A critical flaw in Google’s Quick Share utility for Windows has been uncovered, allowing attackers to execute code remotely and compromise user devices.
The vulnerability was initially identified by researchers Or Yair and Shmuel Cohen from SafeBreach Labs, who presented their findings at DEF CON 32 in 2024.
Despite Google’s efforts to patch the vulnerabilities, follow-up research revealed additional issues, including a bypass of one critical fix.
Quick Share Vulnerabilities: A Background
Google’s Quick Share is a peer-to-peer data transfer utility designed for Android, Windows, and Chrome operating systems.
It uses communication protocols such as Bluetooth, Wi-Fi Direct, WebRTC, and NFC to enable seamless file sharing between nearby devices.
While innovative in its functionality, the Windows version of Quick Share became a target for security researchers due to its complexity, open-source codebase, and potential pre-installation on new PCs.
SafeBreach researchers identified ten vulnerabilities in the Windows application during their initial investigation.
These included remote unauthorized file writes, forced Wi-Fi connections, directory traversal exploits, and several denial-of-service (DoS) attacks.
Among these vulnerabilities was a critical flaw enabling attackers to bypass file transfer acceptance mechanisms and send files directly to a user’s device without approval.
Google responded promptly, issuing two Common Vulnerabilities and Exposures (CVE) identifiers, CVE-2024-38271 and CVE-2024-38272, and releasing patches that addressed the identified flaws.
Follow-Up Research: Fix Bypasses
Despite Google’s fixes, SafeBreach researchers discovered that two vulnerabilities were not adequately resolved:
- Remote DoS Vulnerability: The initial fix targeted invalid UTF-8 continuation bytes in file names but failed to address other invalid byte sequences. Attackers could exploit this oversight by crafting malicious file names with alternative invalid bytes to crash the application.
- Remote Unauthorized File Write Vulnerability: The original flaw allowed attackers to bypass user approval for file transfers. Google’s fix ensured files sent via this exploit were written temporarily but deleted after the session ended. However, researchers found that sending multiple files with identical payload IDs confused Quick Share into deleting only one file while leaving another on the disk. This bypassed the fix entirely and reintroduced the vulnerability.
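The first item above is a case of validating one class of bad input instead of the whole grammar. The following C++ sketch is an added example, not Quick Share's code: it checks a peer-supplied file name against every UTF-8 well-formedness rule in RFC 3629 and reports which rule failed. The names `ValidateUtf8`, `Utf8Error` and `IsAcceptableFileName` are hypothetical, and the sample names in `main` are constructed.

```cpp
#include <cstdint>
#include <string>

// Which RFC 3629 well-formedness rule a byte string violates, if any.
enum class Utf8Error { kOk, kStrayContinuation, kInvalidLead, kTruncated,
                       kBadContinuation, kOverlong, kSurrogate, kOutOfRange };

// Hypothetical helper (not from the page): run on a received file name before
// any string routine that assumes well-formed UTF-8 touches it.
Utf8Error ValidateUtf8(const std::string& s) {
  size_t i = 0;
  while (i < s.size()) {
    const uint8_t b = static_cast<uint8_t>(s[i]);
    if (b < 0x80) { ++i; continue; }                     // ASCII
    if (b < 0xC0) return Utf8Error::kStrayContinuation;  // 10xxxxxx as first byte
    size_t len; uint32_t cp, lowest;
    if (b < 0xE0)      { len = 2; cp = b & 0x1F; lowest = 0x80; }
    else if (b < 0xF0) { len = 3; cp = b & 0x0F; lowest = 0x800; }
    else if (b < 0xF8) { len = 4; cp = b & 0x07; lowest = 0x10000; }
    else return Utf8Error::kInvalidLead;                 // 0xF8..0xFF never valid
    if (s.size() - i < len) return Utf8Error::kTruncated;
    for (size_t k = 1; k < len; ++k) {
      const uint8_t c = static_cast<uint8_t>(s[i + k]);
      if ((c & 0xC0) != 0x80) return Utf8Error::kBadContinuation;
      cp = (cp << 6) | (c & 0x3F);
    }
    if (cp < lowest) return Utf8Error::kOverlong;        // covers 0xC0/0xC1 leads
    if (cp >= 0xD800 && cp <= 0xDFFF) return Utf8Error::kSurrogate;
    if (cp > 0x10FFFF) return Utf8Error::kOutOfRange;
    i += len;
  }
  return Utf8Error::kOk;
}

// Refuse the transfer unless the name is well-formed; do not try to repair it.
bool IsAcceptableFileName(const std::string& name) {
  return !name.empty() && ValidateUtf8(name) == Utf8Error::kOk;
}

int main() {
  // Constructed sample names: one well-formed, one containing a 0xFF byte.
  return IsAcceptableFileName("photo.jpg") &&
         !IsAcceptableFileName("bad\xFF.jpg") ? 0 : 1;
}
```

A check that only looks for misplaced continuation bytes would return early on the second case and accept the rest; each enum value here corresponds to a separate class of malformed input that has to be rejected.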
Vendor Response and Implications
SafeBreach reported these findings to Google in August 2024.
Google issued a new CVE—CVE-2024-10668—and implemented additional fixes.
Users are strongly advised to update their Quick Share application to version 1.0.2002.2 to mitigate risks.
This research highlights broader industry challenges in addressing software vulnerabilities effectively.
Researchers emphasized that vendors must tackle root causes rather than implement superficial fixes that leave room for exploitation.
Users should ensure their Quick Share utility is updated to the latest version and remain vigilant about software updates from Google.
For enterprises relying on Quick Share, consulting cybersecurity experts may help mitigate risks associated with such vulnerabilities.
As software complexity increases, thorough testing and robust security measures are essential to protect users from emerging threats like remote code execution attacks.