CVE-2020-15502
HIGH
DuckDuckGo <5.58.0 (Android) & <7.47.1.0 (iOS) - Visited Hostnames Exposure via Favicon HTTPS
Title source: llm
Description
The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated "the favicon service adheres to our strict privacy policy."
References (5)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88
Third Party Advisory x_refsource_misc
https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100
Patch, Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=23708166
Third Party Advisory x_refsource_misc
https://github.com/duckduckgo/Android/issues/527
Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=23711597
Scores
CVSS v3
7.5
EPSS
0.0153
EPSS Percentile
71.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
duckduckgo/duckduckgo
< 5.58.0
duckduckgo/duckduckgo
< 7.47.1.0
Published
Jul 02, 2020
Tracked Since
Feb 18, 2026