TCL devices vulnerable to IMEI leak through high-privilege process
CVE-2023-38298
What is CVE-2023-38298?
Certain TCL devices, including models 30Z, A3X, 20XE, and 10L, exhibit a vulnerability that permits local applications to access the device's IMEI number via a system property. This occurs without any permissions or special privileges, undermining user privacy. Android's restrictions enacted in version 10 aimed to prevent third-party apps from directly accessing such non-resettable identifiers. However, in the case of these TCL devices, high-privilege processes inadvertently expose sensitive information, allowing malicious applications to indirectly extract the IMEI by reading from the 'gsm.device.imei0' system property. This poses significant risks for end-users, as unauthorized access to device identifiers can lead to tracking and other malicious activities.