WhatsApp for Windows Security Flaw Allows Executing Python, PHP Files Without Warning: Report

WhatsApp was reportedly highlighted about the issue but the company did not see it as an issue at their end.

WhatsApp for Windows reportedly has a vulnerability that can be exploited by bad actors. The security flaw exploits executable files of Python and PHP for which the app does not send a warning, claimed the report.

As a result, an unsuspecting user might accidentally save and run the file, allowing the attacker to deploy the payload. WhatsApp reportedly has refused to take any action citing the problem is not at their end, and that it already warns users to not download files from unknown senders.

WhatsApp for Windows Reportedly Has a Security Flaw

According to a report by Bleeping Computer, the vulnerability was found in the latest version of the WhatsApp for Windows app. It is said to allow users to send Python and PHP attachments in executable format.

The files, when being downloaded at the recipient’s end, does not result in a warning notification from the instant messaging platform.

The security flaw was discovered by cybersecurity firm Zeron’s security researcher Saumyajeet Das. As per the report, WhatsApp in most cases does not allow launching potentially harmful files such as .EXE.

While the user may see options of Open or Save As, clicking on Open generates an error. The user may still save the file on the device and launch it, but the warning acts as a reminder of the malicious nature of the file. This behaviour is said to be consistent for file formats such as .EXE, .COM, .SCR, .BAT, and Perl.

However, the researcher reportedly found that three file types — .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows event Log file) — did not trigger the error warning and users can open the file and launch them directly from within the app. Further, the publication found the same exception existed for PHP files.

Notably, an attack conducted using these file types will not be successful unless the user has Python installed in their system. This reduces vulnerable users to software developers, researchers, and others who code on their system.

The publication claims that Das reported the issue via Meta’s bug bounty programme on June 3. But on July 15, the company replied that the same issue was previously reported by another researcher. The issue is still not fixed, as per the report, and it was said to be present in the latest WhatsApp for Windows 11 version v2.2428.10.0.

A WhatsApp spokesperson told the publication, “We’ve read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user.

It’s why we warn users to never click on or open a file from somebody they don’t know, regardless of how they received it — whether over WhatsApp or any other app.”

Leave a Comment