Six Flaws in AirDrop and Quick Share Enable Nearby Service Crashes

Six security flaws in AirDrop and Quick Share let nearby attackers crash file sharing services and bypass session protections across billions of Apple and Android devices.

CSBadmin
2 Min Read

Vulnerabilities Discovered

Researchers from the CISPA Helmholtz Center for Information Security have identified six security vulnerabilities in Apple’s AirDrop and Google’s Quick Share wireless file transfer services. These flaws allow an attacker within wireless range, approximately 10 to 30 meters, to crash the sharing service on target devices using only a laptop with no prior connection or user interaction. The research provides the first side by side analysis of both systems above the radio layer, examining discovery, session handling, parsing, and trust decisions.

Impact and Scope

On Apple devices, three distinct AirDrop flaws all crash the sharingd background service on macOS and iOS. This service also handles AirPlay, Handoff, Universal Clipboard, Continuity Camera, and NameDrop, meaning a single crash takes down the entire suite. The simplest attack requires sending a single malformed request to a device set to receive from Everyone, and can be sustained by sending such messages every two seconds. One particularly broad flaw involves a stack overflow in Foundation’s XML property list parser, which could affect any Apple app that opens an untrusted file across macOS, iOS, watchOS, tvOS, and visionOS. For Quick Share, two Samsung implementation bugs allow attackers to bypass session handshake protections and send unencrypted control messages. The most serious flaw is a use after free memory bug in Google’s Quick Share for Windows app, where Control Flow Guard is disabled, potentially enabling code execution.

Patches and Mitigations

Apple has patched one of the three AirDrop bugs with a CVE assigned, while the other two remain in coordinated disclosure. Google has paid a bounty for the Windows flaw and implemented a code fix, with its CVE still pending. Samsung’s two bugs are under investigation by Google. Users should install the latest Apple updates (iOS and macOS 26.5.2 released June 29), set AirDrop to Contacts Only rather than Everyone, and update the Quick Share Windows app immediately.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.