HeadlinesBriefing favicon HeadlinesBriefing.com

Cross‑Platform Study Finds Six Flaws in AirDrop and Quick Share

Hacker News •
×

Researchers performed the first cross‑platform reverse‑engineering of Apple AirDrop and Android‑based Quick Share protocols, which power file transfers on more than five billion devices. Because the stacks are proprietary, their application‑layer security has seen little scrutiny despite being reachable via Wi‑Fi or Bluetooth without prior pairing. Attackers could exploit these flaws to spread malware or exfiltrate data without user interaction.

The team rebuilt AirDrop’s seven‑layer state machine, uncovered its DVZip compression, and built AIRFUZZ, a fuzzer that mutates pre‑compression data. Their analysis yielded three bugs in macOS/iOS – a Swift fatal error, an unbounded XML plist recursion, and a NULL dereference in the HTTP/1.1 parser. Work on Samsung’s Quick Share identified two flaws, while a bug was found in Google’s Windows client, earning a bounty.

All six vulnerabilities (V1‑V6) were responsibly disclosed; Apple, Samsung, and Google have acknowledged the reports. The findings expose zero‑click attack vectors that could let malicious actors execute code inside privileged daemons across iOS, macOS, Android, and Windows platforms. Security teams now have concrete patches to harden proximity transfer services. Patch deployments are already rolling out to recent OS updates, reducing immediate risk for most users.