Six Bugs in AirDrop and Quick Share Let Anyone Within Range Knock Out File Sharing

Researchers chained wireless-range flaws to crash receiving devices and bypass Quick Share permission checks — no taps, no pairing, no prompts.

Robert Brown · 3 min read
Two researchers disclosed six vulnerabilities affecting Apple's AirDrop and Google's Quick Share, the proximity file-transfer stacks built into iOS, macOS, Android, Windows, and ChromeOS.

The headline finding: an attacker inside Bluetooth/Wi-Fi range, carrying nothing more than a laptop, can crash the AirDrop service on a Mac or iPhone configured to receive from "Everyone" — no user interaction required, no prior pairing, no on-screen prompt.

That is a zero-click denial of service against the receiver. The target doesn't have to accept a transfer. They don't have to see one. The sharing daemon simply falls over.

The same research turned up parallel weaknesses in Quick Share, including flaws that let an attacker bypass the permission checks Google added after the 2024 Quick Share patch round (which itself fixed a remote-code-execution chain disclosed at DEF CON last year). The new bugs target the handshake and capability-negotiation logic that decides whether a sender is allowed to push a file without explicit user approval.

A few operational notes for defenders.

First, the attack surface is whoever you happen to be sitting next to. Airports, conferences, transit hubs, coworking floors. "Receive from Everyone" is the dangerous setting on Apple devices; "Contacts Only" sharply narrows exposure (though not to zero, depending on which of the six flaws applies). On Android and Windows, Quick Share's visibility setting plays the equivalent role.

Second, this is a wireless-range bug class, not a network bug class. VPNs, firewalls, and EDR do not help. The attack travels over the AWDL/Wi-Fi Direct/BLE stack that AirDrop and Quick Share use to negotiate transfers, well below anything your perimeter sees.

Third, crashes are the floor, not the ceiling. A reliable remote crash in a privileged sharing daemon is frequently a stepping stone to memory-corruption work. Neither researcher has publicly claimed RCE from these specific six issues, but the pattern (a parser fault in an always-listening service exposed to unauthenticated peers) is the same pattern that produced prior AirDrop and Quick Share RCEs.

CVE assignments, CVSS scores, and patched-version strings were not included in the initial disclosure I've seen. I'll update once Apple posts to its security releases page and Google publishes to the Android Security Bulletin. Quick Share for Windows updates ship through the standalone installer, so enterprise patch teams should not assume MDM coverage.

Mitigation in the meantime is unsexy but effective: set AirDrop to "Receiving Off" or "Contacts Only" when you're not actively using it, and set Quick Share visibility to "Your devices" or off. Toggle it on for the transfer, off afterward. That's the muscle memory worth building.
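
One way to check the AirDrop setting for every local account on a Mac, as an added example that is not from the researchers or any vendor. It assumes sharingd keeps the mode in the per-user preference domain `com.apple.sharingd` under the key `DiscoverableMode` with the values "Off", "Contacts Only" or "Everyone"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit AirDrop discoverability for each local user on a Mac.
# Assumption: the mode is stored per user in com.apple.sharingd under the key
# DiscoverableMode, with the values "Off", "Contacts Only" or "Everyone".

TAB=$(printf '\t')

# Map a DiscoverableMode value to an exposure rating.
classify_airdrop_mode() {
    case "$1" in
        "Off")           echo "ok" ;;
        "Contacts Only") echo "reduced" ;;
        "Everyone")      echo "exposed" ;;
        *)               echo "unknown" ;;  # key unset, unreadable or unexpected
    esac
}

# Emit "user<TAB>mode" for every home directory that has a sharingd plist.
# Run as root so other users' preferences are readable.
collect_modes() {
    for home in /Users/*; do
        plist="$home/Library/Preferences/com.apple.sharingd.plist"
        [ -f "$plist" ] || continue
        mode=$(defaults read "$plist" DiscoverableMode 2>/dev/null) || mode=""
        printf '%s\t%s\n' "${home##*/}" "$mode"
    done
}

# Read "user<TAB>mode" lines, print a rated report, and return 1 if any user
# is discoverable by everyone in wireless range.
audit_modes() {
    status=0
    while IFS="$TAB" read -r user mode; do
        rating=$(classify_airdrop_mode "$mode")
        printf '%s\t%s\t%s\n' "$user" "${mode:-unset}" "$rating"
        if [ "$rating" = "exposed" ]; then status=1; fi
    done
    return "$status"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    collect_modes | audit_modes
fi
```

Invoked with `--run`, the script exits non-zero when any account is set to "Everyone", which makes it usable as a compliance check in a management tool.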

The researchers have not yet published a technical writeup; I'll link it here when they do.

© 2026 Threat Vectr