Google Fixes Critical Quick Share Vulnerability Allowing Silent File Transfers Without User Consent

 

Google has rolled out a security patch addressing a newly uncovered vulnerability in Quick Share for Windows — its peer-to-peer file-sharing feature formerly known as Nearby Share. This flaw could allow unauthorized file transfers or trigger a denial-of-service (DoS) attack on targeted devices without the user's knowledge or permission.

📌 CVE-2024-10668: File Transfer Exploit Resurfaces

Tracked as CVE-2024-10668 with a CVSS score of 5.9, this vulnerability is a bypass for two previously disclosed flaws by SafeBreach Labs in August 2024 under the research name "QuickShell." Despite earlier patches, further analysis revealed that not all issues were properly resolved.

Google has since fixed the flaw in Quick Share for Windows version 1.0.2002.2, following responsible disclosure procedures.

🛡️ Root Cause & Exploit Chain Potential

The broader security concerns relate to two sets of vulnerabilities:

• CVE-2024-38271 (CVSS 5.9)

• CVE-2024-38272 (CVSS 7.1)

When chained together, these flaws had the potential to enable arbitrary code execution on Windows systems — posing a serious cyber threat.

Quick Share, which enables seamless file transfers across Android devices, Chromebooks, and Windows PCs, was found to be vulnerable to silent file delivery, effectively bypassing user consent in specific attack scenarios.

⚠️ Technical Breakdown: How Attackers Could Exploit It

Cybersecurity experts at SafeBreach discovered:

• The DoS condition could be triggered using a filename with an invalid UTF-8 continuation byte (like "\xc5\xff"), instead of the previously known null terminator ("\x00").

• The unauthorized file write vulnerability could be exploited by sending two files with the same "payload ID" during a single transfer session. This tricked the app into deleting only one file while leaving the second intact in the user's Downloads folder — without consent.

Originally, Google's patch attempted to mitigate this by marking unknown files and deleting them after a session ended. However, this workaround was found to be insufficient.

🔍 Industry-Wide Implications

According to Or Yair, the lead researcher behind the findings:

“While this research is specific to Google’s Quick Share, the implications extend to the entire software development industry. Vendors must address the underlying root causes of vulnerabilities — not just surface-level symptoms.”

✅ Key Takeaways for Users and Developers

• Update Immediately: Windows users relying on Quick Share should upgrade to version 1.0.2002.2.

• Security-First Development: Developers are urged to conduct thorough code reviews and ensure patch completeness.

• User Awareness: Individuals should stay informed about file transfer vulnerabilities that could lead to data leaks or unauthorized access.