Google Quickshare: Security vulnerability allows unsolicited sending of files

Google's Quickshare, also known as Nearby Share, can allow attackers to send unsolicited data to Windows computers.

Stylized image: Laptop and smartphone, both have caught fire

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Google warns of two security vulnerabilities in Quickshare/Nearby Share. Both the Android and Windows versions of the software are affected. The first allows attackers to send data without a confirmation prompt, while the second allows malicious actors to get into a man-in-the-middle position. Updated software is available, but the update cannot be forced.

A vulnerability in Quickshare/Nearby Share allows attackers to bypass the file acceptance dialog in Quickshare for Windows. Normally, a file cannot be sent without user confirmation when the visibility is set to "Receive from all" or "Receive from contacts" mode (CVE-2024-38272, CVSS 7.1, risk "high"), Google writes in the corresponding CVE entry.

Among other things, Quickshare attempts to set up a temporary Wi-Fi hotspot for fast data transfer. A vulnerability allows malicious actors to make victims' devices stay connected to the temporary hotspot. "As part of the packet sequence of a Quickshare connection via Bluetooth, attackers force victims to connect to the attacker's Wi-Fi network. They then send an offline frame that causes Quickshare to crash," Google's developers explain the attack in the security warning. Because of the crash, the device keeps the connection to the attackers' Wi-Fi network instead of returning to the previous network. Attackers can thus put themselves in a man-in-the-middle position and sniff the network traffic (CVE-2024-38271, CVSS 5.9, medium).

In the CVE entries, Google states that version 1.0.1724.0 of Quickshare closes the vulnerabilities. The version also appears in Google's list of changes for the individual releases. An online installer can be downloaded from the Quickshare download page. This replaces the currently installed version on Windows; in our test, however, it remained at the vulnerable version 1.0.1637.0. An update to the new version with the security fixes apparently cannot be forced.

Until the update is automatically installed on computers and smartphones, Quickshare users should therefore exercise caution and at least check after file transfers whether they are still in the intended Wi-Fi network. In addition, it can't hurt to check the download folder for unexpected files. These should be deleted immediately, as they could contain malware if the attack was successful. Changing the permitted senders to "Nobody" when Quickshare is not in use also helps to prevent attacks, as according to Google only the "All" or "Contacts" options expose the vulnerability.
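The three checks above (installed version, unexpected downloads, current Wi-Fi network) can be run on a Windows host as follows. This is an added example, not code from Google or from the original article. It assumes that Quickshare registers an uninstall entry whose DisplayName contains "Quick Share" or "Nearby Share" and that received files land in the user's default Downloads folder; the 24-hour window is a constructed value.

```powershell
# Added example: audit one Windows host for the Quickshare issues described above.
# Assumptions (not from the article): the app registers an uninstall entry whose
# DisplayName contains "Quick Share" or "Nearby Share", and received files are
# stored in the user's default Downloads folder.
$FixedVersion  = [version]'1.0.1724.0'   # fixed release named in the CVE entries
$LookbackHours = 24                      # constructed review window

function Test-QuickshareFixed {
    param([string]$Installed, [version]$Fixed = $FixedVersion)
    $parsed = $null
    # An empty or unparseable version string is treated as not fixed (fail closed).
    if (-not [version]::TryParse($Installed, [ref]$parsed)) { return $false }
    return $parsed -ge $Fixed
}

# 1. Installed version, read from the per-machine and per-user uninstall keys.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Quick ?Share|Nearby Share' }
if (-not $apps) { Write-Output 'Quickshare: no uninstall entry found' }
foreach ($app in $apps) {
    $state = if (Test-QuickshareFixed $app.DisplayVersion) { 'fixed' } else { 'VULNERABLE' }
    Write-Output ("{0} {1}: {2}" -f $app.DisplayName, $app.DisplayVersion, $state)
}

# 2. Files that appeared in the Downloads folder within the review window.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$since = (Get-Date).AddHours(-$LookbackHours)
Get-ChildItem -Path $downloads -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Sort-Object CreationTime |
    Select-Object CreationTime, Length, Name

# 3. Wi-Fi network the host is joined to right now; compare it with the expected
#    SSID. The "State" label is the English netsh wording; the pattern skips BSSID.
netsh wlan show interfaces | Select-String -Pattern '^\s*(SSID|State)\s*:'
```

A host that still reports 1.0.1637.0, the version seen in the test described above, is flagged as VULNERABLE; any file listed in step 2 that the user did not knowingly accept deserves a closer look before it is opened.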

Google's Quickshare, which was initially called Nearby Share, left the beta phase for the Windows app in July last year and is a variant of what Apple offers with Airdrop: a simple and high-performance way to share data between devices such as smartphones and computers.

(dmk)