Researchers Discover AirDrop Security Flaw That Could Expose Personal Data to Strangers

by

AirDrop is a feature that allows Apple devices to securely and conveniently transfer files, photos, and more between each other wirelessly. Users can share items with their own devices, friends, family, or even strangers. The convenience and ease of use, however, may be undermined by a newly discovered security flaw.

airdrop logo
Researchers at TU Darmstadt have discovered that the process which AirDrop uses to find and verify someone is a contact on a receiver's phone can expose private information. AirDrop includes three modes; Receiving Off, Contacts Only, Everyone. The default setting is Contacts Only, which means only people within your address book can AirDrop photos, files, and more to your device.

The researchers discovered that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. The researchers claim that a stranger can use the mechanism and its process within the range of an iOS or macOS device with the share panel open to obtain private information. As the researchers explain:

As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users – even as a complete stranger. All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.

The discovered problems are rooted in Apple's use of hash functions for "obfuscating" the exchanged phone numbers and email addresses during the discovery process. However, researchers from TU Darmstadt already showed that hashing fails to provide privacy-preserving contact discovery as so-called hash values can be quickly reversed using simple techniques such as brute-force attacks.

To determine whether the other party is a contact, AirDrop uses a mutual authentication mechanism that compares a user's phone number and email address with entries in the other user's address book.

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains.

Tag: AirDrop

Popular Stories

Apple Wallet ID Illinois

Apple Plans to Expand iPhone Driver's Licenses to These 7 U.S. States

Wednesday December 24, 2025 8:40 am PST by
In select U.S. states, residents can add their driver's license or state ID to the Apple Wallet app on the iPhone and Apple Watch, and then use it to display proof of identity or age at select airports and businesses, and in select apps. The feature is currently available in 13 U.S. states and Puerto Rico, and it is expected to launch in at least seven more in the future. To set up the...
Read Full Article50 comments
iPhone Top Left Hole Punch Face ID Feature Purple

iPhone 18 Pro Launching Next Year With These 12 New Features

Tuesday December 23, 2025 8:36 am PST by
While the iPhone 18 Pro and iPhone 18 Pro Max are not expected to launch for another nine months, there are already plenty of rumors about the devices. Below, we have recapped 12 features rumored for the iPhone 18 Pro models. The same overall design is expected, with 6.3-inch and 6.9-inch display sizes, and a "plateau" housing three rear cameras Under-screen Face ID Front camera in...
Read Full Article98 comments
maxresdefault

Where's the New Apple TV?

Monday December 22, 2025 11:30 am PST by
Apple hasn't updated the Apple TV 4K since 2022, and 2025 was supposed to be the year that we got a refresh. There were rumors suggesting Apple would release the new Apple TV before the end of 2025, but it looks like that's not going to happen now. Subscribe to the MacRumors YouTube channel for more videos. Bloomberg's Mark Gurman said several times across 2024 and 2025 that Apple would...
Read Full Article176 comments
maxresdefault

10 Mac Apps Worth Trying in 2026

Wednesday December 24, 2025 9:27 am PST by
2026 is almost upon us, and a new year is a good time to try out some new apps. We've rounded up 10 excellent Mac apps that are worth checking out. Subscribe to the MacRumors YouTube channel for more videos. Alt-Tab (Free) - Alt-Tab brings a Windows-style alt + tab thumbnail preview option to the Mac. You can see a full window preview of open apps and app windows. One Thing (Free) -...
Read Full Article97 comments
iOS 26

iOS 26.2 Adds These 8 New Features to Your iPhone

Monday December 22, 2025 8:47 am PST by
Earlier this month, Apple released iOS 26.2, following more than a month of beta testing. It is a big update, with many new features and changes for iPhones. iOS 26.2 adds a Liquid Glass slider for the Lock Screen's clock, offline lyrics in Apple Music, and more. Below, we have highlighted a total of eight new features. Liquid Glass Slider on Lock Screen A new slider in the Lock...
Read Full Article
airpods color prototypes

Apple Tested AirPods in Bright Colors

Saturday December 27, 2025 6:06 am PST by
Apple reportedly tested a version of the first-generation AirPods with bright, iPhone 5c-like colored charging cases. The images, shared by the Apple leaker and prototype collector known as "Kosutami," claim to show first-generation AirPods prototypes with pink and yellow exterior casings. The interior of the charging case and the earbuds themselves remain white. They seem close to some...
Read Full Article61 comments
iPhone Fold Vertical Feature

Why Apple's Foldable iPhone May Be Smaller Than Expected

Tuesday December 23, 2025 5:21 am PST by
Apple's first foldable iPhone, rumored for release next year, may turn out to be smaller than most people imagine, if a recent report is anything to go by. According to The Information, the outer display on the book-style device will measure just 5.3 inches – that's smaller than the 5.4-inch screen on the ‌iPhone‌ mini, a line Apple discontinued in 2022 due to poor sales. The report has led ...
Read Full Article204 comments
Foldable iPhone 2023 Feature Iridescent Search

Samsung Developing 'Wide Fold' With iPhone Fold-Like Design Ahead of Apple's 2026 Launch

Tuesday December 23, 2025 11:55 am PST by
Samsung is working on a new foldable smartphone that's wider and shorter than the models that it's released before, according to Korean news site ETNews. The "Wide Fold" will compete with Apple's iPhone Fold that's set to launch in September 2026. Samsung's existing Galaxy Z Fold7 display is 6.5 inches when closed, and 8 inches when open, with a 21:9 aspect ratio when folded and a 20:18...
Read Full Article92 comments
iPhone SE Cosmopolitan Clean

Apple Discontinued These 25 Products This Year

Wednesday December 24, 2025 7:24 am PST by
With the end of 2025 near, the time has come to look back at the devices and accessories that Apple discontinued throughout the year. Most of the products that were discontinued this year were simply replaced by a new model with an updated chip. However, the iPhone SE line was entirely discontinued when the iPhone 16e launched, and the iPhone Plus line is being phased out. Below, we have...
Read Full Article13 comments

Top Rated Comments

Apple_Robert Avatar
Apple_Robert
61 months ago
This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure AirDrop.
Score: 12 Votes (Like | Disagree)
dannyyankou Avatar
dannyyankou
61 months ago

According to the researchers, Apple was informed of the flaw in May of 2019, and despite several software updates since then, the flaw remains. We've reached out to Apple for comment and will update this article if we hear back.
I’m sure now that they made this public, Apple will move with more urgency. Apple is usually better fixing security flaws, I’m disappointed.
Score: 9 Votes (Like | Disagree)
Unregistered 4U Avatar
Unregistered 4U
61 months ago

And that is the SIMPLE process. Why is this even news?
Because there’s really very little “security” news that’s even worth reporting, but the researchers still need attention and validation. But, their reports are of the sort that remind me my home has a security hole in that my chimney provides access to my house once you tear down the external facing wall. However, very few people are concerned by or will do anything about this vulnerability. My garage door? COMPLETELY vulnerable to a brute force attack by a tank. Why won’t garage door manufacturers DO anything about this?
Score: 8 Votes (Like | Disagree)
Unregistered 4U Avatar
Unregistered 4U
61 months ago

Yeah that doesn’t sound great. I wonder how many bad actors there actually are out there taking advantage of this loophole though?

Even though this obviously needs to be patched, does anyone seriously believe that any "bad actor" is going to go through this much work so he can sit in a Starbucks and steal someone's phone number? :)
No :) Folks need to remember that their life REALLY isn’t actually all that interesting, anyone interested IN their information is not going to waste time on an AirDrop brute force hack. If they are THAT close and REAAAAAALLLLY want your information, they can readily get access to it using one of the devices below.


Attachment Image
Score: 8 Votes (Like | Disagree)
13astion Avatar
13astion
61 months ago

This is not good. If Apple was in fact informed specifically about this vulnerability in 2019, I take umbrage with Apple not having taken the proper steps to secure Handoff.
It’s AirDrop, not Handoff. The latter is used by ONE user to transfer control or data between multiple devices that are already in their control (and logged into).

AirDrop allows TWO different users logged into TWO devices under their own control to share data. Hence the need for authentication.

And the attack vector is super specific... a black hat *physically nearby* has to try to grab your data while you initiate the AirDrops (and I would guess most AirDrops are small things: a contact card, a photo, a doc... all which take seconds to transfer), and THEN brute force the hashes... for what? A bit of stolen PII?

Yes, it’s *possible* for someone to do this... but *probable*? Naahh. Which is why Apple hasn’t prioritized it. In risk management you have to prioritize the risks by probability and impact... this one is pretty low on both counts.
Score: 7 Votes (Like | Disagree)
ikramerica Avatar
ikramerica
61 months ago

Namely, their email address and telephone number. Not their bank account data, not their social security number. Notice how they obfuscate “PRIVATE DATA OOOH SCARY” from what’s actually shared.

There is a VERY VERY good chance that your “private data” in this case is already on a list some ne’er do well purchased last month… and they didn’t even have to be within AirDrop range to get it! Next they’ll be reporting that
“Folks can gain access to your email address by ASKING you for it. If you fall for the exploit and provide them with your email address THEY WILL HAVE IT!! We reached out to Apple asking if they plan to stop providing email addresses so that people aren’t able to leak them and they looked at us funny and shooed us away.”
I am pretty sure you can get all that juicy data by putting a name in a google search. Plus home address, previous addresses, criminal record, etc.

I do think the odds of someone brute forcing an airdrop in close
proximity to you in order to discover your phone number and email is pretty remote. One assumes that if they are going to all that effort to target you, they already know your name.

One question for the researchers: does this mean turning on “everyone” is more secure as no matching is attempted?
Score: 7 Votes (Like | Disagree)
Read All Comments