WhatsApp for Windows may allow execution of malicious files
WhatsApp for Windows reportedly has a vulnerability that could be exploited by malicious actors. The vulnerability uses Python and PHP executable files for which the app does not send warnings, the report claimed. As a result, an unsuspecting user could accidentally save and execute the file, allowing the attacker to deploy the payload. WhatsApp has reportedly declined to take action, saying the issue does not lie with them and already warns users not to download files from unknown senders.
WhatsApp for Windows reportedly has a security hole
According to a report by Bleeping Computer, the vulnerability was found in the latest version of the WhatsApp for Windows app. It would allow users to send Python and PHP attachments in executable format. The files, when downloaded on the recipient’s side, do not result in any warning notification from the instant messaging platform.
The vulnerability was discovered by cybersecurity firm Zeron’s security researcher Saumyajeet Das. According to the report, WhatsApp in most cases does not allow the launch of potentially malicious files such as .EXE. While the user is presented with the Open or Save As options, clicking Open generates an error message. The user can still save the file to the device and launch it, but the warning acts as a reminder of the malicious nature of the file. This behavior is said to be consistent for file formats such as .EXE, .COM, .SCR, .BAT, and Perl.
However, the researcher reportedly found that three file types — .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows Event Log file) — did not trigger the error, and users could open and launch the file directly from within the app. Furthermore, the publication found that the same exception existed for PHP files.
Notably, an attack using these file types will not be successful unless the user has Python installed on their system. This limits vulnerable users to software developers, researchers, and others who code on their systems.
The publication claims that Das reported the issue through Meta’s bug bounty program on June 3. However, on July 15, the company responded that the same issue had previously been reported by a different researcher. The issue has still not been fixed, according to the report, and it is said to be present in the latest WhatsApp for Windows 11 version v2.2428.10.0.
A WhatsApp spokesperson told the publication: “We’ve read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including downloadable files that are intended to trick a user. That’s why we warn users to never click on or open a file from someone they don’t know, regardless of how they received it – via WhatsApp or another app.”
