As many as 10 security flaws have been found in Google’s Quick Share data transfer utility for Android and Windows, which could be exploited to trigger remote code execution (RCE) on systems with the software installed.
The vulnerabilities were discovered by SafeBreach Labs researchers Or Yair and Shmuel Cohen, who stated that the flaws could be combined to create an RCE attack chain, codenamed QuickShell.
The flaws have been patched in Quick Share version 1.0.1724.0 and later. Google is tracking the issues collectively under two identifiers, CVE-2024-38271 and CVE-2024-38272.
Quick Share, formerly known as Nearby Share, is a file-sharing utility that enables users to transfer files between Android devices, Chromebooks, and Windows devices in close proximity.
The identified vulnerabilities could allow an attacker to write files remotely, crash the Windows app, redirect traffic to a malicious Wi-Fi network, and traverse paths to access user folders.
Researchers demonstrated how forcing a target device to connect to a different Wi-Fi network and creating files in the Downloads folder could lead to remote code execution.
The research, presented at DEF CON 32, highlights the security risks posed by chaining multiple vulnerabilities together and the importance of addressing seemingly low-risk issues.