Six vulnerabilities in AirDrop and Quick Share: remote crashes, but no data theft
Two researchers from the CISPA Helmholtz Center for Information Security published six vulnerabilities on June 30 in the proximity transfer protocols of Apple and Google: three in AirDrop and three in Quick Share from Google and Samsung. The most concrete outcome for users is a denial-of-service attack: from a laptop with Wi-Fi within range of the target, it is possible to crash AirDrop on a nearby iPhone or Mac. It is worth stating clearly that none of the six vulnerabilities allows file theft, arbitrary code execution, or a bypass of the security protections of the systems involved.
The work of Arash Ale Ebrahim and Nils Ole Tippenhauer, detailed in the paper Protocol Prying, is the first study to compare the two stacks above the radio layer. To do so, the researchers had to reconstruct, by reverse engineering proprietary binary code, AirDrop's seven-layer state machine and its adaptive DVZip compression, neither of which is documented.
What happens when sharingd crashes
The three AirDrop vulnerabilities (V1, V2, V3) affect the sharingd daemon on macOS and iOS. The interesting point is that this process does not only manage AirDrop: its crash also brings down AirPlay, Handoff, Universal Clipboard, Continuity Camera, and NameDrop all at once. A single malicious packet, therefore, can shut down a significant portion of the continuity functions between devices intrinsic to the Apple ecosystem.
The attacks require no pairing, no shared contacts, and no common network: just a laptop with Wi-Fi within 10-30 meters of the target. There is, however, a condition that limits their reach: they only work on devices whose AirDrop receiving setting is Everyone, because the initial phases of the protocol are answered before the user is asked to confirm anything.
In detail, V1 exploits a Swift fatalError call in the HTTP path router: a request for an unrecognized path crashes the whole process, and a request resent roughly every two seconds keeps the services out of service indefinitely. During the tests, no legitimate AirDrop transfer succeeded while the attack was ongoing.
V2 is a stack overflow in the XML parser for Foundation's property lists, triggered by a document with about 200 levels of nesting; it affects any Apple app that parses untrusted plist files on macOS, iOS, watchOS, tvOS, and visionOS.
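The standard mitigation for a bug like V2 is to bound nesting depth before any recursive processing of the document happens. The following is an added example, not code from the paper or from Apple's Foundation: a small XML plist reader in Python that first walks the element stream with a depth counter (no recursion, no tree needed for the check) and only then converts the tree recursively. The depth limit of 64, the element subset handled, and the sample documents are all assumptions constructed for the illustration; the 200-level input mirrors the nesting the article reports as the trigger.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

MAX_DEPTH = 64  # assumed limit; the reported crash needed about 200 nested levels


class PlistTooDeep(ValueError):
    """Raised when a document nests deeper than the configured limit."""


def check_depth(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Stream the XML and track nesting without recursion.

    Returns the deepest level seen, or raises PlistTooDeep as soon as the
    limit is exceeded, before any recursive code touches the document.
    """
    depth = deepest = 0
    for event, _elem in ET.iterparse(BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise PlistTooDeep(f"nesting depth {depth} exceeds limit {max_depth}")
            deepest = max(deepest, depth)
        else:
            depth -= 1
    return deepest


def plist_to_python(elem):
    """Recursive conversion of a plist element tree (safe only after check_depth)."""
    tag = elem.tag
    if tag == "plist":
        return plist_to_python(elem[0])
    if tag == "dict":
        kids = list(elem)  # alternating <key>name</key><value/> pairs
        return {kids[i].text: plist_to_python(kids[i + 1]) for i in range(0, len(kids), 2)}
    if tag == "array":
        return [plist_to_python(c) for c in elem]
    if tag == "string":
        return elem.text or ""
    if tag == "integer":
        return int(elem.text)
    if tag in ("true", "false"):
        return tag == "true"
    raise ValueError(f"unsupported plist element <{tag}>")


def parse_plist(data: bytes, max_depth: int = MAX_DEPTH):
    """Depth-checked entry point: bound the nesting first, then convert."""
    check_depth(data, max_depth)
    return plist_to_python(ET.fromstring(data))


def nested_plist(levels: int) -> bytes:
    """Constructed hostile input: `levels` nested <array> elements around one string."""
    body = "<array>" * levels + "<string>x</string>" + "</array>" * levels
    return f'<?xml version="1.0"?><plist version="1.0">{body}</plist>'.encode()


# Constructed benign sample, not a real AirDrop message.
SAMPLE = b"""<?xml version="1.0"?>
<plist version="1.0"><dict>
  <key>SenderName</key><string>Example Laptop</string>
  <key>Version</key><integer>2</integer>
  <key>Retry</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(parse_plist(SAMPLE))
    try:
        parse_plist(nested_plist(200))
    except PlistTooDeep as e:
        print("rejected:", e)
```

The check runs over the raw bytes with a flat loop, so a document that is too deep is rejected without ever entering the recursive converter; the same idea applies in any language, and in a C or Swift parser the counter would sit in the element-start callback.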
V3 is a null pointer dereference in the HTTP/1.1 parser of Network.framework. Crashes were reproduced on macOS 15.7.4 and 26.3 and on iOS 18.x and 26.3; an older iOS 16-based build was not affected.
Samsung and Windows: the other three bugs
On the Android front, the two issues affect Samsung's Quick Share. With V4, an unauthenticated device can manipulate the connection's state machine before the UKEY2 key exchange. With V5, tested on a Galaxy S23 Ultra, some frames are still processed when sent in plaintext after the encrypted session is already active: an attacker on the same Wi-Fi network can force the connection into the accepted state and make the server return IP addresses and ports the attacker controls. Again, no files are stolen.
The sixth bug, V6, affects Google's Quick Share for Windows: a heap use-after-free caused by a race condition between two concurrent connections on the same identifier. Google paid a bounty and merged a fix into the code, while the CVE is still awaiting public assignment; the researchers confirmed the crash but did not develop a working exploit. An interesting detail: the source contained a comment acknowledging an earlier bug at the same spot, "We had a bug here, caused by a race with EncryptionRunner", and the fix applied then reintroduced the same class of defect.
Different codebases, same root
The study goes beyond listing vulnerabilities and identifies a shared architectural pattern: critical security checks are not applied at a single centralized boundary but are scattered across individual protocol handlers. Two completely different codebases, the researchers argue, ended up with the same classes of weakness precisely because neither enforces its invariants at one point. Hence the three principles the paper proposes for future proximity protocols: enforce authentication and encryption once, at the framework boundary, rather than in individual handlers; minimize the privileged code reachable before authentication; and make fuzzing and state-machine testing part of normal development.
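To make the V5 finding and the paper's first two principles concrete, here is an added example, not code from the paper, from Google's Nearby Connections, or from Samsung: a toy connection state machine in Python with two dispatchers. In the distributed variant, every handler is responsible for its own checks and one of them (the connection response) never looks at whether the frame arrived encrypted, so a plaintext frame injected after the key exchange sets the session to accepted with attacker-chosen endpoints. In the centralized variant, the "encrypted only after key exchange" and "only handshake frames before key exchange" rules are applied once, before any handler runs. The frame kinds, the handshake steps, the endpoint values, and the small exhaustive check at the end are all constructed for the illustration; the key-exchange handlers stand in for UKEY2 and perform no real cryptography.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()          # nothing received yet
    KEY_EXCHANGE = auto()  # handshake in progress (stands in for UKEY2)
    ENCRYPTED = auto()     # session key established; all frames must be encrypted


@dataclass
class Frame:
    kind: str
    encrypted: bool  # True if the frame arrived inside the session's encrypted envelope
    body: dict = field(default_factory=dict)


@dataclass
class Session:
    state: State = State.IDLE
    accepted: bool = False
    peer_endpoints: list = field(default_factory=list)


# Frame kinds a peer may legitimately send before the key exchange completes.
PRE_AUTH_KINDS = {"ke_init", "ke_finish"}


def handle_ke_init(sess, frame):
    if sess.state is not State.IDLE:
        return "dropped: ke_init in state " + sess.state.name
    sess.state = State.KEY_EXCHANGE
    return "ok: key exchange started"


def handle_ke_finish(sess, frame):
    if sess.state is not State.KEY_EXCHANGE:
        return "dropped: ke_finish in state " + sess.state.name
    sess.state = State.ENCRYPTED
    return "ok: session key established"


def handle_connection_response(sess, frame):
    # The handler that "forgot": it never inspects frame.encrypted.
    sess.accepted = bool(frame.body.get("accepted", False))
    sess.peer_endpoints = list(frame.body.get("endpoints", []))
    return "ok: connection " + ("accepted" if sess.accepted else "rejected")


def handle_payload(sess, frame):
    # The handler that remembered: it enforces the invariant itself.
    if sess.state is State.ENCRYPTED and not frame.encrypted:
        return "dropped: plaintext payload after key exchange"
    return "ok: payload of %d bytes" % len(frame.body.get("data", b""))


HANDLERS = {
    "ke_init": handle_ke_init,
    "ke_finish": handle_ke_finish,
    "connection_response": handle_connection_response,
    "payload": handle_payload,
}


def dispatch_distributed(sess, frame):
    """Pattern the paper criticises: each handler polices its own security checks."""
    return HANDLERS[frame.kind](sess, frame)


def dispatch_centralized(sess, frame):
    """Pattern the paper recommends: invariants enforced once, before any handler runs."""
    if sess.state is State.ENCRYPTED and not frame.encrypted:
        return "dropped: plaintext frame after key exchange"
    if sess.state is not State.ENCRYPTED and frame.kind not in PRE_AUTH_KINDS:
        return "dropped: %s not allowed before key exchange" % frame.kind
    return HANDLERS[frame.kind](sess, frame)


def run(dispatch, frames):
    sess = Session()
    for f in frames:
        dispatch(sess, f)
    return sess


HANDSHAKE = [Frame("ke_init", encrypted=False), Frame("ke_finish", encrypted=False)]

# Constructed attacker frame modelled on the V5 description: a plaintext
# connection response, sent after the session is encrypted, carrying endpoints
# the attacker controls (documentation-range address, not a real host).
ATTACKER_RESPONSE = Frame("connection_response", encrypted=False,
                          body={"accepted": True, "endpoints": [("198.51.100.7", 4444)]})


def find_plaintext_leaks(dispatch):
    """State-machine check: after the handshake, send every frame kind in plaintext
    and return the kinds that reached a handler instead of being dropped."""
    leaks = []
    for kind in HANDLERS:
        sess = run(dispatch, HANDSHAKE)
        if not dispatch(sess, Frame(kind, encrypted=False)).startswith("dropped"):
            leaks.append(kind)
    return leaks


if __name__ == "__main__":
    for name, dispatch in (("distributed", dispatch_distributed),
                           ("centralized", dispatch_centralized)):
        sess = run(dispatch, HANDSHAKE + [ATTACKER_RESPONSE])
        print(name, "accepted=%s endpoints=%s leaks=%s"
              % (sess.accepted, sess.peer_endpoints, find_plaintext_leaks(dispatch)))
```

find_plaintext_leaks is the kind of mechanical state-machine test the paper's third principle asks for: rather than trusting that each handler checks the session state, it drives the dispatcher into the post-handshake state and confirms that no plaintext frame of any kind gets through. With the distributed dispatcher it reports connection_response; with the centralized one it reports nothing, and the same boundary also refuses non-handshake frames before the key exchange, which is the exposure V4 describes.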
On the remediation side, Apple informed the researchers that it has fixed one of the three vulnerabilities in a software update and assigned a CVE, although the advisory is not yet public; the other two remain in coordinated disclosure without public CVEs, while the two Samsung bugs are being investigated by Google. The fuzzer used for the research, called AirFuzz, along with the crash scripts and protocol notes, is publicly available on Zenodo.