
Multiple AirDrop and Quick Share Vulnerabilities Allow Attackers to Crash Devices


Jun 30, 2026 · 3 min read

Multiple newly disclosed vulnerabilities in Apple’s AirDrop and Google/Samsung Quick Share proximity-sharing protocols allow attackers within wireless range to repeatedly crash or disrupt nearby devices without user interaction.

Security researchers from CISPA Helmholtz Center for Information Security conducted a systematic reverse-engineering and protocol-aware fuzzing study of AirDrop and Quick Share across macOS, iOS, Android, and Windows.

Their research uncovered six distinct issues, several of which enable remote denial-of-service (DoS) attacks by crashing critical system daemons responsible for file-sharing and continuity features.

AirDrop and Quick Share Vulnerabilities

Three vulnerabilities (V1–V3) affect AirDrop’s application-layer stack in current macOS and iOS releases.

AIRFUZZ architecture (source: arxiv)

V1: Unhandled HTTP path fatal error

AirDrop’s sharing daemon uses a Swift path router that calls fatalError when it receives an HTTP request to an unknown URI.

Any unauthenticated device within AWDL range that POSTs to an unrecognized path on the AirDrop port can immediately crash the sharing daemon, taking down AirDrop, AirPlay, Handoff, Universal Clipboard, and other continuity services.

V2: Unbounded XML plist recursion

The XML property list scanner in the Foundation framework parses nested dict structures with no depth limit, causing a stack overflow at around 180–200 levels of nesting.

A crafted AirDrop Discover request containing a deeply nested XML plist can exhaust the stack and crash the process, creating a generic DoS primitive wherever untrusted XML plists are accepted.
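On the receiving side, the mitigation for V2 is to bound nesting before the plist reaches a recursive parser. The sketch below is an added example, not code from the article, the researchers, or Apple: it uses Python as a stand-in for a service that accepts untrusted XML plists, and `MAX_DEPTH`, the function names, and the sample documents are assumptions constructed for illustration.

```python
import plistlib
from xml.parsers import expat

MAX_DEPTH = 32  # assumed policy limit, well under the 180-200 levels cited above


class PlistTooDeep(ValueError):
    """Raised when dict/array nesting exceeds the configured limit."""


def check_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Stream the XML with expat events and return the deepest dict/array
    nesting seen, aborting as soon as the limit is exceeded."""
    depth = deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        if name in ("dict", "array"):
            depth += 1
            deepest = max(deepest, depth)
            if depth > limit:
                raise PlistTooDeep(f"nesting exceeds {limit} levels")

    def end(name):
        nonlocal depth
        if name in ("dict", "array"):
            depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # malformed XML raises expat.ExpatError
    return deepest


def load_untrusted_plist(data: bytes, limit: int = MAX_DEPTH):
    """Reject over-deep input first, then hand it to the real plist parser."""
    check_depth(data, limit)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


# Constructed samples (not real AirDrop fields): nesting depth 3 and depth 4.
SAMPLE_OK = (b'<plist version="1.0"><dict><key>Name</key><string>demo</string>'
             b'<key>Files</key><array><dict><key>Size</key><integer>1</integer>'
             b'</dict></array></dict></plist>')
SAMPLE_DEEP = (b'<plist version="1.0"><dict><key>a</key><dict><key>b</key><dict>'
               b'<key>c</key><dict><key>d</key><string>x</string></dict></dict>'
               b'</dict></dict></plist>')
```

Calling `load_untrusted_plist(SAMPLE_DEEP, limit=3)` raises `PlistTooDeep` before any plist object is built, while the same document passes under the default limit.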

V3: HTTP/1.1 parser NULL dereference

Network.framework’s HTTP/1.1 connection setup path can be forced into an inconsistent state using malformed framing (e.g., negative chunk sizes or conflicting Content-Length headers).

This leads to a NULL-pointer dereference in the HTTP parser, again crashing the sharing daemon and impacting all continuity services on affected Apple devices.

Three further vulnerabilities (V4–V6) impact Quick Share implementations on Samsung Android devices and Google’s Quick Share client for Windows.

V4: Pre-authentication frame-processing bypass

The Nearby Connections layer begins dispatching certain OfflineFrame messages immediately after a single unauthenticated ConnectionRequest, before the UKEY2 handshake completes.

This lets an attacker in proximity interact with the Quick Share protocol state machine and process attacker-controlled protobuf content without any cryptographic authentication, broadening the zero-click attack surface.

V5: Device-to-device encryption bypass

After UKEY2, three frame types (CONNECTIONRESPONSE, BANDWIDTHUPGRADE, KEEPALIVE) are still accepted and processed in plaintext if sent as raw OfflineFrame protobufs rather than wrapped in the SecureMessage encryption layer.

V5 per-handler encryption enforcement (source: arxiv)

An on-path attacker on the same network can thus inject unencrypted control frames into an active Quick Share session, potentially forcing connections into an accepted state, keeping them alive, or leaking endpoint state.

V6: Windows Quick Share use-after-free

Google’s Quick Share for Windows suffers a race-condition use-after-free in endpoint management when two connections collide on the same identifier and nonce.

A worker thread dereferences a freed EndpointChannel object for a virtual call, yielding a reliable DoS and a plausible path to code execution via vtable hijack in the absence of Control Flow Guard.

According to researchers, these issues affect a vast ecosystem, with over 2.2 billion active Apple devices and more than 3 billion Android devices, including Samsung devices with Quick Share integration.

All six vulnerabilities were responsibly disclosed to Apple, Samsung, and Google. Apple has acknowledged V1–V3 and is developing fixes, while Google has awarded a bounty for V6 and is investigating flaws in the Quick Share protocol.

Source: CybersecurityNews.com
