Google Quick Share vulnerability makes file sharing even easier - for everyone, including attackers!
Security vulnerability allows files to be sent without permission. Update available.
A security vulnerability in Google's Quick Share, also known as Nearby Share, can allow attackers to send data to Windows computers without permission.
Google's letting us know about not one, but two delightful security vulnerabilities. Both Android and Windows versions are affected. The first issue lets anyone send files to your computer without permission. The second lets malicious actors sneak into the middle of your connections. But there's an update available!
A vulnerability in Quick Share/Nearby Share allows attackers to bypass the file acceptance dialog in Quick Share for Windows. Normally, it is not possible to send a file without user confirmation if the visibility is set to the "Receive from all" or "Receive from contacts" modes (CVE-2024-38272, CVSS 7.1, risk high), Google writes in the associated CVE entry.
Two security vulnerabilities endanger Quick Share/Nearby Share
Quick Share tries, among other things, to set up a temporary Wi-Fi hotspot for fast data transfer. A vulnerability allows malicious actors to provoke victims into remaining connected to the temporary hotspot. Read more in the accortding security warning. Attackers can thus put themselves in a man-in-the-middle position and explore network traffic (CVE-2024-38271, CVSS 5.9, medium).
Google states that version 1.0.1724.0 of Quick Share closes the security gaps. This version also appears in the list of changes in the individual versions from Google. An online installer can be downloaded from the download page for Quick Share. It is apparently not possible to force an update to the new version with the security fixes.
Until the update has been automatically installed on the computer and smartphones, Quick Share users should therefore exercise caution and at least check after file transfers whether they are still in the intended WLAN. It also doesn't hurt to take a look in the set download folder to see if there are any unexpected files there - these should be deleted without looking, as they could contain malware if the attack is successful. In addition, changing the allowed senders to "Nobody" when not in use helps prevent attacks, since according to Google only the options "Everyone" or "Contacts" open the loophole.
Google's Quick Share, which was initially called Nearby Share, left the beta phase for the Windows app in July last year and is a variant of what Apple offers with Airdrop: a simple and high-performance way to exchange data between devices such as smartphones and computers.