WhatsApp for Windows Security Flaw Allows Executing Python, PHP Files Without Warning: Report

WhatsApp for Windows reportedly has a vulnerability that may be exploited by dangerous actors. The safety flaw exploits executable information of Python and PHP for which the app doesn’t ship a warning, claimed the report. As a end result, an unsuspecting consumer would possibly by accident save and run the file, permitting the attacker to deploy the payload. WhatsApp reportedly has refused to take any motion citing the issue will not be at their finish, and that it already warns customers to not obtain information from unknown senders.

WhatsApp for Windows Reportedly Has a Security Flaw

According to a report by Bleeping Computer, the vulnerability was discovered within the newest model of the WhatsApp for Windows app. It is alleged to permit customers to ship Python and PHP attachments in executable format. The information, when being downloaded on the recipient’s finish, doesn’t lead to a warning notification from the moment messaging platform.

The safety flaw was found by cybersecurity agency Zeron’s safety researcher Saumyajeet Das. As per the report, WhatsApp typically doesn’t enable launching probably dangerous information akin to .EXE. While the consumer may even see choices of Open or Save As, clicking on Open generates an error. The consumer should save the file on the machine and launch it, however the warning acts as a reminder of the malicious nature of the file. This behaviour is alleged to be constant for file codecs akin to .EXE, .COM, .SCR, .BAT, and Perl.

However, the researcher reportedly discovered that three file sorts — .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows occasion Log file) — didn’t set off the error warning and customers can open the file and launch them immediately from inside the app. Further, the publication discovered the identical exception existed for PHP information.

Notably, an assault performed utilizing these file sorts is not going to achieve success until the consumer has Python put in of their system. This reduces weak customers to software program builders, researchers, and others who code on their system.

The publication claims that Das reported the problem through Meta’s bug bounty programme on June 3. But on July 15, the corporate replied that the identical problem was beforehand reported by one other researcher. The problem continues to be not fastened, as per the report, and it was mentioned to be current within the newest WhatsApp for Windows 11 model v2.2428.10.0.

A WhatsApp spokesperson informed the publication, “We’ve learn what the researcher has proposed and recognize their submission. Malware can take many various kinds, together with by downloadable information meant to trick a consumer. It’s why we warn customers to by no means click on on or open a file from anyone they do not know, no matter how they obtained it — whether or not over WhatsApp or another app.”