This has been discovered by the ethical hacker @cowreth, which has re-analyzed a reported failure in Github a year ago and which was downplayed, and which stated that the websites you visited by the user ended up leaking to DuckDuckGo servers.
The favicon of the websites we visit, compiled by DuckDuckGo
The failure is that the application of DuckDuckGo for Android collects all the domains that the user visits. When we visit a website, the website calls its own server or checks the local cache of the computer user to download the favicon, showing on the user’s screen either one is more recent.
The problem is that none of this is a convincing reason to store the data of the websites that users visit in a service other than the local cache of the browser. With the data, the app can organize user profiles based on their preferences, and they can also find out the IP addresses from which those pages are visited.
Its creator has recognized the flaw and promises to fix it
After the rain of criticism, the founder and CEO of DuckDuckGo, Gabriel Weinberg, states that it is the first time that he has knowledge of this failure, and that they are going to fix it immediately by storing the favicons locally on the mobile. The change says they will apply it as soon as possible.
In addition, he wanted to make it clear that have not collected any personal information in the process, that its services are encrypted, and that any personal information, such as the IP address, is always automatically discarded. However, it recognizes that the most logical thing is that this information is stored locally and that it never reaches its servers, which is why they are going to make the change as soon as possible.
It is a shame that a year has passed and complaints have had to accumulate in the media and social networks so that they have decided to implement this change. DuckDuckGo is the default search engine in browsers like Tor Browser, and therefore privacy must be guaranteed at all times.