Quick Share for Windows Vulnerability Reopens File Transfer Exploit Risks

Cybersecurity experts have uncovered a new vulnerability in Google’s Quick Share utility for Windows, which could be leveraged to cause denial-of-service (DoS) attacks or send unauthorized files to a recipient’s device without their consent.

The flaw, identified as CVE-2024-10668 with a CVSS score of 5.9, is a bypass of two previously reported vulnerabilities that were part of a broader group dubbed QuickShell, originally disclosed by SafeBreach Labs in August 2024. Google released a patch in Quick Share for Windows version 1.0.2002.2 after a responsible disclosure process.

Recurring Security Gaps

Quick Share (formerly Nearby Share) is Google’s alternative to Apple’s AirDrop, enabling peer-to-peer file transfers between Android, Chromebook, and Windows devices in physical proximity. In August 2024, researchers identified 10 vulnerabilities (tracked as CVE-2024-38271 and CVE-2024-38272) in the tool, some of which could be chained together to execute arbitrary code on Windows systems.

Upon further investigation, researchers found that two of those flaws were not fully resolved. The DoS issue was still reproducible by submitting files with names beginning with invalid UTF-8 byte sequences (e.g., "\xc5\xff"), rather than using a null byte ("\x00") as in the original exploit.

File Transfer Without Consent

The second unresolved flaw involves unauthorized file delivery. While the initial fix marked these files as "unknown" and deleted them after the session, it could be bypassed by sending two files with the same payload ID during a single transfer. The application would delete just one, leaving the other intact in the Downloads folder, effectively sidestepping the fix.
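Both bypasses come down to a check narrower than the invariant it protects. The Python sketch below is an added example, not Quick Share's code: it validates the whole file name as strict UTF-8 and tracks every written file rather than one entry per payload ID. The `Session` class, the `track_by_id` switch and the keyed-by-ID bookkeeping are hypothetical, an assumed model of the behaviour described above.

```python
import os
import tempfile


def decode_file_name(raw: bytes) -> str:
    """Validate the whole name instead of blocklisting one bad byte."""
    try:
        name = raw.decode("utf-8")  # strict: rejects b"\xc5\xff" and similar
    except UnicodeDecodeError as exc:
        raise ValueError("file name is not valid UTF-8") from exc
    if not name or "\x00" in name or "/" in name or "\\" in name:
        raise ValueError("file name contains a forbidden character")
    return name


class Session:
    # Hypothetical per-transfer bookkeeping on the receiving side.
    def __init__(self, download_dir: str, track_by_id: bool):
        self.download_dir = download_dir
        self.track_by_id = track_by_id  # True models the fragile design
        self.by_id = {}                 # payload_id -> last path only
        self.written = []               # every unapproved path written

    def receive(self, payload_id: int, raw_name: bytes, data: bytes) -> None:
        name = decode_file_name(raw_name)
        if not self.track_by_id and payload_id in self.by_id:
            raise ValueError("duplicate payload ID in one session")
        path = os.path.join(self.download_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        self.by_id[payload_id] = path   # a repeated ID overwrites the entry
        self.written.append(path)

    def cleanup_unapproved(self) -> None:
        paths = self.by_id.values() if self.track_by_id else self.written
        for path in set(paths):
            os.remove(path)


def leftover_after(track_by_id: bool, frames) -> list:
    # Run constructed (payload_id, raw_name, data) frames; list files left.
    with tempfile.TemporaryDirectory() as d:
        s = Session(d, track_by_id)
        for pid, raw, data in frames:
            try:
                s.receive(pid, raw, data)
            except ValueError:
                pass  # rejected frame: nothing is written for it
        s.cleanup_unapproved()
        return sorted(os.listdir(d))
```

With two constructed frames that share a payload ID, the keyed-by-ID cleanup leaves the first file on disk, while the hardened mode rejects the repeat and removes everything it wrote.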

Lessons Beyond Quick Share

SafeBreach researcher Or Yair emphasized the broader impact of this finding:

“While this research targets Quick Share, it highlights a recurring challenge in the software industry — superficial patches that fail to address the root cause of vulnerabilities. Developers must dig deeper, especially when dealing with complex systems.”

The latest disclosure underscores the importance of thorough patching and comprehensive security validation, particularly for widely used file-sharing utilities that interact with multiple operating systems and devices.