Security researchers have disclosed six vulnerabilities in Apple's AirDrop and Google's Quick Share that allow nearby attackers to crash file-sharing services and potentially bypass security checks on target devices.
The flaws enable an attacker within wireless range to send malicious packets that trigger denial-of-service conditions on macOS and iOS devices configured to receive files from anyone. No prior connection, authentication, or user interaction is required. An attacker needs only a laptop to launch the attack.
AirDrop, which operates over Bluetooth and Wi-Fi Direct, accepts incoming file transfers from nearby devices when set to "Everyone" mode. The vulnerability chain allows attackers to craft specially formed packets that crash the sharing daemon without requiring the target user to accept or tap any prompt. This creates a direct denial-of-service vector against devices in public spaces like cafes or transit hubs.
Quick Share, Google's equivalent functionality on Android and Chrome OS devices, contains similar flaws. The research indicates these vulnerabilities can also bypass certain security checks, though specifics on the bypass mechanism were not detailed in available reports.
The researchers demonstrated the attack requires minimal resources. An attacker with standard laptop hardware and basic wireless capability can reliably trigger crashes on multiple devices simultaneously within broadcast range. The attack surface expands in crowded environments where many devices operate AirDrop or Quick Share in permissive configurations.
Apple and Google have not yet released patches. Users can immediately reduce risk by changing AirDrop settings from "Everyone" to "Contacts Only" or disabling the feature entirely when not actively transferring files. Chrome OS and Android users should similarly disable Quick Share or restrict it to known contacts.
The research highlights a fundamental challenge in proximity-based file sharing. The design prioritizes user convenience over strict authentication, creating inherent risks when operating in untrusted network environments. Widespread adoption of these features in their default permiss
