A safety situation within the newest model of WhatsApp for Home windows permits sending Python and PHP attachments which might be executed with none warning when the recipient opens them.
For the assault to achieve success, Python must be put in, a prerequisite which will restrict the targets to software program builders, researchers, and energy customers.
The issue is just like the one affecting Telegram for Home windows in April, which was initially rejected however fastened later, the place attackers may bypass safety warnings and carry out distant code execution when sending a Python .pyzw file via the messaging consumer.
WhatsApp blocks a number of file varieties thought-about to hold a threat to customers however the firm tells BleepingComputer that it doesn’t plan so as to add Python scripts to the listing.
Additional testing by BleepingComputer reveals that PHP recordsdata (.php) are additionally not included in WhatsApp’s blocklist.
Python, PHP scripts not blocked
Safety researcher Saumyajeet Das discovered the vulnerability whereas experimenting with file varieties that may very well be hooked up to WhatsApp conversations to see if the applying permits any of the dangerous ones.
When sending a probably harmful file, resembling .EXE, WhatsApp reveals it and provides the recipient two choices: Open or Save As.
supply: BleepingComputer.com
Nonetheless, when making an attempt to open the file, WhatsApp for Home windows generates an error, leaving customers solely the choice to avoid wasting the file to disk and launch it from there.
In BleepingComputer assessments, this habits was per .EXE, .COM, .SCR, .BAT, and Perl file varieties utilizing the WhatsApp consumer for Home windows. Das discovered that WhatsApp additionally blocks the execution of .DLL, .HTA, and VBS.
For all of them, an error occurred when making an attempt to launch them instantly from the app by clicking “Open.” Executing them was potential solely after saving to disk first.
supply: BleepingComputer
Speaking to BleepingComputer, Das stated that he discovered three file varieties that the WhatsApp consumer doesn’t block from launching: .PYZÂ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Home windows occasion Log file).
BleepingComputer’s assessments confirmed that WhatsApp doesn’t block the execution of Python recordsdata and found that the identical occurs with PHP scripts.
If all of the assets are current, all of the recipient must do is to click on the “Open” button on the obtained file, and the script executes.
Das reported the issue to Meta on June 3 and the corporate replied on July 15 saying that the difficulty had already been reported by one other researcher and may have already been fastened.
When the researcher contacted BleepingComputer, the bug was nonetheless current within the newest WhatsApp launch for Home windows, and we may reproduce it on Home windows 11, v2.2428.10.0.
“I’ve reported this situation to Meta via their bug bounty program, however sadly, they closed it as N/A. It is disappointing, as it is a simple flaw that may very well be simply mitigated,” defined the researcher.
BleepingComputer reached out to WhatsApp for clarification in regards to the cause for dismissing the researcher’s report, and a spokesperson defined that they did not see it as an issue on their facet, so there have been no plans for a repair:
“We have learn what the researcher has proposed and admire their submission. Malware can take many alternative varieties, together with via downloadable recordsdata meant to trick a consumer.”
“It is why we warn customers to by no means click on on or open a file from any individual they do not know, no matter how they obtained it — whether or not over WhatsApp or some other app.”
The corporate consultant additionally defined that WhatsApp has a system in place to warn customers once they’re messaged by customers not of their contact lists, or whom have cellphone numbers registered in a special nation.
However, if a consumer’s account is hijacked, the attacker can ship to everybody within the contact listing malicious scripts which might be simpler to execute straight from the messaging app.
Moreover, some of these attachments may very well be posted to private and non-private discussion groups, which may very well be abused by risk actors to unfold malicious recordsdata.
Responding to WhatsApp rejecting the report, Das expressed disappointment with how the venture dealt with the state of affairs.
“By merely including the .pyz and .pyzw extensions to their blocklist, Meta can forestall potential exploitation via these Pythonic zip recordsdata,” the researcher stated.
He added that by addressing the difficulty WhatsApp “wouldn’t solely improve the safety of their customers but in addition reveal their dedication to promptly resolving safety considerations.
BleepingComputer contacted WhatsApp to alert them that the PHP extension can be not blocked however has not obtained a response presently.
