Inzamam Nizam Jul 06, 2026

Security Researchers Discover Critical AirDrop and Quick Share Vulnerabilities

Key Takeaways

  • Six security flaws were found across Apple's AirDrop and the Samsung and Google Quick Share implementations, technologies running on more than five billion active devices.
  • An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from “Everyone” with no tap or prompt required.
  • Quick Share flaws let attackers bypass Samsung's session security checks and trigger a potentially exploitable crash in Google's Windows app.
  • Apple has patched one of three AirDrop bugs (CVE assigned, advisory not yet public); the other two remain in coordinated disclosure.
  • Google has fixed its Windows flaw and paid a bounty, with the CVE still pending. Samsung's two bugs remain under investigation at Google.

What Happened

Researchers Arash Ale Ebrahim and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security published the first study to analyse AirDrop and Quick Share side by side above the radio layer, focusing on discovery, session handling, parsing, and trust decisions.

Their work uncovered six distinct flaws: three in Apple's AirDrop (and the shared frameworks beneath it), two in Samsung's Quick Share implementation, and one in Google's Quick Share for Windows. The vulnerabilities affect specific implementations and versions rather than the entire five-billion-device ecosystem uniformly, but the affected components are foundational to how these features operate.

Three Ways The Apps Leaked

1. Apple AirDrop

Researchers discovered three vulnerabilities affecting the shared service that powers AirDrop, AirPlay, Handoff, and other Continuity features. A malformed request could repeatedly crash the service when AirDrop is set to "Everyone," while a separate flaw in Apple's shared Foundation framework could affect multiple apps and operating systems that process untrusted XML property lists.

2. Samsung Quick Share

Two vulnerabilities allowed attackers to bypass parts of Quick Share's authentication process, enabling unauthorised devices on the same Wi-Fi network to manipulate connections before or after encryption was established. Although researchers did not demonstrate file theft, the flaws weakened the protocol's built-in security guarantees.

3. Google Quick Share for Windows

The most severe flaw was a use-after-free memory vulnerability that could potentially be exploited for remote code execution because Windows Control Flow Guard was disabled. Researchers confirmed the crash but did not develop a working exploit. The finding also highlights a recurring pattern, with similar vulnerabilities repeatedly discovered in the same Quick Share component despite previous patches.

The Response Gap

Apple (AirDrop): Three vulnerabilities were discovered. One has been patched and assigned a CVE (although the security advisory has not yet been published), while the remaining two are still undergoing coordinated disclosure.

Samsung (Quick Share): Two vulnerabilities were reported to Google and are currently under investigation.

Google (Quick Share for Windows): One vulnerability was reported through Google's bug bounty program. The researcher received a bounty, the fix has been released, and a CVE assignment is pending.

No public reports of in-the-wild exploitation have surfaced as of this writing. Apple's broader security update, iOS and macOS 26.5.2, shipped June 29 and includes relevant fixes.

The timing is notable: Google's AirDrop interoperability for Quick Share is rolling out across flagship Android phones, and it only works when the iPhone is set to receive from “Everyone”, the exact setting that exposes the crash bugs. Cross-platform convenience is arriving at the same moment researchers are exposing its risks.

What Users and Developers Should Do

Apple users: Install the latest update (iOS/macOS 26.5.2 or newer), and set AirDrop to “Contacts Only” or off entirely rather than “Everyone.”

Quick Share (Android/Windows) users: Keep visibility out of “Everyone” mode except when actively receiving a file, and update the Windows Quick Share app now that Google's fix has landed.

Developers: Any Apple-platform app that parses untrusted XML property list files should be reviewed, since the stack-overflow bug lives in Foundation, not just AirDrop. Windows developers with similar connection-handling logic should audit for race conditions around session and encryption setup, particularly where Control Flow Guard or equivalent protections are disabled.

Expert View

Speaking to Help Net Security, the paper's lead author noted that despite AirDrop and Quick Share sharing almost no code, “the two ecosystems arrived at similar classes of weaknesses through entirely different implementations.” He recommended that authentication and encryption be enforced once, at a single dispatcher or framework boundary, rather than left to individual protocol handlers and that protocol-aware fuzzing become part of the standard development process.

— Arash Ale Ebrahim, Security Researcher, CISPA Helmholtz Center for Information Security

“What stands out is how low the barrier is: the attacker needs nothing but a laptop within wireless range. No pairing, no prompt, no user mistake. Malformed-input denial of service is one of the first attack classes we cover in ethical hacking training, and this research shows why organisations must re-test patched code, not just new code, and enforce safer sharing defaults through MDM policy instead of leaving them to end users.”

— Inzamam Nizam, Cyber Security & Security Engineer, Edoxi

What This Means for Security Professionals

Proximity-based attacks along with other cybersecurity attacks are a real-world threat today, especially in crowded environments like airports, conferences, and offices, where a single attacker could target multiple nearby devices. Vulnerabilities such as the Foundation parser flaw also show how shared frameworks can amplify security risks across platforms. Understanding these attack vectors and mitigation strategies is a key part of practical cybersecurity training. Edoxi's training centres across Dubai, Qatar, and London offer certification courses including CEH, CISSP, CISA, and CISM for professionals and corporates looking to upskill. With several vulnerabilities still unpatched and CVEs pending, organisations should closely monitor security advisories and enforce secure file-sharing policies through MDM instead of relying on user settings.

 

Cyber Security & Security Engineer

Inzamam Nizam is a Cyber Security & Security Engineer with over six years of experience in offensive cybersecurity, vulnerability research, and application security. His expertise includes mobile (iOS/Android), web, and network penetration testing, secure code review, red teaming, exploit development, and secure architecture assessments. Recognised in the SynAck Hall of Fame for discovering critical security vulnerabilities, he is passionate about helping organisations strengthen their security posture through practical, research-driven approaches.

Throughout his career, Inzamam has led security assessments, adversary emulation exercises, and secure development initiatives across diverse industries, including banking and enterprise environments. He has contributed to innovative cybersecurity projects such as SPELL-BOUND, an open-source adversary emulation framework, GHOSTWARE AI, an AI-powered security assessment platform, and KAEDAE, a behaviour-based keylogger detection solution. Through his writing, he shares practical insights, emerging attack techniques, and defensive strategies to help security professionals stay ahead of the evolving threat landscape.

Tags
Technology
Education