
Vulnerability in WhatsApp for Windows Could Let Attackers Run Python, PHP Scripts

Vlad CONSTANTINESCU

July 29, 2024


A security researcher recently unveiled a significant vulnerability in the WhatsApp Windows client that could let threat actors execute arbitrary Python and PHP scripts without warning.

Attackers Could Exploit WhatsApp for Windows to Run Malicious Scripts

Saumyajeet Das, who made the startling discovery, identified the flaw while experimenting with file types that could be attached to WhatsApp conversations. The researcher was conducting routine security checks to see if the Windows client allowed users to send risky file types.

While WhatsApp for Windows has a built-in blacklist that restricts users from sending certain types of documents to prevent attacks, the client doesn’t restrict Python scripts and PHP files.

And, according to BleepingComputer, the company doesn’t plan to add Python scripts to the list of restricted extensions any time soon.

WhatsApp Windows Client Allows Potentially Malicious File Types

Typically, when attempting to send potentially dangerous files such as COM, BAT, SCR, or EXE files, WhatsApp for Windows shows the recipients the options of saving the file locally or opening it.

Upon trying to launch the file directly, however, the Windows client returns an error prompt, forcing the user to save the file locally and execute it from its destination. Certain file types, although potentially hazardous, are not blocked by WhatsApp for Windows. These include PYZ, PYZW, EVTX and PHP files.

Meta Doesn’t Plan to Release a Fix

Das reported the vulnerability to Meta, WhatsApp’s parent company, through its bug bounty program. However, the company closed the issue without addressing it, stating that the client has a warning system that notifies users if they’re being messaged by someone not in their contact lists, or contacts who have registered their numbers in different countries.

Furthermore, a company representative said users shouldn’t interact with files from someone they don’t know, regardless of how they receive them.

Cybersecurity Implications

However, a malicious actor could hijack an account and disseminate malicious scripts to all its contacts directly through the app.

The client’s inability to restrict these file types could spell disaster in many scenarios, including individual conversations, but also public and private chat groups.
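A defender-side triage of this gap, as an added example that is not part of the original article: it lists files in a folder whose extensions are among those the article says are not blocked, and checks whether a PYZ or PYZW file is really a Python zip application (a zip archive with a top-level `__main__.py`, optionally preceded by a `#!` line). The function names and the sample folder contents are assumptions constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

# Extensions the article lists as not blocked by WhatsApp for Windows.
UNBLOCKED_RISKY = {".pyz", ".pyzw", ".php", ".evtx"}


def inspect_zipapp(path):
    """Return (is_zipapp, shebang) for a .pyz/.pyzw candidate."""
    with open(path, "rb") as fh:
        first = fh.readline(256)
    shebang = first.decode("utf-8", "replace").strip() if first.startswith(b"#!") else None
    try:
        with zipfile.ZipFile(path) as zf:  # tolerates a prefix before the zip data
            return "__main__.py" in zf.namelist(), shebang
    except zipfile.BadZipFile:
        return False, shebang  # right extension, but not an archive


def triage(folder):
    """List files under `folder` whose extension is in UNBLOCKED_RISKY."""
    findings = []
    for p in sorted(Path(folder).rglob("*")):
        ext = p.suffix.lower()  # case-insensitive, as on Windows
        if not p.is_file() or ext not in UNBLOCKED_RISKY:
            continue
        entry = {"file": p.name, "ext": ext, "runnable_zipapp": False, "shebang": None}
        if ext in (".pyz", ".pyzw"):
            entry["runnable_zipapp"], entry["shebang"] = inspect_zipapp(p)
        findings.append(entry)
    return findings


def demo():
    """Run triage over a constructed sample folder of harmless placeholder files."""
    with tempfile.TemporaryDirectory() as d:
        with Path(d, "Invoice.PYZ").open("wb") as fh:
            fh.write(b"#!/usr/bin/env python3\n")  # zipapp-style interpreter line
            with zipfile.ZipFile(fh, "w") as zf:
                zf.writestr("__main__.py", "print('constructed sample')\n")
        Path(d, "notes.php").write_text("<?php // constructed sample ?>")
        Path(d, "photo.jpg").write_bytes(b"\xff\xd8\xff")
        Path(d, "fake.pyzw").write_text("not a zip")
        return triage(d)
```

Point `triage()` at the folder where received attachments are saved; entries with `runnable_zipapp` set to `True` are the ones a Python installation would run when opened.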

Using Dedicated Software Against Malicious Scripts

Dedicated software like Bitdefender Ultimate Security can help you deter malicious scripts and other forms of digital intrusion, including viruses, worms, Trojans, ransomware, spyware, rootkits, and zero-day exploits. It has a wide range of advanced features, including complete real-time data protection, network threat prevention, behavioral detection technology, and a vulnerability assessment module.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
