• Home
  • Apps
  • Apps News
  • WhatsApp for Windows Security Flaw Allows Executing Python, PHP Files Without Warning: Report

WhatsApp for Windows Security Flaw Allows Executing Python, PHP Files Without Warning: Report

WhatsApp was reportedly highlighted about the issue but the company did not see it as an issue at their end.

WhatsApp for Windows Security Flaw Allows Executing Python, PHP Files Without Warning: Report

Photo Credit: Reuters

For an attack using Python or PHP files to be successful, a user must have Python installed

Highlights
  • Security researcher Saumyajeet Das from Zeron found this vulnerability
  • WhatsApp is said to not block .PYZ, .PYZW, and .EVTX files from launching
  • WhatsApp reportedly dismissed the researcher’s report
Advertisement

WhatsApp for Windows reportedly has a vulnerability that can be exploited by bad actors. The security flaw exploits executable files of Python and PHP for which the app does not send a warning, claimed the report. As a result, an unsuspecting user might accidentally save and run the file, allowing the attacker to deploy the payload. WhatsApp reportedly has refused to take any action citing the problem is not at their end, and that it already warns users to not download files from unknown senders.

WhatsApp for Windows Reportedly Has a Security Flaw

According to a report by Bleeping Computer, the vulnerability was found in the latest version of the WhatsApp for Windows app. It is said to allow users to send Python and PHP attachments in executable format. The files, when being downloaded at the recipient's end, does not result in a warning notification from the instant messaging platform.

The security flaw was discovered by cybersecurity firm Zeron's security researcher Saumyajeet Das. As per the report, WhatsApp in most cases does not allow launching potentially harmful files such as .EXE. While the user may see options of Open or Save As, clicking on Open generates an error. The user may still save the file on the device and launch it, but the warning acts as a reminder of the malicious nature of the file. This behaviour is said to be consistent for file formats such as .EXE, .COM, .SCR, .BAT, and Perl.

However, the researcher reportedly found that three file types — .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows event Log file) — did not trigger the error warning and users can open the file and launch them directly from within the app. Further, the publication found the same exception existed for PHP files.

Notably, an attack conducted using these file types will not be successful unless the user has Python installed in their system. This reduces vulnerable users to software developers, researchers, and others who code on their system.

The publication claims that Das reported the issue via Meta's bug bounty programme on June 3. But on July 15, the company replied that the same issue was previously reported by another researcher. The issue is still not fixed, as per the report, and it was said to be present in the latest WhatsApp for Windows 11 version v2.2428.10.0.

A WhatsApp spokesperson told the publication, “We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user. It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app.”

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: WhatsApp, Cybersecurity, App
Akash Dutta
Akash Dutta is a Senior Sub Editor at Gadgets 360. He is particularly interested in the social impact of technological developments and loves reading about emerging fields such as AI, metaverse, and fediverse. In his free time, he can be seen supporting his favourite football club - Chelsea, watching movies and anime, and sharing passionate opinions on food. More
Google Pixel Watch 3 Leaked Promo Images Hint at New Features, Specifications of Two Upcoming Variants
Facebook Gadgets360 Twitter Share Tweet Snapchat LinkedIn Reddit Comment google-newsGoogle News

Advertisement

Follow Us
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »