CVE-2023-52275
Description
Gallery3d on Tecno Camon X CA7 devices allows attackers to view hidden images by navigating to data/com.android.gallery3d/.privatealbum/.encryptfiles and guessing the correct image file extension.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Tecno/Gallery3d
Patches
Vulnerability mechanics
Root cause
"The Gallery3d application stores hidden images in a world-readable directory without encryption or access control, and the files retain their original JPEG format with only the file extension stripped."
Attack vector
An attacker with physical access to the device can connect it to a computer via USB and enable file transfer. By navigating to the path `/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles/` [ref_id=1], the attacker can list all files that were placed in the hidden album. Although the files lack a visible image extension, they remain standard JPEG images; simply appending `.jpg` or another appropriate extension makes them viewable [ref_id=1]. No PIN or authentication is required to access this directory.
Affected code
The vulnerable path is `/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles/` on the device's internal storage [ref_id=1]. The Gallery3d application stores hidden images in this directory without encryption or access control. The researcher's exploit script (`functions.py`) automates the retrieval by listing files in this folder and copying them with guessed MIME-type extensions [ref_id=1].
What the fix does
No patch is published in the supplied bundle. The advisory [ref_id=1] does not describe any vendor fix. To remediate this vulnerability, the Gallery3d application should store hidden images in a directory that is not world-readable, encrypt the files at rest, and require authentication before the files can be accessed or enumerated.
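As an added illustration of the remediation just described (example code, not from Gallery3d or the advisory), the Go snippet below contrasts rename-only hiding, which leaves the JPEG marker intact for any audit or viewer to recognise, with authenticated encryption at rest; `sampleJPEG` and the 32-byte key are constructed placeholders, and in a real app the key would come from a hardware-backed keystore gated by user authentication.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed stand-in for a hidden photo: JPEG SOI marker, JFIF APP0 fragment, dummy payload.
var sampleJPEG = []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 1, 2, 3}

// hideByStrippingExtension models the advisory's weak scheme: the bytes are stored
// unchanged and only the file name loses its ".jpg" suffix.
func hideByStrippingExtension(img []byte) []byte { return append([]byte(nil), img...) }

// looksLikeJPEG reports whether a stored blob is still a recognisable JPEG whatever
// its file name; run over a hidden album it audits for rename-only "hiding".
func looksLikeJPEG(blob []byte) bool { return bytes.HasPrefix(blob, []byte{0xFF, 0xD8, 0xFF}) }

// newGCM builds AES-256-GCM; a fixed 32-byte key makes both constructors infallible.
func newGCM(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealAtRest is the hardened form: authenticated encryption with a fresh random
// nonce per file, stored as nonce || ciphertext || tag. The key must live outside
// the album (a keystore gated by user authentication), never beside the data.
func sealAtRest(key *[32]byte, img []byte) ([]byte, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, img, nil), nil
}

// openAtRest reverses sealAtRest; a wrong key or a tampered blob fails the GCM tag check.
func openAtRest(key *[32]byte, blob []byte) ([]byte, error) {
	gcm := newGCM(key)
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}
```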
Preconditions
- physical_access: Attacker must have physical access to the unlocked device or be able to connect via USB with file transfer enabled
- config: The device must have the Gallery3d hidden album feature and at least one image hidden in it
Reproduction
1. Connect the Tecno Camon X CA7 device to a computer via USB and enable file transfer (MTP) mode.
2. Navigate to `/Android/data/com.android.gallery3d/.privatealbum/.encryptfiles/` on the device's internal storage [ref_id=1].
3. Copy any files from that directory to the computer.
4. Append a `.jpg` (or other appropriate image) extension to each file.
5. Open the renamed file in any image viewer to see the hidden image [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.