TCL Devices Vulnerable to ICCID Leak Through High-Privilege Process
CVE-2023-38296

Currently unrated

Key Information:

Vendor: TCL
CVE Published: 22 April 2024

What is CVE-2023-38296?

Certain builds of the TCL 30Z and TCL A3X devices inadvertently expose the ICCID (Integrated Circuit Card Identifier) because of a misconfiguration in the system properties. Any local application on the device can read this sensitive identifier without requiring any special permissions or privileges. Android 10 and higher prevent third-party applications from accessing non-resettable device identifiers, but in this case a high-privilege process discloses the ICCID, which gives applications indirect access to it. The affected builds are identified by specific software build fingerprints for both the TCL 30Z and TCL A3X models. Exploitation of this flaw poses a risk to user privacy and highlights potential weaknesses in the device security architecture.
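One way to audit a build for this class of leak is to scan a saved `getprop` dump for ICCID-shaped values. This is an added example, not code from the advisory or from TCL. It assumes the usual ICCID shape (prefix 89, 19 or 20 digits, Luhn check digit); the property names and values in the sample are constructed, since the page does not name the affected property.

```python
import re

# One line of `getprop` output looks like: [key]: [value]
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")
# Assumption: ICCIDs start with the telecom prefix 89 and are 19 or 20 digits.
ICCID_LIKE = re.compile(r"(?<!\d)89\d{17,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_iccid_props(getprop_dump: str):
    """Return (property, masked value, luhn_valid) for ICCID-shaped values."""
    findings = []
    for line in getprop_dump.splitlines():
        m = PROP_LINE.match(line.strip())
        if not m:
            continue
        for cand in ICCID_LIKE.findall(m["value"]):
            # Mask the value so the audit report does not repeat the leak.
            masked = cand[:6] + "*" * (len(cand) - 6)
            findings.append((m["key"], masked, luhn_ok(cand)))
    return findings


# Constructed sample dump; keys and values are illustrative only.
SAMPLE_DUMP = """\
[ro.product.model]: [ExampleModel]
[ro.build.date.utc]: [1690000000]
[vendor.example.sim.iccid]: [8901260123456789011]
[persist.example.counter]: [8901260123456789012]
"""

if __name__ == "__main__":
    for key, masked, valid in find_iccid_props(SAMPLE_DUMP):
        verdict = "likely ICCID" if valid else "ICCID-shaped, Luhn fails"
        print(f"{key}: {masked} ({verdict})")
```

A Luhn-valid hit in a property that unprivileged apps can read is worth reporting to the vendor; a Luhn failure is more likely an unrelated counter or timestamp.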

Timeline

  • Vulnerability published

  • Vulnerability Reserved
