New AirDrop security flaws let attackers crash Apple features


Nearby attackers can crash Apple’s AirDrop before users see a file transfer request, temporarily disabling AirPlay, Handoff, Universal Clipboard, and other Continuity features. They’re no threat, assuming you’re configured properly.

The findings, published on June 30, also identify security flaws in Google and Samsung Quick Share. The CISPA Helmholtz Center for Information Security conducted the research.

Researchers Arash Ale Ebrahim and Nils Ole Tippenhauer analyzed the network protocols behind AirDrop and Quick Share. Their research identified three vulnerabilities affecting Apple’s AirDrop implementation.

The team also found three additional vulnerabilities affecting Quick Share on Android and Windows. These attacks require an attacker to be within wireless range of a target device, typically between 10 and 30 meters, without prior pairing, an existing contact relationship, or a shared Wi-Fi network.

On Apple devices configured to receive AirDrop from “Everyone,” AirDrop begins handling some incoming network requests before displaying a transfer prompt. The disclosed vulnerabilities primarily disrupt service availability instead of exposing user data.

The researchers didn’t identify a way to steal files, bypass Apple’s security protections, or execute arbitrary code on affected devices. Instead, the vulnerabilities repeatedly crash the background service that powers AirDrop and several other Continuity features until the service restarts.

One crash can disable multiple Apple features

The Apple vulnerabilities affect a background service called sharingd, which powers AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera. A crash in sharingd can temporarily disable all of those features.

Small table summarizing six software vulnerabilities, listing ID, target component, vulnerability class, preconditions, and impact, including denial of service, remote code execution, information disclosure, and man-in-the-middle scenariosApple has fixed one reported AirDrop vulnerability and assigned it a CVE identifier

One vulnerability causes “sharingd” to immediately shut down when it receives an unexpected web request. An attacker can repeatedly trigger the crash by sending the malformed request every few seconds, according to the research.

Repeated malformed requests kept sharingd unavailable for as long as the attack continued. Legitimate AirDrop connections couldn’t be established until the attack stopped.

A second vulnerability affects Foundation, Apple’s core software framework.

The research found that deeply nested XML property list files could cause part of Foundation to run out of stack space. The bug could affect apps on macOS, iOS, watchOS, tvOS, and visionOS that parse untrusted XML property lists.

A third vulnerability uses malformed request headers to crash Apple’s system HTTP parser. The flaw also causes a denial-of-service crash.

Quick Share findings extend beyond denial of service

The Quick Share vulnerabilities came from how the protocol enforced authentication and encryption instead of parser crashes. Samsung’s implementation processed some protocol messages before authentication finished.

Samsung’s version continued accepting certain message types without encryption after the devices had already established an encrypted connection. The flaws allowed some protocol messages to bypass expected authentication or encryption checks.

The team also identified a memory management bug known as a use-after-free vulnerability in Google’s Quick Share client for Windows that stems from a race condition between competing connections. Testing showed the flaw could reliably crash the application.

The researchers didn’t develop an exploit capable of arbitrary code execution. Google later awarded a bug bounty for the finding.

Apple confirmed that it fixed one reported AirDrop vulnerability and assigned it a CVE identifier, though it hasn’t yet published the corresponding security advisory or disclosed the CVE number. The remaining Apple vulnerabilities are still under ongoing disclosure.

Google has fixed the Windows Quick Share use-after-free vulnerability, though a public CVE assignment is still pending. The Samsung-related protocol issues remain under investigation, according to the researchers.

Researchers found similar design challenges across both ecosystems

AirDrop and Quick Share share little underlying code, though the researchers found both platforms expose similar architectural challenges. Both platforms must process incoming network traffic before user interaction, creating a larger opportunity for attackers than many traditional network services.

Ale Ebrahim said the similarities didn’t result from shared implementations. Apple’s vulnerabilities mostly involved software crashing after receiving unexpected data.

Quick Share’s vulnerabilities centered on inconsistent enforcement of authentication checks and concurrency management. The researchers concluded that consistently enforcing security-critical validation at a single boundary can reduce vulnerabilities in complex network protocols.

Additional security advisories could follow as vendors complete their investigations.

How to stay safe

These attacks require an attacker to be nearby and a device configured to accept AirDrop requests from people who aren’t already contacts. Most Apple users aren’t exposed to that combination during normal day-to-day use.

Users who don’t need to receive files from strangers can further reduce exposure by leaving AirDrop set to “Contacts Only” or turning it off when it’s not in use.



Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


More than $18.4 Million Available to Expand HealthySteps, an Early Childhood Mental Health Initiative that Screened 108,000 New Yorkers for Maternal Depression in 2025

Office of Mental Health Awards $350,000 in ‘Collaborative Care’ Grants to Help OBGYN and Family Medicine Practices Provide Behavioral Health Support to Patients

New York State Announces Efforts to Bolster Maternal Mental Wellbeing

The New York State Office of Mental Health recently announced the availability of more than $18.4 million to expand HealthySteps, a successful early childhood mental health initiative that provides tens of thousands of critical depression screenings for new mothers annually. The agency also announced $350,000 in awards through the Collaborative Care program to help OBGYN and family medicine practices provide behavioral health support to their patients.

“It is critical that we focus on maternal mental health and develop the preventative services and supports for families in our state that address the long-standing inequities in care,” Office of Mental Health Commissioner Dr. Ann Sullivan said. “Initiatives like HealthySteps, Collaborative Care, Project TEACH and others are providing often life-saving screenings that are also connecting New Yorkers to both prenatal and postpartum supports. Under Governor Kathy Hochul’s leadership, we are increasing prevention services to improve outcomes and eliminating disparities in care.”

“I am grateful to Governor Hochul for her leadership in advancing maternal mental health initiatives in New York State that expand access to critical screenings and services,” Health Commissioner Dr. James McDonald said. “In recognition of Maternal Mental Health Awareness Week, we are reminded that every mother deserves compassion, support, and quality care. We remain committed to ensuring that all mothers feel supported, heard, and empowered.”

The state Office of Mental Health made available more than $18.4 million to continue expanding HealthySteps, an innovative program integrating behavioral health professionals with pediatric practices to provide early childhood mental and physical health care. The additional funding will provide 38 new awards to the 152 sites now funded, increasing statewide capacity of the program by about 25 percent once all are fully implemented.

HealthySteps pairs behavioral health specialists with pediatricians, who are often the first point-of-contact new caregivers have with the health care system. These specialists then serve as part of the primary care team during well visits, screening children and parents for a variety of concerns including behavioral health, developmental concerns and social determinants of health and family needs and then linking them to supports.

In 2025 alone, HealthySteps sites completed more than 108,000 screenings for perinatal depression, identifying cases and connecting parents to support when needed. Altogether, these sites conducted more than 500,000 screenings, helping to track food insecurity, housing instability, substance misuse, tobacco use, transportation, utility, and interpersonal safety.

In addition to the funding availability, OMH also awarded seven $50,000 one-time Collaborative Care grants to help OBGYN and family medicine practices implement evidence-based integrated healthcare for their patients and decrease racial disparities. Award recipients by region include:

Hudson Valley

New York City

  • Jamaica Hospital in Queens
  • Montefiore Medical Center in the Bronx
  • William F. Ryan Community Health Center, Inc., in Manhattan

Western New York

  • Jericho Road Ministries, Inc., in Buffalo
  • Neighborhood Health Center of WNY in Buffalo
  • Niagara Falls Memorial Medical Center in Niagara Falls

This funding will expand the psychiatric collaborative care model at these practices so they can increase perinatal depression and anxiety screenings and integrated treatment — a recommendation included in the state’s first-ever maternal mental health report. Directed by Governor Hochul and released by OMH in November, this report detailed the challenges pregnant and postpartum individuals are facing and made recommendations for improvements statewide.

Previously, Governor Hochul secured a $2.9 million increase to expand Project TEACH, an initiative that assists maternal health providers with screening and treatment of maternal depression and related mood and anxiety disorders during pregnancy and the postpartum period within their scope of practice. Adopted as part of the FY 2026 State Budget, the expansion has allowed a wider range of front-line practitioners – including doulas, midwives, therapists, WIC staff, home visiting nurses, lactation consultants, caseworkers and others working directly with the perinatal population – to obtain professional training and support in assessment for consultations with a reproductive psychiatrist or psychologist, and accessing resources.

Every year, an estimated 500,000 – about one in five – mothers in the United States experience perinatal mood and anxiety disorders during pregnancy or in the first year postpartum. About 75 percent of these individuals are not diagnosed or treated, which can lead to high-risk pregnancies, poor childhood cognitive development due to substance use, self-harm, or suicide.

View the original source here.



Source link