Overview
- CISPA researchers announced on Tuesday that they found six vulnerabilities across Apple AirDrop and Google/Samsung Quick Share that affect macOS, iOS, Android and Windows.
- Three AirDrop issues crash the privileged sharing daemon (sharingd) by triggering a Swift fatalError, forcing unbounded recursion in Apple's XML plist parser, or causing a null pointer dereference in the HTTP parser; this can disable AirDrop, AirPlay, Handoff and other services until the attack stops.
- Two Quick Share logic flaws let an attacker drive session state ahead of authentication or have some post‑handshake frames processed unencrypted, and a Windows Quick Share client had a use‑after‑free memory bug that Google patched after paying a bounty.
- All attacks require physical proximity, typically about 10 to 30 meters, and need no pairing or prior connection, so a single attacker in a crowded place can target many devices but cannot exploit them remotely over the Internet.
- The researchers released their protocol fuzzer, crash scripts, and notes. They recommend installing vendor updates, setting sharing visibility to Contacts Only or off, and moving authentication checks to a central boundary to reduce pre‑auth exposure.
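
The central-boundary recommendation, and the two Quick Share logic flaws it addresses, can be sketched as a single dispatch gate that every frame passes before any handler runs. This is an added example, not code from the researchers or either vendor; the frame kinds, states, key and class names are hypothetical.

```python
# Hypothetical frame kinds and states (assumptions), not Quick Share's or AirDrop's.
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

KEY = b"constructed-demo-key"  # stands in for the negotiated session secret
State = Enum("State", "NEW HANDSHAKE AUTHENTICATED")

@dataclass
class Frame:
    kind: str
    encrypted: bool = False
    proof: bytes = b""  # only meaningful on KEY_CONFIRM

# One policy table: state -> {accepted frame kind: must it arrive encrypted?}
POLICY = {
    State.NEW: {"HELLO": False},
    State.HANDSHAKE: {"KEY_CONFIRM": False},
    State.AUTHENTICATED: {"TRANSFER_OFFER": True, "PAYLOAD": True},
}
NEXT = {"HELLO": State.HANDSHAKE, "KEY_CONFIRM": State.AUTHENTICATED}

def confirm_tag(key=KEY):
    return hmac.new(key, b"KEY_CONFIRM", hashlib.sha256).digest()

class Session:
    def __init__(self):
        self.state = State.NEW

    def dispatch(self, frame):
        """Central boundary: handlers run only for frames that return True."""
        allowed = POLICY[self.state]
        if frame.kind not in allowed:
            return False  # out of order, e.g. PAYLOAD before authentication
        if allowed[frame.kind] and not frame.encrypted:
            return False  # plaintext frame after the handshake
        if frame.kind == "KEY_CONFIRM" and not hmac.compare_digest(
                frame.proof, confirm_tag()):
            return False  # failed proof must not advance session state
        self.state = NEXT.get(frame.kind, self.state)
        return True

def replay(frames):
    """Feed constructed frames to a fresh session; return verdicts and final state."""
    session = Session()
    return [session.dispatch(f) for f in frames], session.state
```

Because state only advances inside `dispatch`, a handler cannot be reached by skipping the handshake, and no individual handler has to remember its own authentication or encryption check.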