SecTor 2025 | Sharing Is Caring About an RCE Attack Chain on Quick Share

At SecTor 2025, SafeReach researchers Orya and Cohen unveiled a sophisticated remote‑code‑execution (RCE) attack chain targeting Google’s Quick Share, now available on Windows. The talk detailed how the team reverse‑engineered the Nearby Connections protocol, built a custom "QuickSniff" logger, and leveraged both fuzzing and manual analysis to expose critical flaws in the newly released Windows client.

The investigators identified eight vulnerabilities, the most impactful being a file‑acceptance bypass that writes arbitrary files to the victim’s Downloads folder without any user interaction, and a Wi‑Fi hotspot‑upgrade flaw that forces the Windows client to connect to a rogue access point, granting the attacker a short window to sniff internet traffic. Although initial fuzzing only produced crashes, a shift to logical code review uncovered these exploitable bugs, demonstrating the limits of automated testing for complex, multi‑threaded applications.

Live demos showed a file appearing instantly on an Android device despite strict visibility settings, and a Windows machine automatically joining the attacker‑controlled Wi‑Fi network, exposing its traffic for up to thirty seconds. The researchers also released the "quick‑sniff" and exploit scripts on GitHub, emphasizing the ease with which the chain can be assembled from the discovered primitives.

The findings underscore the heightened risk of cross‑platform apps that reuse mobile‑centric APIs on desktop environments. Google must patch the acceptance bypass and Wi‑Fi upgrade logic, while enterprises should monitor Quick Share traffic and enforce strict network segmentation. The work serves as a cautionary tale that open‑source components and rapid feature rollouts can inadvertently expand the attack surface.