WhatsApp for Windows Lets Python and PHP Scripts Run Without Warning

A security researcher has discovered a vulnerability in the latest version of WhatsApp for Windows that allows users to send Python and PHP attachments, which will execute without any warning if the recipient opens them. This issue in WhatsApp is similar to a bug found in Telegram for Windows earlier this year, where attackers managed to bypass the messenger’s warnings and achieve remote code execution by sending victims Python files (.pyzw).

The WhatsApp vulnerability was found by security researcher Saumyajeet Das, who experimented with the different file types that can be attached to WhatsApp chats to see whether the app would let anything dangerous through. When a potentially dangerous file (such as an .exe) is sent, WhatsApp gives the recipient two options: “Open” or “Save As.” However, when the recipient tries to open certain file types, the messenger displays an error, leaving only the option of saving the file to disk and running it from there.

According to Bleeping Computer, this is the behavior of the WhatsApp client for Windows for .EXE, .COM, .SCR, .BAT, and Perl files. Das also found that WhatsApp blocks the execution of .DLL, .HTA, and .VBS files, which can only be run after saving them to disk.

However, the researcher discovered that there are three file types that WhatsApp does not block from running: .PYZ (Python ZIP), .PYZW (PyInstaller), and .EVTX (Windows event log files). Journalists also found that the messenger does not block PHP scripts (.PHP).

It’s important to note that for a successful attack, the victim’s system must have Python installed, which limits the potential targets to software developers, researchers, and advanced users. Nevertheless, if that condition is met, the recipient only needs to click the “Open” button, and the received script executes immediately.
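The attack path the article describes depends entirely on what Windows does when the recipient clicks “Open”: WhatsApp hands the file to the shell, and whatever handler is registered for the extension runs it. The following PowerShell audit is an added example, not code from the article, from Das, or from WhatsApp; it resolves, for the extensions named above, which ProgID and open command the current user's file associations map to, so an administrator can see at a glance whether an interpreter (rather than a viewer or editor) is wired to .pyz, .pyzw, or .php. The extension list and the interpreter-name pattern used for the RunsAsCode flag are assumptions of the example; the ProgIDs and commands are read from the registry at run time, not assumed.

```powershell
# Added example (not from the article or from WhatsApp/Meta): audit what Windows
# launches when a user double-clicks the extensions WhatsApp for Windows is
# reported not to block. Run it as the ordinary user whose associations matter.

# Extensions to inspect: an assumption of this example, taken from the article.
$Extensions = @('.pyz', '.pyzw', '.evtx', '.php')

function Get-FileTypeHandler {
    param([Parameter(Mandatory)][string]$Extension)

    $progId = $null
    $source = 'none'

    # 1. Explorer's per-user "UserChoice" (set via Open With / Default Apps) takes
    #    precedence over the classes roots.
    $uc = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    if (Test-Path $uc) {
        $progId = (Get-ItemProperty -Path $uc -ErrorAction SilentlyContinue).ProgId
        if ($progId) { $source = 'UserChoice' }
    }

    # 2. Otherwise the per-user classes root, then the machine-wide one.
    if (-not $progId) {
        foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
            $key = Join-Path $root $Extension
            if (Test-Path $key) {
                $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                if ($default) { $progId = $default; $source = $root; break }
            }
        }
    }

    # 3. Resolve the ProgID to the actual "open" command line. The merged HKCR
    #    view is sufficient here because we already know which hive supplied the ProgID.
    $command = $null
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
    }

    # RunsAsCode is true when the handler is an interpreter (python.exe, pythonw.exe,
    # the py/pyw launcher, or php) rather than a viewer such as Event Viewer for .evtx.
    # The pattern is an assumption of this example; extend it for other interpreters.
    [pscustomobject]@{
        Extension   = $Extension
        ProgId      = $progId
        Source      = $source
        OpenCommand = $command
        RunsAsCode  = [bool]($command -and $command -match 'python|\bpyw?\.exe|php')
    }
}

$Extensions | ForEach-Object { Get-FileTypeHandler -Extension $_ } | Format-Table -AutoSize
```

A row with RunsAsCode set to True means a single “Open” click in WhatsApp runs the attachment under that interpreter. For users who do not need double-click execution of Python archives, the association can be re-pointed to an editor through Default Apps; fleet-wide, application control rules (AppLocker or WDAC) on the interpreter binaries address the same risk regardless of which messenger delivered the file.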

Das reported the issue to Meta through its bug bounty program on June 3, 2024, and on July 15 the company responded that other researchers had already reported it and that it should already have been fixed. However, the vulnerability still works in the latest version of WhatsApp for Windows (version 2.2428.10.0) and was reproduced on a Windows 11 machine.

WhatsApp developers told Bleeping Computer that they do not plan to add Python scripts to the list of files blocked by default. Company representatives explained that they do not see this as a problem and therefore do not plan to release a fix.

“We have reviewed the researcher’s suggestion and appreciate their work. Malware can take many forms, including downloadable files designed to trick users. That’s why we warn users never to click or open files from unknown people, regardless of how they received them—through WhatsApp or any other app,” the company stated.

They also added that WhatsApp has a system that warns users when they are contacted by people not in their contact list or by phone numbers registered in another country.

Das told journalists he is disappointed with how the developers are responding to the situation. “By simply adding the .pyz and .pyzw extensions to the blacklist, Meta could have prevented potential exploitation through these files,” the researcher lamented.
