
Google Quick Share Bugs Allow Silent RCE Attacks


A recently patched remote code execution (RCE) vulnerability chain in Google's Quick Share tool had to be re-secured after researchers discovered that attackers could still bypass the original fixes with minimal effort. The flaw allowed malicious actors to silently push malware to nearby devices, highlighting how seemingly minor bugs can escalate into serious security threats when combined.

Speaking at Black Hat Asia in Singapore, Or Yair, security research team lead at SafeBreach, revealed that two previously disclosed vulnerabilities in Quick Share, CVE-2024-38272 and CVE-2024-38271, were not fully resolved. Along with senior researcher Shmuel Cohen, Yair had initially uncovered 10 vulnerabilities in Quick Share last year at DEF CON. Although Google promptly released patches at the time, the researchers have now demonstrated that at least two of the issues could still be exploited.

“We only spent a few days testing and managed to bypass the fixes,” said Yair. He warned that with more time, attackers could likely uncover new ways to recreate the exploit flow.

Quick Share, Google’s alternative to Apple’s AirDrop, allows peer-to-peer file transfers across Android, Windows, and Chrome OS devices using technologies like Wi-Fi Direct, Bluetooth, WebRTC, and NFC. The service includes basic protections, such as limiting who can send files and requiring user approval for each transfer. But researchers found a way around both safeguards in what they called the “QuickShell” exploit chain.

Using a custom-built tool named QuickSniffer, SafeBreach's team reverse-engineered Quick Share's communication protocol, which relies on the Nearby Connections API. This API facilitates encrypted file sharing between devices designated as the Initiator and the Responder. But the researchers discovered that they could skip the introductory handshake and directly send a payload packet, bypassing the need for user acceptance entirely.

Even worse, this method worked across all privacy settings, including when devices were set to accept files only from trusted contacts. The core vulnerability, CVE-2024-38272, received a CVSS score of 7.1 due to its ability to deliver malware silently to a user's device. The second bug, CVE-2024-38271 (CVSS 5.9), exploited Quick Share's Bandwidth Upgrade Negotiation process, enabling attackers to force a device onto a rogue Wi-Fi network. This gave them a brief window, about 30 seconds, to snoop on a user's internet activity using a man-in-the-middle (MitM) attack.
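The bug class described above, a responder that processes a payload frame without first requiring the introduction handshake and the user's consent, can be modelled with a small receive-side state machine. The example below is an added illustration written for this article, not code from Quick Share, the Nearby Connections API, or SafeBreach; the frame names, the `Responder` class and the `enforce_state` switch are all constructed for the demonstration and say nothing about the real wire format. It shows the flawed path (payload stored regardless of session state or visibility setting) next to the hardened path, which only stores a payload once a visible sender has been introduced and the user has accepted.

```python
"""Constructed toy model of a peer-to-peer file-share responder.

Not Quick Share's or the Nearby Connections API's real protocol: the frame
kinds, identities and state names here are invented for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Set


class State(Enum):
    IDLE = auto()        # no session yet
    INTRODUCED = auto()  # sender identified, waiting for the user's decision
    ACCEPTED = auto()    # user approved this transfer
    CLOSED = auto()      # session torn down (rejected or dropped)


@dataclass
class Frame:
    kind: str            # "INTRO" or "PAYLOAD" (constructed frame kinds)
    sender: str          # hypothetical sender identity
    data: bytes = b""


@dataclass
class Responder:
    visibility: str                               # "everyone" or "contacts"
    contacts: Set[str] = field(default_factory=set)
    enforce_state: bool = True                    # False reproduces the flaw
    state: State = State.IDLE
    sender: Optional[str] = None
    received: List[bytes] = field(default_factory=list)

    def _sender_visible(self, sender: str) -> bool:
        # The privacy setting is only meaningful if it is checked on every path.
        return self.visibility == "everyone" or sender in self.contacts

    def user_accepts(self) -> None:
        # Local user action: only valid once an introduction has been shown.
        if self.state is State.INTRODUCED:
            self.state = State.ACCEPTED

    def handle(self, frame: Frame) -> str:
        if frame.kind == "INTRO":
            if not self._sender_visible(frame.sender):
                self.state = State.CLOSED
                return "rejected: sender not visible"
            self.sender = frame.sender
            self.state = State.INTRODUCED
            return "prompt user"
        if frame.kind == "PAYLOAD":
            if self.enforce_state:
                # Hardened path: a payload is only stored after the user
                # accepted a transfer from the sender who was introduced.
                if self.state is not State.ACCEPTED or frame.sender != self.sender:
                    self.state = State.CLOSED
                    return "dropped: payload before acceptance"
            # Flawed path (enforce_state=False): payload stored unconditionally,
            # so neither the handshake nor the visibility setting is consulted.
            self.received.append(frame.data)
            return "stored"
        return "ignored: unknown frame"


def unsolicited_payload(enforce_state: bool) -> bool:
    """Send a PAYLOAD with no INTRO from a sender who is not a contact while the
    device is set to contacts-only. Returns True if the responder stored it."""
    r = Responder(visibility="contacts", contacts={"alice"}, enforce_state=enforce_state)
    r.handle(Frame("PAYLOAD", sender="stranger", data=b"constructed sample bytes"))
    return bool(r.received)


def consented_transfer() -> bool:
    """The hardened responder still accepts the legitimate flow."""
    r = Responder(visibility="contacts", contacts={"alice"})
    r.handle(Frame("INTRO", sender="alice"))
    r.user_accepts()
    r.handle(Frame("PAYLOAD", sender="alice", data=b"hello"))
    return r.received == [b"hello"]


if __name__ == "__main__":
    print("flawed responder stored unsolicited payload:", unsolicited_payload(False))
    print("hardened responder stored unsolicited payload:", unsolicited_payload(True))
    print("hardened responder completes consented transfer:", consented_transfer())
```

The point of the model is that the visibility check and the user prompt live on the INTRO path only; if the PAYLOAD path does not re-check the session state, both protections are bypassed at once, which matches the article's observation that the bypass worked under every privacy setting. The hardened handler makes the state machine the single gate: any frame that arrives out of order closes the session rather than being processed.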

Individually, these bugs may not seem catastrophic. But when chained together with other lesser-known flaws, they formed a reliable and dangerous RCE attack that required no user interaction.

The full attack process was as complex as it was clever. It started by forcing a Windows computer with Quick Share enabled to connect to a malicious Wi-Fi hotspot. The attacker then used a denial-of-service (DoS) flaw to crash the app, establishing a persistent connection. Next, they monitored the victim’s downloads and silently replaced a legitimate executable file with a trojanized version using CVE-2024-38272. Once the file was run, attackers gained remote code execution access to the system.

To make this overwriting process work, the researchers leveraged another overlooked bug. It caused Quick Share to enter a loop where it constantly opened and closed files in the Downloads folder—tricking Chrome into accepting the replaced file as legitimate. As Yair put it, “The real power of this attack came from chaining small flaws into a much larger exploit.”

The demonstration served as a warning to the broader security community: dismissing “minor” bugs can be dangerous. These lower-severity issues are often ignored in patching cycles, but when combined, they can become critical.

“You never know what a small security hole can help an attacker achieve,” said Yair. “Security teams often focus only on high-severity vulnerabilities, but we believe it’s essential to look at the bigger picture. A simple logic flaw or a low-risk bug can be the key to unlocking a major exploit when paired with others.”

Although Google has now re-patched the affected vulnerabilities, the findings show how persistent and creative attackers can be—especially when basic safeguards are left unchecked. As this case proves, sometimes it’s the quiet flaws that make the loudest impact.
