A major security hole has been discovered in WhatsApp’s Windows client that allows malicious attacks. It reportedly allows attachments in Python and PHP to be sent that open on the recipient’s system without warning. On the plus side, this security hole will not affect most users.
WhatsApp is the most widely used messaging app in the world for users to communicate. It allows users to send photos and videos, as well as other types of files, offering users great versatility.
It is not particularly rare for a security breach to occur in one of the distributions of the messaging application. The curious thing about this breach is that it affects very specific types of files and, luckily, they are not used by the majority of users, making this breach in WhatsApp very limited.
WhatsApp for Windows has a major vulnerability
Security researchers have detected that WhatsApp for Windows allows files sent through the Python and PHP application to be executed without warning. For the attack to be successful, the recipient must have software installed that allows opening programs in Python.
This condition makes the number of systems vulnerable to attack minimal. Those most likely to be affected are software developers, engineers and advanced users.
This is not the first time we have seen something like this. In April, Telegram for Windows already had a similar breach. It allowed users to bypass security warnings and remotely execute code sent in a Python “.pyzw” file via the messaging client. Initially, the problem was denied, but in the end Telegram had to admit it.
You should know that WhatsApp has a list of risky file types for users, which does not include Python. Also not on the list are PHP files (.php), which would be the other type of file that puts the user at risk.
This means that neither of these two file types are blocked by the messaging app or verified. This poses a security risk, as malicious scripts could be sent without detection.
The vulnerability was discovered while researcher Saumyajeet Das was exploring what types of files could be sent. He wanted to know which ones were not on the list of potentially dangerous ones. Das found that he can send an “.EXE” file without any problems, allowing the recipient to open or save it.
An interesting thing is that if we simply want to open it, WhatsApp for Windows will display an error and will not run it. On the other hand, if we save the file, we will be able to run it without any problems.
BleepingComputer has replicated the experiment and there is a long list of formats supported by WhatsApp for Windows. You can send “.EXE”, “.COM”, “.SCR”, “.BAT” and Perl files without any problems. However, it blocks the execution of “.DLL”, “.HTA” and “.VBS” files.
It also does not block “.PYZ” (Python ZIP application), “.PYZW” (PyInstaller program) and “.EVTX” (Windows event log file) files. None of the files it allows to be sent can be opened directly from the application. They must first be downloaded to the storage drive.
Saumyajeet reportedly informed Meta on June 3, and the company responded on July 15, indicating that they had already been informed by another researcher. To our knowledge, the company has not corrected the problem and there is no date for a solution.
