MEDIUM 5.3

CVE-2020-25900: HelloTalk Location Privacy Flaw – Unintended GPS Exposure

HelloTalk, a language exchange and social networking application, contains a privacy flaw in versions through 3.4.1 where the app stores precise GPS coordinates even when users intend to share only their country or city location. These full-precision coordinates are inadvertently saved to a local database accessible by other users' clients. While the client-side database was encrypted in a 2019 update, the vulnerability persists in how location data is initially processed and stored, creating an unintended disclosure of user whereabouts to a level of granularity the user did not authorize.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-359
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. (The client side was changed in 2019 to encrypt that database.)

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2020-25900 is a privacy and information disclosure vulnerability stemming from improper handling of location data in HelloTalk through version 3.4.1. When a user selects a reduced-precision location share (country or city level), the application internally captures and persists the full GPS latitude and longitude coordinates to a client-side database. This database is accessible to other users' client instances, bypassing the user's intent to limit location visibility. The issue is classified as CWE-359 (Privacy Violation), reflecting inadequate privacy controls over sensitive personal information. Although client-side encryption was introduced in 2019, the vulnerability relates to data handling prior to or outside that encryption layer.

Business impact

For HelloTalk and its user community, this vulnerability undermines trust in location privacy controls. Users who believe they are sharing only a city or country location are unknowingly exposing precise GPS data to other users, elevating the risk of physical stalking, harassment, or location-based targeting. Organizations operating location-based social networks face reputational damage, potential regulatory scrutiny under GDPR and similar privacy frameworks, and user attrition. The flaw is particularly sensitive given HelloTalk's global user base and language learner demographic, which may include minors in some jurisdictions.

Affected systems

HelloTalk versions 3.4.1 and earlier are affected. The vulnerability affects both Android and iOS clients that implement the location-sharing feature with reduced-precision options. Any user account that has ever enabled location visibility—even with a city or country selection—may have had precise coordinates persisted to the app's database. Other users whose clients have synchronized that database are at risk of viewing those coordinates.

Exploitability

The vulnerability does not require authentication bypass or complex exploitation techniques. Any HelloTalk user with access to another user's location data through the app's normal functionality can inadvertently view the high-precision coordinates. The CVSS 3.1 score of 5.3 (Medium) reflects a network-based attack vector with low complexity and no user interaction required—indicating that the unintended exposure occurs passively during normal app operation. No active exploitation or malicious intent is necessary; the flaw manifests through the app's design.

Remediation

Users of HelloTalk should update to a version beyond 3.4.1 as soon as available. The vendor should issue a patch that enforces precision reduction at the data storage layer, ensuring that only the user-selected location precision (country, city, or full coordinates) is retained in the database. A privacy audit of existing stored data may be warranted to understand the scope of exposure. Users concerned about past exposure should review their location sharing settings and consider disabling location visibility until a patched version is deployed.

Patch guidance

Verify the HelloTalk app store listing (both Google Play and Apple App Store) for available updates beyond version 3.4.1. Security patches addressing this vulnerability should be clearly documented in release notes as fixing a location privacy issue. Organizations managing HelloTalk deployments should enforce automatic app updates or block usage of version 3.4.1 and earlier until a patched build is verified. Confirm with the vendor that the patch addresses CWE-359 and location data truncation at the storage layer.

Detection guidance

Organizations can monitor HelloTalk version adoption through mobile device management (MDM) systems to identify devices running 3.4.1 or earlier. On the user side, review location permissions in app settings: if HelloTalk requests fine location access but you have selected city-level visibility, this is a sign the flaw may be present. Privacy auditors can request HelloTalk to disclose whether existing databases contain full-precision coordinates for users who selected reduced-precision shares. Log analysis of app version deployments can identify which user populations remain on vulnerable builds.

Why prioritize this

Although this vulnerability carries a Medium CVSS score and is not on the KEV catalog, it warrants prioritization for privacy-conscious organizations and those handling sensitive user bases. The ease of exploitation (no special tools or authentication), combined with the sensitive nature of location data and potential for real-world harm (stalking, harassment), makes it a strong candidate for timely patching. Organizations with policies requiring user location safety or GDPR compliance should treat this as a near-term remediation priority.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a low-complexity, network-based privacy disclosure affecting a single user (user confidentiality only, no integrity or availability impact). The vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N indicates that no privileges or user interaction are needed to trigger the flaw—it occurs during normal app operation. The score does not capture real-world harm potential (physical danger from location exposure) or regulatory consequences, which may justify a higher business risk even if the technical CVSS remains at 5.3.

Frequently asked questions

Can I be harmed if my HelloTalk account has location sharing enabled?

Yes. If you have enabled location sharing on HelloTalk version 3.4.1 or earlier and selected city or country visibility, the app may store and expose your precise GPS coordinates to other users regardless of your choice. This increases the risk of physical stalking, harassment, or unwanted tracking. Disable location sharing until you can update the app.

Does the 2019 encryption update protect me from this vulnerability?

The 2019 client-side encryption protects the database in transit or at rest, but does not prevent the app from storing full-precision coordinates in the first place when you selected reduced precision. Encryption is a necessary but insufficient fix; the real remedy is preventing high-precision data from being stored when the user did not authorize it.

Is this vulnerability being exploited in the wild?

There is no evidence of active exploitation in the wild, and this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the flaw is inherent to the app's design, so exposure is passive and ongoing for affected users. The risk is primarily from other users within the HelloTalk ecosystem, not external attackers.

What should organizations do if employees use HelloTalk?

Organizations should block or deprecate HelloTalk versions through 3.4.1 via mobile device management (MDM) policies, or require employees to update immediately. If HelloTalk is used for business purposes, consider whether location sharing is necessary. Alternatively, restrict usage to patched versions only and review HelloTalk's privacy policies for compliance with company data handling standards.

This analysis is based on publicly available vulnerability data and CVE records current as of the publish date. Patch availability, version numbers, and vendor timeline information should be verified against official HelloTalk release notes and security advisories. The business and privacy risk assessment reflects industry best practices but may vary depending on organizational context and regulatory obligations. No warranty or liability is expressed or implied for actions taken in reliance on this information. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).