A security researcher recently unveiled a significant vulnerability in the WhatsApp Windows client that could let threat actors execute arbitrary Python and PHP scripts without warning.
Saumyajeet Das, who made the startling discovery, identified the flaw while experimenting with file types that could be appended to WhatsApp conversations. The researcher conducted routine security checks to see if the Windows client allowed users to send risky file types.
While WhatsApp for Windows has a built-in blacklist that restricts users from sending certain types of documents to prevent attacks, the client doesn’t restrict Python scripts and PHP files.
And, according to BleepingComputer, the company doesn’t plan to add Python scripts to the list of restricted extensions any time soon.
Typically, when attempting to send potentially dangerous files such as COM, BAT, SCR, or EXE files, WhatsApp for Windows shows the recipients the options of saving the file locally or opening it.
However, upon trying to launch such a file directly, the Windows client returns an error prompt, forcing the user to save the file locally and execute it from its destination. Certain other file types, although potentially hazardous, are not blocked by WhatsApp for Windows at all. These include PYZ, PYZW, EVTX and PHP files.
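The gap described above is a property of any deny-by-extension rule: whatever is not on the list passes. The following added example (not code from the article, WhatsApp or Meta) models a chat-attachment filter two ways, using the extensions the article names as the blocklist and the unblocked set, and a hypothetical default-deny allowlist of document and media types; the sample file names are constructed and include a double extension and a trailing dot, which Windows strips when saving.

```python
"""Added illustration: why an extension blocklist misses attachment types and how
a default-deny allowlist closes the gap. Not WhatsApp's code or policy."""
from pathlib import PureWindowsPath

# Extensions the article reports the WhatsApp Windows client refuses to open directly.
CLIENT_BLOCKLIST = {".com", ".bat", ".scr", ".exe"}
# Extensions the article reports the client does not block.
REPORTED_UNBLOCKED = {".pyz", ".pyzw", ".evtx", ".php"}
# Hypothetical allowlist for an attachment gateway (assumption, not WhatsApp policy).
GATEWAY_ALLOWLIST = {".pdf", ".png", ".jpg", ".jpeg", ".docx", ".txt", ".mp4"}


def final_extension(filename: str) -> str:
    """Lowercase last extension. Windows drops trailing dots and spaces when it
    saves a file, so 'notes.pyz.' normalises to '.pyz' rather than ''."""
    return PureWindowsPath(filename.rstrip(". ")).suffix.lower()


def blocklist_decision(filename: str) -> str:
    """Deny-by-extension rule: anything not explicitly listed passes."""
    return "blocked" if final_extension(filename) in CLIENT_BLOCKLIST else "allowed"


def allowlist_decision(filename: str) -> str:
    """Default-deny rule: only known document/media types pass; the rest is held."""
    return "allowed" if final_extension(filename) in GATEWAY_ALLOWLIST else "held"


def audit(filenames):
    """Return rows (name, blocklist verdict, allowlist verdict, gap) where gap marks
    an attachment the blocklist lets through but the allowlist would hold."""
    rows = []
    for name in filenames:
        b, a = blocklist_decision(name), allowlist_decision(name)
        rows.append((name, b, a, b == "allowed" and a == "held"))
    return rows


# Constructed sample attachment names (not real traffic).
SAMPLE_ATTACHMENTS = [
    "invoice.pdf", "setup.EXE", "update.pyz", "photo.jpg.pyzw",
    "index.php", "system.evtx", "notes.pyz.", "meeting.docx",
]

if __name__ == "__main__":
    for name, b, a, gap in audit(SAMPLE_ATTACHMENTS):
        print(f"{name:16} blocklist={b:8} allowlist={a:8} {'GAP' if gap else ''}")
```

Every name in REPORTED_UNBLOCKED produces a GAP row: the blocklist allows it, the allowlist holds it.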
Das reported the vulnerability to Meta, WhatsApp’s parent company, through its bug bounty program. However, the company closed the issue without addressing it, stating that the client has a warning system that notifies users if they’re being messaged by someone not in their contact lists, or contacts who have registered their numbers in different countries.
Furthermore, a company representative said users shouldn’t interact with files from someone they don’t know, regardless of how they receive them.
However, a malicious actor could hijack an account and disseminate malicious scripts to all its contacts directly through the app.
The client’s inability to restrict these file types could spell disaster in many scenarios, including individual conversations, but also public and private chat groups.
Dedicated software like Bitdefender Ultimate Security can help you deter malicious scripts and other forms of digital intrusion, including viruses, worms, Trojans, ransomware, spyware, rootkits, and zero-day exploits. It has a wide range of advanced features, including complete real-time data protection, network threat prevention, behavioral detection technology, and a vulnerability assessment module.
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
September 06, 2024