Google’s Quick Share data transfer utility for Android and Windows has been found to have 10 security flaws that could lead to remote code execution (RCE) on systems with the software installed.
“The Quick Share application uses a specific application-layer communication protocol for file transfers between compatible devices,” explained SafeBreach Labs researchers Or Yair and Shmuel Cohen.
These vulnerabilities, collectively named QuickShell, could be exploited to run arbitrary code on Windows hosts and have been addressed in Quick Share version 1.0.1724.0 and above.
The flaws are being tracked by Google under two CVE identifiers: CVE-2024-38271 and CVE-2024-38272.
Quick Share, previously known as Nearby Share, allows for peer-to-peer file sharing between Android devices, Chromebooks, and Windows machines in close proximity.
The security risks identified highlight the importance of addressing seemingly low-risk vulnerabilities that could be exploited when combined with other flaws.
section class=”dog_two clear”>
The findings of this research, presented at DEF CON 32, emphasize the need to address security challenges in data-transfer utilities supporting multiple protocols and devices.
“This research reveals the security challenges introduced by the complexity of a data-transfer utility attempting to support so many communication protocols and devices,” said SafeBreach Labs.
