WhatsApp for Windows lets Python, PHP scripts execute with no warning

A security issue in the latest version of WhatsApp for Windows allows sending Python and PHP attachments that are executed without any warning when the recipient opens them.

For the attack to be successful, Python needs to be installed, a prerequisite that may limit the targets to software developers, researchers, and power users.

The problem is similar to the one affecting Telegram for Windows in April, which was initially rejected but fixed later, where attackers could bypass security warnings and perform remote code execution when sending a Python .pyzw file through the messaging client.

WhatsApp blocks multiple file types considered to carry a risk to users but the company tells BleepingComputer that it does not plan to add Python scripts to the list.

Further testing by BleepingComputer shows that PHP files (.php) are also not included in WhatsApp's blocklist.

Python, PHP scripts not blocked

Security researcher Saumyajeet Das found the vulnerability while experimenting with file types that could be attached to WhatsApp conversations to see if the application allows any of the risky ones.

When sending a potentially dangerous file, such as .EXE, WhatsApp shows it and gives the recipient two options: Open or Save As.

WhatsApp options for executable files
WhatsApp options for executable files
source: BleepingComputer.com

However, when trying to open the file, WhatsApp for Windows generates an error, leaving users only the option to save the file to disk and launch it from there.

In BleepingComputer tests, this behavior was consistent with .EXE, .COM, .SCR, .BAT, and Perl file types using the WhatsApp client for Windows. Das found that WhatsApp also blocks the execution of .DLL, .HTA, and VBS.

For all of them, an error occurred when trying to launch them directly from the app by clicking "Open." Executing them was possible only after saving to disk first.

Failed .EXE launch from WhatsApp client
Launching .EXE from WhatsApp client fails
source: BleepingComputer

Talking to BleepingComputer, Das said that he found three file types that the WhatsApp client does not block from launching: .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows event Log file).

BleepingComputer's tests confirmed that WhatsApp does not block the execution of Python files and discovered that the same happens with PHP scripts.

If all the resources are present, all the recipient needs to do is to click the "Open" button on the received file, and the script executes.

Das reported the problem to Meta on June 3 and the company replied on July 15 saying that the issue had already been reported by another researcher.

When the researcher contacted BleepingComputer, the bug was still present in the latest WhatsApp release for Windows, and we could reproduce it on Windows 11, v2.2428.10.0.

"I have reported this issue to Meta through their bug bounty program, but unfortunately, they closed it as N/A. It's disappointing, as this is a straightforward flaw that could be easily mitigated," explained the researcher.

BleepingComputer reached out to WhatsApp for clarification about the reason for dismissing the researcher's report, and a spokesperson explained that they didn't see it as a problem on their side, so there were no plans for a fix:

"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user."

"It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app."

The company representative also explained that WhatsApp has a system in place to warn users when they're messaged by users not in their contact lists, or whom have phone numbers registered in a different country.

Nevertheless, if a user's account is hijacked, the attacker can send to everyone in the contact list malicious scripts that are easier to execute straight from the messaging app.

Furthermore, these types of attachments could be posted to public and private chat groups, which could be abused by threat actors to spread malicious files.

Responding to WhatsApp rejecting the report, Das expressed disappointment with how the project handled the situation.

"By simply adding the .pyz and .pyzw extensions to their blocklist, Meta can prevent potential exploitation through these Pythonic zip files," the researcher said.

He added that by addressing the issue WhatsApp "would not only enhance the security of their users but also demonstrate their commitment to promptly resolving security concerns.

BleepingComputer contacted WhatsApp to alert them that the PHP extension is also not blocked but has not received a response at this time.

Related Articles:

Zero-Day Bug in KDE 4/5 Executes Commands by Opening a Folder

Ivanti warns of three more CSA zero-days exploited in attacks

Microsoft patches Windows zero-day exploited in attacks on Ukraine

Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws

Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws