New Vulnerability in Google’s Quick Share for Windows Allows Unauthorized File Transfers and DoS Attacks
Cybersecurity researchers have revealed details of a newly discovered vulnerability in Google's Quick Share data transfer utility for Windows, which could be exploited to trigger a denial-of-service (DoS) attack or send arbitrary files to a target device without user approval.
The flaw, identified as CVE-2024-10668 with a CVSS score of 5.9, is a bypass for two of the 10 vulnerabilities originally disclosed by SafeBreach Labs in August 2024 under the name QuickShell. Google has since addressed the issue in Quick Share for Windows version 1.0.2002.2 following responsible disclosure.
The original set of vulnerabilities, tracked collectively as CVE-2024-38271 (CVSS score: 5.9) and CVE-2024-38272 (CVSS score: 7.1), could have been exploited together to achieve arbitrary code execution on Windows systems.
Quick Share's Security Flaws: A Persistent Issue
Quick Share, formerly known as Nearby Share, is a peer-to-peer file-sharing feature similar to Apple's AirDrop, enabling seamless transfers between Android devices, Chromebooks, and Windows PCs.
However, a follow-up investigation by cybersecurity experts found that two of the previously reported vulnerabilities were not properly fixed. As a result, the application remains susceptible to crashes and unauthorized file transfers, allowing attackers to bypass recipient approval and directly send files to a device.
The DoS vulnerability can be triggered using a file name with an invalid UTF-8 continuation byte (e.g., "\xc5\xff") instead of a NULL terminator ("\x00"), causing the application to crash.
The unauthorized file transfer vulnerability was initially patched by marking transferred files as "unknown" and automatically deleting them after the session. However, SafeBreach researcher Or Yair demonstrated a bypass: sending two files with the same payload ID in one session causes only one to be deleted, leaving the second file intact in the Downloads folder.
Industry-Wide Security Implications
While this research focuses on Google’s Quick Share, experts believe it highlights a broader issue in software security. Or Yair emphasized that vendors must identify and address the root cause of vulnerabilities rather than applying surface-level fixes, especially when dealing with complex codebases.
This discovery serves as a reminder that even after vulnerabilities are patched, follow-up assessments are crucial to ensure proper remediation and prevent further security risks.
