Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent

Cybersecurity researchers have disclosed details of a new vulnerability impacting Google's Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target's device without their approval.
The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that were originally disclosed by SafeBreach Labs in August 2024 under the name QuickShell. It has been addressed in Quick Share for Windows version 1.0.2002.2 following responsible disclosure in August 2024.
A consequence of these 10 vulnerabilities, collectively tracked as CVE-2024-38271 (CVSS score: 5.9) and CVE-2024-38272 (CVSS score: 7.1), was that they could have been fashioned into an exploit chain to obtain arbitrary code execution on Windows hosts.
Quick Share (previously Nearby Share) is a peer-to-peer file-sharing utility similar to Apple AirDrop that allows users to transfer files, photos, videos, and other documents between Android devices, Chromebooks, and Windows desktops and laptops in close physical proximity.
A follow-up analysis by the cybersecurity company found that two of the vulnerabilities were not fixed correctly, once again causing the application to crash or bypass the need for a recipient to accept the file transfer request by directly transmitting a file to the device.
Specifically, the DoS bug could be triggered by using a file name that starts with a different invalid UTF8 continuation byte (e.g., "\xc5\xff") instead of a file name that begins with a NULL terminator ("\x00").
On the other hand, the initial fix for the unauthorized file write vulnerability marked such transferred files as "unknown" and deleted them from the disk after the file transfer session was complete.
This, SafeBreach researcher Or Yair said, could be circumvented by sending two different files in the same session with the same "payload ID," causing the application to delete only one of them, leaving the other intact in the Downloads folder.
"While this research is specific to the Quick Share utility, we believe the implications are relevant to the software industry as a whole and suggest that even when code is complex, vendors should always address the real root cause of vulnerabilities that they fix," Yair said.
Europol Dismantles Kidflix With 72,000 CSAM Videos Seized in Major Operation
Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner