Vulnerability Description
The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. In practice the hostname of each site the user visits is disclosed to DuckDuckGo's favicon service rather than staying between the device and the visited site. NOTE: the vendor has stated "the favicon service adheres to our strict privacy policy."
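As an added example (not code from DuckDuckGo or from this advisory), the following Python scans constructed proxy-log lines for .ico requests to a favicon service that carry a different site's hostname in the request path, which is the traffic pattern the description above refers to. The log format, the `icons.duckduckgo.com` host and the `/ip3/<host>.ico` path shape are assumptions for illustration; the advisory states only that hostnames travel inside HTTPS .ico requests to servers in the duckduckgo.com domain. Full URLs of HTTPS requests are visible only where TLS is terminated (an inspecting proxy, or the app's own request logging), which the sample log assumes.

```python
"""Flag favicon-proxy requests that embed a visited site's hostname.

Added example, not DuckDuckGo's code. The log format and the path shape
(/ip3/<host>.ico on icons.duckduckgo.com) are assumptions; the advisory
only says hostnames travel in HTTPS .ico requests to duckduckgo.com.
"""
import re
from urllib.parse import urlsplit

# Something that looks like a dotted hostname, e.g. "bank.example.com".
HOSTNAME_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def parent_domain(host, labels=2):
    """Last `labels` DNS labels of a host ("icons.duckduckgo.com" -> "duckduckgo.com")."""
    return ".".join(host.lower().split(".")[-labels:])


def third_party_hosts_in_ico_request(url, favicon_service="duckduckgo.com"):
    """Return hostnames (sorted) that an .ico request to the favicon service
    carries in its path or query and that belong to some other domain.

    Returns [] for requests to other hosts, for non-.ico paths, and for
    the service's own /favicon.ico (no foreign hostname in the path).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return []
    if parent_domain(parts.hostname or "") != favicon_service:
        return []
    if not parts.path.lower().endswith(".ico"):
        return []
    leaked = set()
    for token in HOSTNAME_RE.findall(parts.path + " " + parts.query):
        token = token.lower().rstrip(".")
        if token.endswith(".ico"):          # "bank.example.com.ico" -> "bank.example.com"
            token = token[:-4]
        if "." not in token:                # bare "favicon" is not a hostname
            continue
        if parent_domain(token) != favicon_service:
            leaked.add(token)
    return sorted(leaked)


def scan_proxy_log(lines):
    """Return (client, url, leaked_hosts) for each line that leaks a hostname.

    Expected line shape (assumed): '<timestamp> <client_ip> <method> <url>'.
    """
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        leaked = third_party_hosts_in_ico_request(url)
        if leaked:
            findings.append((client, url, leaked))
    return findings


# Constructed sample log: two direct favicon fetches (fine) and two
# requests that carry the visited hostname to the favicon service (flagged).
SAMPLE_LOG = """\
2020-07-01T10:00:01Z 10.0.0.5 GET https://bank.example.com/favicon.ico
2020-07-01T10:00:02Z 10.0.0.5 GET https://icons.duckduckgo.com/ip3/bank.example.com.ico
2020-07-01T10:00:03Z 10.0.0.7 GET https://duckduckgo.com/favicon.ico
2020-07-01T10:00:04Z 10.0.0.7 GET https://icons.duckduckgo.com/ip3/intranet.corp.example.ico
""".splitlines()


if __name__ == "__main__":
    for client, url, hosts in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} disclosed {', '.join(hosts)} via {url}")
```

The detector keys on two conditions together: the request goes to the favicon-service domain, and the .ico path names a host outside that domain. A direct `https://<site>/favicon.ico` fetch, which is how a browser obtains an icon without involving a third party, is not flagged, and neither is the service's own favicon.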
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Duckduckgo | Duckduckgo | Android | <= 5.58.0 |
| Duckduckgo | Duckduckgo | iOS | <= 7.47.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b (Patch, Third Party Advisory)
- https://github.com/duckduckgo/Android/issues/527 (Third Party Advisory)
- https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/ (Third Party Advisory)
- https://news.ycombinator.com/item?id=23708166 (Patch, Third Party Advisory)
- https://news.ycombinator.com/item?id=23711597 (Third Party Advisory)
FAQ
What is CVE-2020-15502?
CVE-2020-15502 is a vulnerability with a CVSS base score of 7.5 (HIGH). The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. The vendor has stated that "the favicon service adheres to our strict privacy policy."
How severe is CVE-2020-15502?
CVE-2020-15502 has been rated HIGH with a CVSS base score of 7.5/10. This page lists only the base score and rating, not the full CVSS vector. The impact described is disclosure of visited hostnames to the favicon service, a confidentiality issue; no integrity or availability impact is described.
Is there a patch for CVE-2020-15502?
The references tagged Patch point to the fixing commit in the duckduckgo/Android repository and to the Hacker News discussion; a commit in the duckduckgo/iOS repository is also listed. The affected ranges are through 5.58.0 for Android and through 7.47.1.0 for iOS, so later releases are outside the affected range given in the description. Affected products: DuckDuckGo for Android (<= 5.58.0) and DuckDuckGo for iOS (<= 7.47.1.0).