WhatsApp for Windows allows Python and PHP scripts to run without warning when opened. The issue lets a sender attach such scripts, which execute immediately when the recipient opens them, provided the required interpreter is installed, bypassing any warning or block. Because Python must already be installed for a script to run, the realistic targets are limited to developers, researchers, and power users.
Similar vulnerabilities affected Telegram for Windows earlier this year, where attackers could perform remote code execution using Python .pyzw files. WhatsApp only blocks certain file types from executing but does not include Python or PHP scripts in their list.
Security researcher Saumyajeet Das discovered the vulnerability by testing which risky file types could be attached to WhatsApp conversations, observing that the application allows .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows event log file) files to launch directly without any warning.
BleepingComputer’s tests confirmed Python scripts are not blocked, and discovered PHP scripts share the same issue. To execute these scripts, recipients only need to click the “Open” button on the received file.
Das reported this issue to Meta on June 3, but they dismissed it as ‘not an issue.’ WhatsApp argues that users should not open files from unknown sources and says it has a system in place to warn about messages from unverified senders or foreign numbers. However, if a user’s account is compromised, an attacker can easily distribute malicious scripts through the victim’s contact lists, chat groups, or public/private messaging apps.
Das expressed disappointment with Meta’s handling of the situation and suggested they add .pyz and .pyzw extensions to their blocklist to prevent potential exploitation. BleepingComputer reached out to WhatsApp regarding the PHP extension but has not yet received a response.
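As an added illustration (not code from the article, from WhatsApp, or from the researcher), the following Python check shows the kind of attachment gating the blocklist discussion implies from a defender's side: it flags the extensions named above case-insensitively on the final extension (so `Invoice.PDF.pyz` or `script.PYZW` are caught), and it additionally inspects file content so a renamed Python zipapp or PHP script is still flagged. The extension set, the function names, and the sample files are constructed assumptions for this example, not WhatsApp's actual blocklist.

```python
import io
import zipfile

# Extensions the article says WhatsApp for Windows opens without a warning
# (.pyz, .pyzw, .evtx) plus plain Python and PHP script extensions. This set
# is an assumption for the example, not WhatsApp's real blocklist.
RISKY_EXTENSIONS = {".py", ".pyw", ".pyz", ".pyzw", ".php", ".evtx"}


def _has_risky_extension(name: str) -> bool:
    """Match on the final extension only, lower-cased, so 'Invoice.PDF.pyz'
    and 'script.PYZW' are both caught; a fixed-case endswith() list misses them."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in RISKY_EXTENSIONS


def _is_python_zipapp(data: bytes) -> bool:
    """A .pyz/.pyzw is a zip archive with a top-level __main__.py, optionally
    prefixed by a '#!' line. zipfile tolerates the prefix because it locates
    the central directory from the end of the data."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    buf.seek(0)
    try:
        with zipfile.ZipFile(buf) as zf:
            return "__main__.py" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify_attachment(name: str, data: bytes) -> tuple[bool, str]:
    """Return (should_warn, reason) for an inbound attachment.
    Content checks run regardless of the extension, so a renamed script
    is still flagged."""
    if _has_risky_extension(name):
        return True, "extension"
    if _is_python_zipapp(data):
        return True, "zipapp-content"
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<?php"):
        return True, "php-content"
    if head.startswith(b"#!") and b"python" in head.split(b"\n", 1)[0]:
        return True, "python-shebang"
    return False, "ok"


def _make_zip(entries: dict[str, str]) -> bytes:
    """Build an in-memory zip archive from {filename: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, text in entries.items():
            zf.writestr(filename, text)
    return buf.getvalue()


def build_sample_zipapp() -> bytes:
    """Constructed sample: a harmless zipapp whose __main__ only prints,
    with the shebang prefix that Python's zipapp tool prepends."""
    return b"#!/usr/bin/env python3\n" + _make_zip(
        {"__main__.py": "print('hello from zipapp')\n"}
    )


def build_sample_plain_zip() -> bytes:
    """Constructed sample: an ordinary archive with no __main__.py."""
    return _make_zip({"notes.txt": "just a text file\n"})


if __name__ == "__main__":
    samples = [
        ("Report.PYZ", b""),
        ("archive.zip", build_sample_zipapp()),
        ("archive.zip", build_sample_plain_zip()),
        ("readme.txt", b"<?php echo 'x'; ?>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, data in samples:
        print(name, classify_attachment(name, data))
```

The point of the two-stage check is that an extension blocklist alone is only a first line of defence: it is easy to get wrong on case and multiple extensions, and it says nothing about what the bytes actually are, which is why the content probes are run even when the name looks harmless.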
Source: https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/