CVE-2020-25900 PUBLISHED

Assigner: mitre
Reserved: 24.09.2020 Published: 05.06.2026 Updated: 05.06.2026

HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. (The client side was changed in 2019 to encrypt that database.)

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	HelloTalk
Product	HelloTalk
Versions	Default: unknown affected from 0 to 3.4.1 (incl.)

References

https://isopach.dev/CVE-2020-25900/

Problem Types

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor CWE