In a nutshell: Three AirDrop flaws and three Quick Share flaws let attackers on the same network, or within a range of 10–30 meters, disrupt Apple background services or bypass security checks in Samsung and Google Quick Share.
CISPA researchers have identified six critical vulnerabilities in the file-sharing protocols AirDrop and Quick Share. Attackers within radio range can use them to disable services or circumvent security checks.
Arash Ale Ebrahim and Nils Ole Tippenhauer from CISPA Helmholtz Centre for Information Security have disclosed six security vulnerabilities in AirDrop (Apple) and Quick Share (Google/Samsung). An attacker within radio range of approximately 10 to 30 meters or on the same local network can exploit these flaws without requiring prior device pairing or user confirmation. The affected services are installed on more than five billion active Apple and Android devices.
In AirDrop, all three discovered vulnerabilities lead to crashes of the background service sharingd on iOS and macOS. Since sharingd is also responsible for AirPlay, Handoff, the universal clipboard, Continuity Camera, and NameDrop, a single flaw disables multiple functions simultaneously. The simplest attack requires repeatedly sending manipulated requests every two seconds to devices with publicly visible AirDrop; this blocks legitimate transfers. Another vulnerability is based on a stack overflow in the XML property list parser of the Foundation Framework, triggered by roughly 200 nested levels in a file. Apple patched one of the three AirDrop vulnerabilities with updates released on June 29 for iOS and macOS 26.5.2; two others remain under coordinated disclosure.
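As an added illustration (not code from the researchers, Apple, or the original article): a receiver can bound container nesting with a streaming, non-recursive pass before a recursive property list parser ever sees the file. `MAX_DEPTH`, the function names and the sample input are assumptions made for this example.

```python
import xml.parsers.expat

MAX_DEPTH = 64                 # assumed policy limit, far below the ~200 levels cited above
CONTAINERS = {"array", "dict"}  # the plist elements that can nest


class PlistTooDeep(ValueError):
    pass


def max_container_depth(xml_bytes: bytes, limit: int = MAX_DEPTH) -> int:
    """Stream the document with expat (no recursion on our side) and return
    the deepest array/dict nesting; raise PlistTooDeep once `limit` is passed."""
    depth = 0
    deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        if name in CONTAINERS:
            depth += 1
            deepest = max(deepest, depth)
            if depth > limit:
                raise PlistTooDeep(f"nesting depth {depth} exceeds limit {limit}")

    def end(name):
        nonlocal depth
        if name in CONTAINERS:
            depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)  # True = final chunk; malformed XML raises ExpatError
    return deepest


def safe_to_parse(xml_bytes: bytes, limit: int = MAX_DEPTH) -> bool:
    """Gate to call before handing untrusted bytes to a recursive plist parser."""
    try:
        max_container_depth(xml_bytes, limit)
        return True
    except (PlistTooDeep, xml.parsers.expat.ExpatError):
        return False


def nested_sample(levels: int) -> bytes:
    """Constructed test input: `levels` nested <array> elements in a plist root."""
    return (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">'
            + b"<array>" * levels + b"</array>" * levels + b"</plist>")
```

Files that fail the gate are rejected without being parsed, so the depth the recursive parser can reach is capped by policy rather than by stack size.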
In Quick Share on Samsung devices, two implementation flaws allow bypassing the mandatory handshake. An unverified device can control the connection before encryption is established; furthermore, control messages can be transmitted unencrypted to force a connection into the “Accepted” status. Testing was conducted on the Galaxy S23 Ultra.
The most critical vulnerability affects Google’s Quick Share for Windows: a use-after-free memory flaw that occurs when connections collide. The source code already contained a developer comment about the original race condition bug with EncryptionRunner; the fix for that bug led to the new vulnerability. Google closed this flaw with a code fix and paid a bounty; CVE assignment is still pending. The Samsung flaws are still under investigation. To date, there are no reports of active exploitation.
As temporary protective measures, the researchers recommend restricting the visibility of AirDrop and Quick Share to contacts only, or disabling them completely if file sharing is not required.
Source: www.it-daily.net · Published July 4, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.3.