Cybersecurity researchers have uncovered a new vulnerability in Google’s Quick Share data transfer tool for Windows, potentially allowing attackers to crash the application or send files to a user’s device without their consent.
The vulnerability, tracked as CVE-2024-10668 with a CVSS score of 5.9, is a partial bypass of two previously disclosed flaws first identified by SafeBreach Labs in their August 2024 report titled QuickShell. According to the researchers, Google has patched the issue in Quick Share for Windows version 1.0.2002.2.
From Bypass to Exploitation: Revisiting Old Bugs
The original disclosure by SafeBreach highlighted 10 security issues, collectively tracked as CVE-2024-38271 (CVSS 5.9) and CVE-2024-38272 (CVSS 7.1), which could be chained together to enable arbitrary code execution on Windows devices. Although Google issued a patch following responsible disclosure, researchers later discovered that two of the vulnerabilities remained improperly fixed.
According to the new analysis, an attacker can trigger a denial-of-service (DoS) condition by sending a file with a malformed UTF-8 filename. Unlike the original exploit, which used a NULL byte (\x00), this new attack uses a filename starting with an invalid UTF-8 continuation byte like \xc5\xff to crash the app.
Bypassing File Transfer Approval
More alarmingly, the second flaw allows unauthorized file transfers to proceed without user approval. The original mitigation marked unknown files for deletion after a session ended. However, researchers found a way to circumvent this by sending two files with the same payload ID during a single session. This caused the app to delete only one file, leaving the second undeleted—and fully accessible—in the Downloads folder.
The follow-up research showed that these flaws could still be abused in subtle ways, suggesting the original patch didn’t fully resolve the root causes, explained Or Yair, the lead researcher at SafeBreach Labs. He emphasized the broader implications for software vendors, by adding that even when code is complex, it’s crucial to fix the underlying vulnerability, not just its symptoms.
Quick Share: A Cross-Platform Tool with Security Challenges
Quick Share (formerly Nearby Share) is Google’s answer to Apple’s AirDrop—a peer-to-peer file-sharing utility that enables quick file transfers between Android devices, Chromebooks, and Windows PCs in close physical proximity. Its cross-platform capability is widely used, making any vulnerability in the tool a potential vector for abuse.
While the patched version addresses the bypass identified as CVE-2024-10668, researchers warn that this case underscores the importance of rigorous follow-up testing after patches are issued.
Final Thoughts
This discovery serves as a reminder that even post-patch, vulnerabilities can resurface if the root cause isn’t properly addressed. It also reinforces the need for transparent communication and thorough security assessments in high-use utilities like Quick Share.
For a full technical breakdown, refer to the official report by SafeBreach Labs.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: