitive data and allowing unauthorized access.
  • Wiz discovered a publicly accessible ClickHouse database linked to DeepSeek, containing chat history, API secrets, and operational details.
  • The security lapse allowed potential privilege escalation and unauthorized SQL queries, posing significant risks.
  • DeepSeek fixed the issue after being informed, but faces scrutiny over data handling and potential misuse of OpenAI's models.
