As one of the most popular and widely used instant messaging platforms on the Internet, WhatsApp blocks the file types most likely to be dangerous, thereby protecting users' privacy and data.
However, a recently discovered security vulnerability in the latest version of WhatsApp for Windows allows attackers to execute Python and PHP attachments on a computer without any warning when the recipient opens them.
This WhatsApp vulnerability poses a significant risk to users, as it allows threat actors to execute malicious code directly on the recipient’s computer.
Security researcher Saumyajeet Das found the vulnerability in the current version of WhatsApp for Windows while testing which file types could be attached to WhatsApp chats, to see whether the client would let any of the less common ones run (via BleepingComputer).
"When sending a potentially dangerous file, such as .EXE, WhatsApp shows it and gives the recipient two options: Open or Save As," BleepingComputer wrote in its report.
"However, when trying to open the file, WhatsApp for Windows generates an error, leaving users only the option to save the file to disk and launch it from there."
Das found three file types that the WhatsApp client doesn't block from launching: .PYZ (a Python zip application), .PYZW (the same format, run by pythonw.exe without a console window) and .EVTX (Windows event log file).
When BleepingComputer carried out its own tests, it found that WhatsApp did not block the execution of Python files or PHP scripts.
With those prerequisites in place, the recipient only has to click the "Open" button on the received file and the script runs.
Das says that the security vulnerability in the latest version of WhatsApp for Windows allows arbitrary code execution by bypassing existing security mitigations.
However, for the flaw to be exploited, Python must be installed on the computer. Windows opens an attachment through whatever application is registered for its extension, so a .pyz or .pyzw file only executes where a Python installation has claimed those extensions (and a .php script only where a PHP handler is registered). That limits likely targets to software developers, researchers, and advanced users.
The security vulnerability found on WhatsApp for Windows was reported to Meta on June 3, 2024.
However, the company responded on July 15, 2024, saying that another researcher had already reported the issue and that it should have been fixed.
When the researcher contacted BleepingComputer, the flaw was still present in the latest WhatsApp release for Windows, v2.2428.10.0; the publication reproduced it on Windows 11.
“I have reported this issue to Meta through their bug bounty program, but unfortunately, they closed it as N/A. It’s disappointing, as this is a straightforward flaw that could be easily mitigated,” explained the researcher.
When BleepingComputer contacted WhatsApp for an explanation regarding the issue, WhatsApp dismissed the researcher's report and said that they saw no security risk and were not planning a fix.
"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user," a WhatsApp spokesperson told BleepingComputer in a statement.
"It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it, whether over WhatsApp or any other app."
The company representative also explained that WhatsApp has a system for notifying users when they receive messages from people who are not in their contacts or whose phone numbers are registered in a different country.
Das was unhappy that Meta dismissed his vulnerability report. "By simply adding the .pyz and .pyzw extensions to their blocklist, Meta can prevent potential exploitation through these Pythonic zip files," the researcher said.
Addressing the issue, he added, "would not only enhance the security of their users but also demonstrate their commitment to promptly resolving security concerns."
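As an added illustration (not WhatsApp's code, and not the researcher's), the Python below sketches the screening step the researcher is asking for: an extension blocklist that includes .pyz and .pyzw, plus a content check for the zipapp structure (a zip archive whose root holds __main__.py, which is what python.exe and pythonw.exe execute) so that a file handed over under a different name is caught as well. The blocklist contents, the function names and the sample zipapp are assumptions constructed here for the example.

```python
"""Attachment screening for the file types discussed above.

Illustrative code only. The blocklist is an assumption modelled on the
researcher's suggestion; WhatsApp's real list is not public.
"""
import io
import zipfile

# Assumed blocklist. The article supports .exe being refused and names .pyz,
# .pyzw and .php as unblocked; a production list would be much longer.
BLOCKED_EXTENSIONS = frozenset({".exe", ".pyz", ".pyzw", ".php"})


def normalize_extension(filename: str) -> str:
    """Return the extension Windows will dispatch on, lower-cased with its dot.

    Win32 strips trailing dots and spaces when a file is created, so
    'script.pyz.' lands on disk as 'script.pyz', and handler lookup is
    case-insensitive, so 'SCRIPT.PYZ' is the same thing. A naive string
    compare would miss both. Only the last extension counts, so a double
    extension such as 'invoice.pdf.pyz' is still .pyz.
    """
    name = filename.rstrip(". ")
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def looks_like_zipapp(data: bytes) -> bool:
    """True if the bytes are a zip archive with a top-level __main__.py.

    That is the layout the stdlib zipapp module produces and the Python
    launcher executes for .pyz/.pyzw. zipapp may prefix a shebang line;
    zipfile still parses it because the central directory is located from
    the end of the data, so the prefix does not defeat the check.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "__main__.py" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def build_sample_zipapp() -> bytes:
    """Constructed sample input: a harmless zipapp that only prints a line.

    Built by hand rather than with zipapp.create_archive, which needs a
    source directory; the resulting layout is the same.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("__main__.py", "print('hello from a zipapp')\n")
    return b"#!/usr/bin/env python3\n" + buf.getvalue()


def screen_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Decide whether the client should offer 'Open' for this attachment.

    Returns ("block", reason) or ("allow", reason). Extension first, then a
    content check so that renaming a zipapp to .zip does not slip it past.
    """
    ext = normalize_extension(filename)
    shown = ext or "<none>"
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"extension {shown} is on the blocklist")
    if looks_like_zipapp(data):
        return ("block", f"zip archive with __main__.py under extension {shown}")
    return ("allow", f"extension {shown} is not blocked")


if __name__ == "__main__":
    sample = build_sample_zipapp()
    for name in ("invoice.pyzw", "INVOICE.PYZ.", "invoice.pdf.pyz", "invoice.zip"):
        print(name, "->", screen_attachment(name, sample))
    print("photo.jpg ->", screen_attachment("photo.jpg", b"\xff\xd8\xff"))
```

The point of the second check is that an extension blocklist on its own is a race with whatever the platform's interpreters register next; matching on the structure the interpreter actually executes is what survives a rename.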
BleepingComputer also contacted WhatsApp to point out that the .php extension is not blocked either, but has yet to receive a response.
Until then, WhatsApp users should remain vigilant, not open suspicious files, especially those from unknown sources, and always keep software up-to-date.