NVD Vulnerability Detail

CVE-2020-15502

Summary	The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated "the favicon service adheres to our strict privacy policy.
Publication Date	July 2, 2020, 8:15 p.m.
Registration Date	Jan. 26, 2021, 11:53 a.m.
Last Update	Nov. 21, 2024, 2:05 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:duckduckgo:duckduckgo::::::iphone_os::*		7.47.1.0
cpe:2.3:a:duckduckgo:duckduckgo::::::android::*		5.58.0

Related information, measures and tools

No	URL	タグ
1	https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88	Patch Third Party Advisory
2	https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88	Patch Third Party Advisory
3	https://github.com/duckduckgo/Android/issues/527	Third Party Advisory
4	https://github.com/duckduckgo/Android/issues/527	Third Party Advisory
5	https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100	Third Party Advisory
6	https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100	Third Party Advisory
7	https://news.ycombinator.com/item?id=23708166	Patch Third Party Advisory
8	https://news.ycombinator.com/item?id=23708166	Patch Third Party Advisory
9	https://news.ycombinator.com/item?id=23711597	Third Party Advisory
10	https://news.ycombinator.com/item?id=23711597	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html

JVN Vulnerability Information

Android および iOS 用 DuckDuckGo アプリケーションにおける情報漏えいに関する脆弱性

Title	Android および iOS 用 DuckDuckGo アプリケーションにおける情報漏えいに関する脆弱性
Summary	未確定本件は、脆弱性として確定していません。 Android および iOS 用 DuckDuckGo アプリケーションには、情報漏えいに関する脆弱性が存在します。ベンダは、本脆弱性に対して異議を唱えています。詳細については、以下の NVD の Current Description を確認してください。 https://nvd.nist.gov/vuln/detail/CVE-2020-15502
Possible impacts	情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	May 17, 2020, midnight
Registration Date	Aug. 21, 2020, 4:24 p.m.
Last Update	Aug. 21, 2020, 4:24 p.m.

Affected System

DuckDuckGo

DuckDuckGo 1.0.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-15502	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15502
National Vulnerability Database (NVD)
2	CVE-2020-15502	https://nvd.nist.gov/vuln/detail/CVE-2020-15502

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
GitHub
1	Android/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt	https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88
2	Domains visited get leaked to DDG servers #527	https://github.com/duckduckgo/Android/issues/527
3	iOS/Core/AppUrls.swift	https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100

その他

No	Name	URL
関連文書
1	DuckDuckGo browser seemingly sends domains a user visits to DDG servers (github.com)	https://news.ycombinator.com/item?id=23708166

Change Log

No	Changed Details	Date of change
1	[2020年08月21日] 掲載	Aug. 21, 2020, 4:24 p.m.