Google has warned about two security vulnerabilities in its Quick Share software, also known as Nearby Share. These vulnerabilities affect Android and Windows versions and could allow attackers to send data to Windows computers without user consent.
The first vulnerability (CVE-2024-38272), rated with a CVSS score of 7.1, permits attackers to bypass the file accept dialog in Quick Share for Windows. Typically, Quick Share requires user confirmation to receive files when set to “Receive from everyone” or “Receive from contacts” modes. However, this vulnerability allows attackers to circumvent this security measure.
The second vulnerability (CVE-2024-38271), with a CVSS score 5.9, enables malicious actors to position themselves as man-in-the-middle during data transfers. Google explained that Quick Share sets up a temporary Wi-Fi hotspot for fast data transfer. Attackers can exploit this process by tricking victims into staying connected to the attacker’s Wi-Fi network. They achieve this by sending an offline frame that causes Quick Share to crash, maintaining the connection to the attacker’s network. This situation allows the attacker to intercept and spy on network traffic.
Google has addressed these vulnerabilities in Quick Share version 1.0.1724.0, which closes the identified security gaps. Users can download this update from the Quickshare download page. However, be advised that the update cannot be forced. In a test conducted by Stack Diary, we found that systems with vulnerable version 1.0.1637.0 do not automatically update to the secure version.
Until the automatic update is applied, we recommend that Quickshare users exercise caution. Users should verify their Wi-Fi network connection after file transfers to ensure they are not connected to an unexpected network. Additionally, inspecting the download folder for unsolicited files is advised, as these could contain malware. To further mitigate risk, users should change the visibility setting to “Nobody” when not actively using Quick Share, since the vulnerabilities are only exploitable in “Everyone” or “Contacts” modes.
Quick Share, initially called Nearby Share, left its beta phase for the Windows app in July last year. It serves as Google’s counterpart to Apple’s AirDrop, offering a simple and efficient method for data exchange between devices such as smartphones and computers.
