AirDrop and Quick Share Vulnerabilities Expose Billions of Devices to Local Attacks
New research has uncovered six security flaws affecting both **Apple's AirDrop** and **Google's Quick Share** functionalities. These vulnerabilities could allow attackers within wireless range to crash sharing services, bypass security checks, or potentially exploit memory bugs on billions of active devices, highlighting critical issues in wireless file transfer protocols.
# Wireless File Sharing Under Scrutiny: AirDrop and Quick Share Flaws Revealed
Two cybersecurity researchers have identified six distinct security vulnerabilities impacting **AirDrop** and **Quick Share**, the popular wireless file-sharing features integrated into over five billion **Apple** and **Android** devices globally. These flaws could allow an attacker, equipped with just a laptop and within wireless range, to disrupt device functionality without requiring prior connection or user interaction.
The findings, detailed in a new research paper by **Arash Ale Ebrahim** and **Nils Ole Tippenhauer** of the **CISPA Helmholtz Center for Information Security**, represent the first side-by-side analysis of the discovery and session handling layers of both platforms.
## Patches Underway, But Risks Remain
**Apple** has already patched one of the three **AirDrop** bugs and assigned a **CVE** (though the advisory is not yet public), with the remaining two still in coordinated disclosure. **Google** has issued a bounty and deployed a code fix for a **Quick Share** flaw affecting its Windows application, with its **CVE** pending. **Samsung's** two identified **Quick Share** bugs are under investigation by **Google**. As of this writing, there are no public reports of these flaws being actively exploited.
## Three Ways to Disrupt Apple's Sharing Ecosystem
All three **AirDrop** vulnerabilities lead to a crash of `sharingd`, the macOS and iOS background service responsible for **AirDrop**, **AirPlay**, **Handoff**, **Universal Clipboard**, **Continuity Camera**, and **NameDrop**. A continuous loop of malformed requests, sent approximately every two seconds to a device with **AirDrop** set to 'Everyone,' can keep these essential features offline for the duration of the attack.
Two of these vulnerabilities extend beyond **AirDrop**, residing within shared **Apple** frameworks. The most widespread is a stack overflow in **Foundation's** XML property list parser, triggered by a small file with around 200 nested layers. This flaw could potentially affect any **Apple** application opening an untrusted file of this type across **macOS**, **iOS**, **watchOS**, **tvOS**, and **visionOS**. The researchers successfully reproduced **AirDrop** crashes on **macOS 15.7.4**, **macOS 26.3**, **iOS 18.x**, and **iOS 26.3**, though an older **iOS 16** build remained unaffected.
## Quick Share Vulnerabilities and a Recurring Problem
On **Android**, two flaws in **Samsung's Quick Share** allow an attacker to bypass the handshake intended to secure a session. One enables an unverified device to initiate a connection before encryption is established, while the other permits unencrypted control messages to pass even within an existing secure session. These vulnerabilities, tested on a **Galaxy S23 Ultra**, could allow an attacker on the same Wi-Fi network to manipulate connection states or force the server to return attacker-supplied IP and port values, effectively circumventing system protections.
The most critical flaw was discovered in **Google's Quick Share for Windows**, a memory bug that surfaces when two connections collide, leading to a use-after-free condition. This type of bug can often be exploited for arbitrary code execution, a plausible scenario here given that the **Control Flow Guard** defense is disabled in the app. **Google** acknowledged the bug, paid a bounty, and has since deployed a fix.
This isn't the first time **Quick Share for Windows** has faced such issues. **SafeBreach** reported a 10-bug code-execution chain in 2024 (**CVE-2024-38271** and **CVE-2024-38272**), and later bypassed **Google's** fixes (**CVE-2024-10668**). The new use-after-free vulnerability further highlights a persistent pattern of security weaknesses in this component. Ironically, the program's source code contained a comment acknowledging a prior bug in the exact same spot, indicating that a previous fix inadvertently reintroduced a similar flaw.
## Localized Risk, Widespread Impact
These attacks are localized, requiring the attacker to be within 10 to 30 meters or on the same local network. While not internet-wide, a single attacker in a public space like an airport or conference could affect numerous devices. The researchers have openly released their tools to facilitate independent verification.
### Recommendations for Users and IT Professionals:
* **Apple Devices:** Install the latest updates (**iOS** and **macOS 26.5.2** shipped June 29). Set **AirDrop** to 'Contacts Only' or disable it entirely, as the 'Everyone' setting is required for these specific flaws to be exploited.
* **Quick Share (Android/Windows):** Avoid setting visibility to 'Everyone' when not actively receiving files. Update the **Quick Share for Windows** app immediately to incorporate **Google's** fix.
The timing of these discoveries is particularly noteworthy as **Google's AirDrop** interoperability for **Quick Share** is rolling out, which specifically requires iPhones to be set to 'Everyone' β the very setting that exposes them to these crash bugs.