VYPR
← All advisories
Medium severity5.3NVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2020-25900

CVE-2020-25900

Description

HelloTalk versions up to 3.4.1 leak precise GPS coordinates to other users' local databases, even when only country/city sharing was intended.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HelloTalk versions up to 3.4.1 leak precise GPS coordinates to other users' local databases, even when only country/city sharing was intended.

Vulnerability

HelloTalk for Android versions up to and including 3.4.1 stored full-precision GPS coordinates in an unencrypted SQLite database within the htbackup/ directory on the client. This occurred even when users intended to share only their country or city, and the coordinates were accessible to other users' client-side databases [1].

Exploitation

An attacker with the HelloTalk application installed would need to view the profile of a victim user. The precise GPS coordinates of the victim, regardless of their privacy settings, would then be stored in the attacker's local htbackup/ database. No network access or special privileges are required beyond using the application normally [1].

Impact

Attackers could obtain the precise GPS coordinates of other users, potentially revealing their home addresses or other sensitive location information. This constitutes a significant disclosure of personally identifiable information (PII) [1].

Mitigation

The local database file under htbackup/ was encrypted in a release rolled out around August 2019. The vendor did not publish an exact fixed version number, but the issue was no longer reproducible by the time of the CVE request in 2020 [1].

References
  1. HelloTalk Precise GPS Location Disclosure via Unencrypted Local Database (CVE-2020-25900)

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.