Researchers at CISPA Helmholtz Center for Information Security have disclosed six vulnerabilities spanning Apple AirDrop and Android Quick Share — a combined attack surface covering more than five billion active devices across every major consumer device ecosystem.
Pre-Authentication Wireless Bugs That Require No User Interaction
The six vulnerabilities expose the file-sharing protocols built into Apple’s macOS and iOS devices alongside Samsung and Google’s Quick Share implementations for Android and Windows. Three flaws target Apple AirDrop, two affect Samsung Quick Share, and one is a heap use-after-free in Google Quick Share for Windows.
The attacker needs to be within Wi-Fi range of the target, 10 to 30 meters. Exploitation requires no pairing between attacker and victim, no shared network, no contact exchange, and no user approval. Apple devices with AirDrop configured to “Everyone” will respond to incoming connection attempts before any prompt appears on the user’s screen — giving an attacker within physical range a window to trigger any of the three AirDrop vulnerabilities without the target taking any action.
Three AirDrop Bugs That Crash the Entire File Sharing Subsystem
The three pre-authentication vulnerabilities in Apple AirDrop target distinct components of the macOS and iOS implementation. The first is a Swift fatalError condition in AirDrop’s HTTP path router, which crashes the process when the router receives unexpected input. The second is unbounded XML plist recursion in Foundation — a crafted plist document triggers a recursive parsing loop that exhausts system resources until the subsystem fails. The third is a NULL dereference in Network.framework’s HTTP/1.1 parser.
A critical design consequence follows from these three bugs: a crash in any one AirDrop subsystem takes down AirDrop entirely. An attacker within Wi-Fi range can send pre-authentication packets that repeatedly crash the feature, denying AirDrop access on nearby Apple devices without establishing a connection or presenting any credentials. Any device set to “Everyone” visibility is reachable before the operating system can prompt the user to accept or reject the transfer.
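The unbounded XML plist recursion described above is an instance of a general parsing hazard, and the usual defense is to enforce a nesting budget before the document reaches the real parser. The following is an added example, not code from CISPA or Apple and not Apple's fix: the depth limit, function names and sample documents are assumptions constructed for illustration, and the article does not say which plist elements drive the recursion.

```python
import plistlib
from xml.parsers import expat

MAX_DEPTH = 32  # assumed nesting budget; tune to what legitimate peers send


class PlistTooDeep(ValueError):
    """Raised when an XML plist nests deeper than the allowed budget."""


def check_depth(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Stream the XML once, without recursion, and return its deepest nesting.

    Aborts with PlistTooDeep at the first element past the budget, so a
    hostile document is rejected before any tree is built from it.
    """
    depth = 0
    deepest = 0

    def start(_name, _attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise PlistTooDeep(f"nesting depth exceeds {max_depth}")

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # malformed XML raises expat.ExpatError
    return deepest


def load_plist_bounded(data: bytes, max_depth: int = MAX_DEPTH):
    """Parse an untrusted XML plist only after it passes the depth check."""
    check_depth(data, max_depth)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


# Constructed sample inputs (not taken from the research).
BENIGN = plistlib.dumps({"items": [{"name": "a.txt"}]}, fmt=plistlib.FMT_XML)
NESTED = b"<plist>" + b"<array>" * 200 + b"</array>" * 200 + b"</plist>"
```

Because the check keeps a counter instead of recursing, its own stack use stays constant however deeply the input nests.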
Samsung Quick Share OfflineFrame Flaw and D2D Encryption Bypass
Two protocol-layer vulnerabilities affect Samsung Quick Share. The first is a pre-authentication vulnerability in how the implementation dispatches OfflineFrame protocol messages — incoming frames can trigger unintended behavior before any authentication step completes. The second is a D2D encryption bypass covering three specific frame types, potentially exposing the content of those frames to a nearby attacker despite the encryption layer designed to protect them.
The Google Quick Share for Windows vulnerability is a heap use-after-free condition. Unlike the AirDrop and Samsung bugs, this one was reported through Google’s vulnerability reward program, received a bounty payment, and has a code fix that has since landed in the codebase.
Partial Fixes Across Apple, Google, and Samsung Leave Gap in Coverage
Remediation is incomplete across all three vendors as of the time of CISPA’s public disclosure. Apple has fixed one of the three AirDrop vulnerabilities and assigned it a CVE number; the other two AirDrop flaws remain unpatched in the public release. Google Quick Share for Windows has a code fix in place. Samsung Quick Share’s patch status was not confirmed at the time of disclosure, leaving both the OfflineFrame dispatch flaw and the D2D encryption bypass without a publicly confirmed fix.
The combined exposure across these platforms is unusually broad. AirDrop ships as a default feature on every iPhone and Mac sold worldwide. Quick Share is the file-transfer default across the Android ecosystem and on Windows devices from Samsung and Google. A five-billion-device attack surface — spanning mobile, laptop, and desktop hardware from multiple vendors — means that, for these bugs, physical presence in a public place is a sufficient staging ground for an attack.
CISPA’s research also documented that internet-connected Apple devices in “Everyone” mode are reachable before the user can intervene, adding a passive-exposure dimension to the proximity risk. Apple, Samsung, and Google had not issued coordinated public advisories at the time of the CISPA disclosure announcement.
