Google Fixes Quick Share Flaw That Allowed Stealth File Transfers
A security flaw in Google's Quick Share for Windows allowed attackers to potentially flood a target's system or surreptitiously send them files without permission, cybersecurity experts have revealed. Google has released a patch to address the vulnerability, which could have enabled denial-of-service attacks or unauthorized file transfers.

Security researchers have uncovered a new vulnerability in Google's Quick Share for Windows. This flaw could allow attackers to trigger a denial-of-service (DoS) attack or even sneak files onto your device without you knowing!
This isn't just any bug. Tracked as CVE-2024-10668 (rated 5.9 in severity), it turns out to be a bypass for fixes that were supposed to address vulnerabilities disclosed earlier this year. Remember QuickShell? Yeah, it's related.
Good news: Google has released Quick Share for Windows version 1.0.2002.2 to address the problem. But is it really fixed?
The earlier vulnerabilities, known as CVE-2024-38271 (CVSS score: 5.9) and CVE-2024-38272 (CVSS score: 7.1), could have allowed attackers to remotely run code on Windows machines. That's a big deal.
So, what is Quick Share anyway? Think of it like Apple's AirDrop, but for Android, Chromebooks, and Windows. It's a handy tool for quickly sharing files with people nearby.
But here's the catch: a follow-up investigation revealed that the initial patches didn't completely solve the problem. It turns out that the application could still crash or, even worse, bypass the need for your approval before transferring a file.
How does this work? Apparently, triggering the DoS required using specific, malformed filenames.
And that unauthorized file write vulnerability? The "fix" initially just marked the files as "unknown" and deleted them after the transfer. Clever attackers found a way around this by sending two files with the same "payload ID." The app would only delete one, leaving the other lurking in your Downloads folder.
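To make the gap concrete, here is a simplified model added for illustration; it is not Quick Share's code. It assumes the cleanup tracked one path per payload ID (the class names, the dictionary, and the staging-directory fix are all hypothetical) and contrasts that with a receiver that keeps unapproved data out of Downloads entirely.

```python
import os
import tempfile

class NaiveReceiver:
    """Assumed model of the incomplete fix: one tracked path per payload ID."""
    def __init__(self, downloads):
        self.downloads = downloads
        self.unknown = {}                       # payload_id -> path to delete later

    def receive(self, payload_id, name, data):
        path = os.path.join(self.downloads, name)
        with open(path, "wb") as f:
            f.write(data)
        self.unknown[payload_id] = path         # a duplicate ID overwrites the entry

    def cleanup(self):
        for path in self.unknown.values():      # only the last path per ID is known
            os.remove(path)
        self.unknown.clear()

class StagingReceiver:
    """Root-cause variant: nothing is written to Downloads before approval."""
    def __init__(self, downloads):
        self.downloads = downloads
        self.staging = tempfile.mkdtemp(prefix="staging-")
        self.pending = {}                       # payload_id -> (staged path, final name)

    def receive(self, payload_id, name, data):
        if payload_id in self.pending:
            raise ValueError("duplicate payload ID rejected")
        staged = os.path.join(self.staging, f"{len(self.pending)}.part")
        with open(staged, "wb") as f:
            f.write(data)
        # The final name is only recorded; a move would happen on approval.
        self.pending[payload_id] = (staged, os.path.basename(name))

    def cleanup(self):                          # transfer ended without approval
        for staged, _ in self.pending.values():
            os.remove(staged)
        self.pending.clear()

def leftover_after_unapproved_transfer(receiver_cls):
    """Deliver two constructed files under one payload ID, then clean up."""
    downloads = tempfile.mkdtemp(prefix="downloads-")
    rx = receiver_cls(downloads)
    for name in ("a.bin", "b.bin"):
        try:
            rx.receive(payload_id=7, name=name, data=b"constructed sample")
        except ValueError:
            pass                                # hardened receiver refuses the duplicate
    rx.cleanup()
    return sorted(os.listdir(downloads))

if __name__ == "__main__":
    print(leftover_after_unapproved_transfer(NaiveReceiver))    # ['a.bin']
    print(leftover_after_unapproved_transfer(StagingReceiver))  # []
```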
SafeBreach researcher Or Yair sums it up: "While this research is specific to the Quick Share utility, we believe the implications are relevant to the software industry as a whole and suggest that even when code is complex, vendors should always address the real root cause of vulnerabilities that they fix."