
WhatsApp vulnerability allows script execution | Heise Online



A security hole in the current version of WhatsApp for Windows allows Python and PHP attachments to be sent. When the recipient opens them, the scripts start automatically without any warning message or further information. However, for the attack to be successful, Python must be installed on the target device. Software developers and power users are therefore the ones primarily affected by this vulnerability.



As the news portal BleepingComputer reports, this vulnerability is similar to the problem that occurred in Telegram for Windows in April this year. At that time, attackers could bypass security warnings and execute remote code by sending Python scripts through the messaging client. WhatsApp currently blocks several file types when selecting file attachments. PHP and Python scripts are not among them.


IT security expert Soumyajit Das discovered the vulnerability. The cybersecurity researcher experimented with different file types that he attached to WhatsApp chats to see which file types were allowed and how the attachments behaved when opened.

Typically, attempting to open an attached file directly results in an error message from WhatsApp for Windows. Users then only have the option to save the attachments. BleepingComputer reviewed these results and was able to confirm the behavior for .EXE, .COM, .SCR, .BAT and Perl files. Execution of .DLL, .HTA and VBS file types was also blocked.

Soumyajit Das found that the file types .PHP (PHP script), .PYZ (Python zip executable), .PYZW (PyInstaller program) and .EVTX (Windows event log file) were opened directly when launched, without any prompt, by the application associated with them in Windows. The shell can be executed directly. Soumyajit sees a particularly high risk when attachments are posted in public and private WhatsApp chat groups: they reach many recipients whose systems meet the requirements, so the risk of malicious code being passed on is correspondingly high.

Meta was informed about the error on June 3 and responded on July 15 saying that the problem was known and should have been fixed in the meantime. However, when Soumyajit Das submitted his findings to BleepingComputer, the error was still present in the Windows version of WhatsApp. BleepingComputer was then able to reproduce the bug under Windows 11, version v2.2428.10.0.

So far, Meta has not commented on this new report about the known bug.
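The gap described above comes from deciding by blocklist: any type not on the list is handed to its Windows file association. The following sketch is an added example, not WhatsApp's code; it models the reported behaviour next to an allowlist policy. The allowlist contents, the `.pl` extension for "Perl files" and the sample file names are assumptions constructed for illustration.

```python
import ntpath

# Types the article reports as blocked from direct opening (save only).
# The page says "Perl files" without an extension; ".pl" is an assumption.
REPORTED_BLOCKED = {".exe", ".com", ".scr", ".bat", ".pl", ".dll", ".hta", ".vbs"}
# Types the article reports as opening directly via the associated application.
REPORTED_OPENED = {".php", ".pyz", ".pyzw", ".evtx"}
# Hypothetical allowlist of types a client could agree to open directly.
ALLOWED_TO_OPEN = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".pdf", ".txt"}


def effective_extension(filename):
    """Return the lower-cased last extension, normalised the way Windows sees it."""
    # Windows drops trailing dots and spaces and matches extensions
    # case-insensitively, so "Tool.PYZ. " still resolves to the .pyz handler.
    name = ntpath.basename(filename).rstrip(" .")
    if "." not in name:
        return ""
    return "." + name.rpartition(".")[2].lower()


def denylist_decision(filename):
    """Model of the reported behaviour: only listed types are save-only."""
    return "save-only" if effective_extension(filename) in REPORTED_BLOCKED else "open"


def allowlist_decision(filename):
    """Default-deny: anything not explicitly allowed can only be saved."""
    return "open" if effective_extension(filename) in ALLOWED_TO_OPEN else "save-only"


def compare(filenames):
    """Return (name, denylist result, allowlist result) for each file name."""
    return [(n, denylist_decision(n), allowlist_decision(n)) for n in filenames]


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = ["photo.JPG", "setup.exe", "invoice.pdf.pyzw", "Tool.PYZ. ",
               "page.php", "Security.evtx", "README"]
    for name, deny, allow in compare(samples):
        print(f"{name!r:22} denylist={deny:10} allowlist={allow}")
```

Every type in `REPORTED_OPENED` passes the blocklist and is stopped by the allowlist, including double-extension names such as `invoice.pdf.pyzw`.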


(USC)
