Google’s Quick Share data transfer utility for Android and Windows has been found to contain 10 security flaws that could lead to remote code execution. SafeBreach Labs uncovered these vulnerabilities, which could be exploited to run arbitrary code on systems with the Quick Share software installed.
The researchers at SafeBreach Labs explained in a technical report shared with The Hacker News that the Quick Share application uses its own communication protocol to facilitate file transfers between compatible devices. By analyzing this protocol, they were able to identify weaknesses that could be manipulated to create an innovative RCE attack chain, called QuickShell.
These vulnerabilities include denial-of-service flaws, unauthorized file write bugs, directory traversal, and issues related to Wi-Fi connections. Google has released an updated version of Quick Share, addressing these flaws and assigning them unique CVE identifiers.
- CVE-2024-38271 (CVSS score: 5.9) – Forcing a victim to connect to a temporary Wi-Fi network
- CVE-2024-38272 (CVSS score: 7.1) – Allowing an attacker to bypass file dialog on Windows
Quick Share, previously known as Nearby Share, enables users to transfer files between devices in close proximity. Despite its convenience, the identified vulnerabilities could lead to serious security risks such as unauthorized file writes, crashes, and redirection of traffic.
Researchers highlighted at DEF CON 32 the importance of addressing seemingly low-risk vulnerabilities that could be exploited in combination to compromise systems. They emphasized the need for robust security measures in data-transfer utilities like Quick Share to prevent potential attacks.
If you found this article interesting, follow us on Twitter and LinkedIn for more exclusive content.