Vulnerability Details : CVE-2020-15502
The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated "the favicon service adheres to our strict privacy policy."
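The issue is a design pattern rather than a memory bug: a favicon helper that builds a request to a remote favicon service out of the hostname of the page being visited hands that hostname to whoever runs the service. The block below is an added example (not DuckDuckGo project code, and not taken from the referenced commits) that shows the leaky pattern next to a same-origin alternative, plus a small check that flags a request URL carrying the visited host to a different server and a scan over constructed proxy log lines for .ico requests to duckduckgo.com hosts. The service hostname `icons.duckduckgo.com` and the `/ip3/<host>.ico` path shape are assumptions for illustration; the advisory only says "servers in the duckduckgo.com domain".

```python
"""Favicon-fetch hostname leak: vulnerable vs. same-origin pattern, plus detection.

Added example for the CVE-2020-15502 write-up; not code from the DuckDuckGo
apps. The favicon-service host and path layout below are assumptions.
"""
import re
from urllib.parse import quote, urlsplit

# ASSUMPTION: host and path layout of the third-party favicon service.
FAVICON_SERVICE_HOST = "icons.duckduckgo.com"


def favicon_url_remote(page_url: str) -> str:
    """Vulnerable pattern: the visited site's hostname is embedded in a
    request to a third-party service, so the service learns every host
    the user visits."""
    host = urlsplit(page_url).hostname or ""
    return f"https://{FAVICON_SERVICE_HOST}/ip3/{quote(host)}.ico"


def favicon_url_same_origin(page_url: str) -> str:
    """Hardened pattern: ask the visited site itself for /favicon.ico.
    Only the site the user is already talking to sees the request."""
    parts = urlsplit(page_url)
    host = parts.hostname or ""
    netloc = f"{host}:{parts.port}" if parts.port else host
    return f"{parts.scheme}://{netloc}/favicon.ico"


def leaks_visited_host(request_url: str, visited_host: str) -> bool:
    """True if request_url goes to a different host and carries
    visited_host in its path or query (an exact-host comparison; a
    production check would compare registrable domains instead)."""
    parts = urlsplit(request_url)
    if parts.hostname == visited_host:
        return False
    return visited_host in f"{parts.path}?{parts.query}"


def _is_duckduckgo_host(host: str) -> bool:
    return host == "duckduckgo.com" or host.endswith(".duckduckgo.com")


# Constructed proxy log (not real traffic): "<ts> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2020-07-01T10:00:01Z GET https://example.org/ 200
2020-07-01T10:00:01Z GET https://icons.duckduckgo.com/ip3/example.org.ico 200
2020-07-01T10:00:05Z GET https://intranet.corp.example/wiki 200
2020-07-01T10:00:05Z GET https://icons.duckduckgo.com/ip3/intranet.corp.example.ico 404
2020-07-01T10:00:09Z GET https://duckduckgo.com/?q=weather 200
2020-07-01T10:00:10Z GET https://example.org/favicon.ico 200
"""

_LOG_RE = re.compile(r"^\S+\s+GET\s+(\S+)")


def extract_leaked_hosts(log_text: str) -> list:
    """Scan proxy log lines for .ico requests to duckduckgo.com hosts and
    return the hostnames those requests disclose (last path segment with
    the .ico suffix removed; this relies on the assumed path layout)."""
    leaked = set()
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        host = parts.hostname or ""
        if _is_duckduckgo_host(host) and parts.path.endswith(".ico"):
            leaked.add(parts.path.rsplit("/", 1)[-1][: -len(".ico")])
    return sorted(leaked)


if __name__ == "__main__":
    page = "https://intranet.corp.example/wiki"
    print("leaky  :", favicon_url_remote(page))
    print("hardened:", favicon_url_same_origin(page))
    print("leaked hosts in log:", extract_leaked_hosts(SAMPLE_PROXY_LOG))
```

The same-origin form is the check that matters when reviewing any "asset helper" in a privacy-focused client: every URL the app builds from the current page should be inspected for whether the page's identity travels to a host the user did not choose to contact.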
Products affected by CVE-2020-15502
- cpe:2.3:a:duckduckgo:duckduckgo:*:*:*:*:*:iphone_os:*:*
- cpe:2.3:a:duckduckgo:duckduckgo:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15502
- EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~50% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-15502
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-15502
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-15502
- https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100 (Core/AppUrls.swift in duckduckgo/iOS; Third Party Advisory)
- https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88 (UriExtension.kt in duckduckgo/Android; Patch, Third Party Advisory)
- https://github.com/duckduckgo/Android/issues/527 ("Domains visited get leaked to DDG servers", duckduckgo/Android issue #527; Third Party Advisory)
- https://news.ycombinator.com/item?id=23711597 (Hacker News comment by the DuckDuckGo founder and CEO; Third Party Advisory)
- https://news.ycombinator.com/item?id=23708166 ("DuckDuckGo browser seemingly sends domains a user visits to DDG servers", Hacker News; Patch, Third Party Advisory)