Apple built AirDrop to make nearby sharing feel invisible; researchers found that same invisibility can let a nearby attacker crash parts of Apple’s cross-device stack before a user ever approves anything.
Three AirDrop vulnerabilities affecting iPhone and Mac have been disclosed, with Apple fixing one and still working on the other two, according to 9to5Mac. The reported impact is not data theft. It is denial of service: AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera can be knocked offline and kept unavailable while the attack continues.
That distinction matters. This is not being described as a remote takeover. But it does expose a harder truth about proximity features: when one background service handles several “it just works” experiences, one crash can ripple across the whole convenience layer.
AirDrop’s Convenience Layer Becomes a Shared Failure Point
The expected model is simple: nearby Apple devices discover each other, negotiate a transfer, and wait for the user to accept. The reality described by researchers is messier. On Apple devices set to receive from “Everyone,” early protocol phases respond before any user prompt appears.
Help Net Security reports that a proximity attacker needs only a laptop with Wi-Fi and a position within range, often 10 to 30 meters. No pairing is required. No contact exchange. No shared network.
The affected Apple component is sharingd, the macOS and iOS daemon tied not just to AirDrop, but also to other continuity features. That design is efficient. It also concentrates risk.
A single crash in that daemon can disrupt:
- AirDrop: nearby file sharing
- AirPlay: media streaming
- Handoff: app continuity between devices
- Universal Clipboard: shared copy-paste across Apple hardware
- Continuity Camera: using nearby Apple devices as camera inputs
MLXIO analysis: the meaningful issue is blast radius. Apple’s integration makes cross-device workflows feel tightly stitched together, as we’ve also seen in broader Apple platform coverage such as “iOS 27 Indexing Stuck? Your Mac Reveals the Truth.” But when shared plumbing fails, the failure is not neatly contained to one user-facing feature.
The Three AirDrop Bugs All End in Crashes
Researchers at the CISPA Helmholtz Center for Information Security examined AirDrop and Quick Share and found six vulnerabilities across macOS, iOS, Android, and Windows, according to Help Net Security. Three were in AirDrop.
The simplest AirDrop flaw comes from a Swift fatalError call in code that routes incoming web requests by path. A request to an unrecognized path reaches that call and aborts the process. Sent repeatedly every couple of seconds, it can keep the service down.
The second sits in Foundation, Apple’s base framework. An XML property list parser recurses without a depth limit, and a document with about 200 nested elements can exhaust the thread stack. Help Net Security says the reach extends to any Apple app that decodes untrusted XML property lists across macOS, iOS, watchOS, tvOS, and visionOS.
The third is a null pointer dereference in the system HTTP parser, reachable through malformed length and chunk headers.
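All three crash classes have the same defensive answer: a pre-approval handler should turn bad input into an error response instead of aborting. The Python sketch below is an added illustration, not Apple's code or the researchers' tooling; the route path, the depth and size limits, and the function names are assumptions.

```python
import plistlib
import xml.parsers.expat

MAX_DEPTH = 64                # assumed cap, well under the ~200 levels cited above
MAX_BODY = 1 << 20            # assumed 1 MiB body limit
ROUTES = {"/example/offer"}   # hypothetical path, not a real AirDrop endpoint

def plist_depth_ok(data, limit=MAX_DEPTH):
    """Stream the XML with expat (no recursion) and stop past `limit` levels."""
    depth = 0
    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > limit:
            raise ValueError("nesting too deep")
    def end(name):
        nonlocal depth
        depth -= 1
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    try:
        parser.Parse(data, True)
    except (ValueError, xml.parsers.expat.ExpatError):
        return False
    return True

def body_length(headers):
    """Validated Content-Length, or None. Header names are assumed lowercased."""
    if "transfer-encoding" in headers:
        return None           # this sketch refuses chunked framing outright
    raw = headers.get("content-length", "")
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 10:
        return None           # missing, signed, non-numeric or absurdly long
    return int(raw) if int(raw) <= MAX_BODY else None

def handle(path, headers, body):
    """Return an HTTP status code; never abort on untrusted input."""
    if path not in ROUTES:
        return 404            # unknown path gets an error response, not an abort
    if body_length(headers) != len(body) or not plist_depth_ok(body):
        return 400            # bad framing or deep nesting stops before decoding
    try:
        plistlib.loads(body, fmt=plistlib.FMT_XML)
    except Exception:         # any decode failure becomes a 400
        return 400
    return 200

if __name__ == "__main__":
    sample = plistlib.dumps({"files": ["a.txt"]})  # constructed sample body
    print(handle("/example/offer", {"content-length": str(len(sample))}, sample))
```

The depth check runs as a streaming pass, so its cost is bounded by the body size limit and it never builds the nested structure it is rejecting.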
The practical before-and-after is stark:
- Before: AirDrop-style features appear to wait for trust or user action.
- After: early protocol handling can still process attacker-controlled inputs.
- Before: one feature looks like one feature.
- After: a crash in shared infrastructure can take multiple Apple services down together.
- Before: proximity limits the attacker.
- After: proximity still matters, but dense wireless environments create more potential targets within range.
During one test, legitimate connection attempts failed under attack and succeeded again once the attack stopped. That is the availability story in one sentence.
Quick Share Shows This Is Not Just an Apple Problem
The same research found related weaknesses in Android’s Quick Share, including protocol-layer flaws in Samsung’s implementation and a heap use-after-free in Google’s Quick Share for Windows. The authors’ arXiv paper describes the work as the first cross-platform reverse engineering and protocol-aware fuzzing study of both stacks, covering protocols used by more than five billion devices.
| System | Reported findings | Main issue described |
|---|---|---|
| Apple AirDrop | 3 vulnerabilities | Pre-authentication crashes affecting shared Apple services |
| Samsung Quick Share | 2 vulnerabilities | Protocol-layer authentication and encryption bypass issues |
| Google Quick Share for Windows | 1 vulnerability | Heap use-after-free; Google awarded a bounty |
The shared theme is not shared code. It is shared design pressure.
“I don’t think the overlap is unique to Apple or Google,” Arash Ale Ebrahim said. “Instead, it reflects common engineering challenges in proximity-based protocols. These services are designed to provide a seamless user experience, which means privileged daemons have to process complex, attacker-controlled inputs before authentication or user approval has taken place. That inevitably creates a large pre-authentication attack surface.”
That quote gets to the center of the story. Proximity-sharing tools must react quickly to unknown nearby devices. That speed creates pre-authentication parsing. Pre-authentication parsing creates room for malformed inputs. The user never sees most of it.
Apple Has Fixed One Bug, but the Advisory Is Still Private
Apple has fixed one of the AirDrop vulnerabilities in a software update and assigned it a CVE identifier, according to Ale Ebrahim. The public advisory has not yet been released.
“The corresponding security advisory and CVE have not yet been published publicly, so I cannot share additional details at this stage,” he said, adding that “the remaining Apple reports are still under coordinated disclosure and have not yet received public CVE assignments.”
That leaves users and IT teams with partial visibility. The strongest immediate advice is also the least glamorous: keep iPhone, iPad, and Mac software current, and avoid leaving AirDrop broadly discoverable when it is not needed.
For managed fleets, MLXIO analysis points to a narrower question: should AirDrop-like settings stay permissive by default in sensitive environments before Apple publishes full advisories and fixes? The source material supports the risk model — nearby attack, no pairing, repeated service crashes — but does not yet provide field exploitation data or evidence of data compromise.
Apple’s broader device strategy depends on continuity features feeling dependable. That is why this cuts deeper than a niche AirDrop bug. The company sells integration as a core advantage, a theme that also runs through MLXIO’s coverage of Apple’s platform reach in “Apple Grabs Record Market Share as Rivals Crack.” Reliability is part of that pitch.
Patch Pressure Now Moves to the Architecture
The next evidence to watch is specific: Apple’s public CVE advisory for the fixed bug, software updates for the remaining two AirDrop reports, and whether those fixes isolate failures so one malformed interaction cannot degrade several services at once.
A narrow patch would reduce immediate crash paths. A stronger architectural response would shrink the pre-authentication attack surface and separate feature failures more cleanly inside the continuity stack.
The cross-platform finding raises the stakes for Quick Share as well. If Apple, Google, and Samsung all arrived at similar weaknesses through different implementations, the problem is not just a bad parser or one unsafe code path. It is the product bargain behind proximity sharing: instant discovery first, hard trust boundaries later.
The test for the next generation of these features will be whether they can stay invisible to users without staying too exposed to nearby attackers.
Impact Analysis
- Nearby attackers may be able to disrupt Apple sharing features without user approval or pairing.
- The issue affects more than AirDrop because the shared sharingd service also supports AirPlay, Handoff, Universal Clipboard, and Continuity Camera.
- Apple has patched one vulnerability, but two remaining flaws mean users may still face denial-of-service risks until a full fix ships.










