Skip to main content

WhatsApp Vulnerability Allows Python, PHP Script Execution

A security flaw in WhatsApp for Windows allows Python and PHP scripts to execute without warning when opened by recipients. This vulnerability, affecting users with Python installed on their systems, could pose a risk to software developers, researchers, and power users.

The flaw enables the execution of Python (.PYZ, .PYZW) and PHP (.PHP) scripts directly within the WhatsApp client, bypassing any security prompts. Users who click "Open" on these file types will inadvertently execute the scripts, potentially exposing their systems to malicious code. The issue was discovered by IT security expert Saumyajeet Das, who found that these file types are not blocked by WhatsApp's current security measures.

This vulnerability is reminiscent of a similar issue that affected Telegram for Windows in April this year, where attackers could bypass security warnings and execute remote code by sending Python scripts. Telegram addressed the issue after it was reported, but WhatsApp has not taken similar action.

WhatsApp for Windows does block several high-risk file types, such as .EXE, .COM, .SCR, .BAT, .DLL, .HTA, and VBS, requiring these files to be saved to disk before execution. However, Python and PHP scripts are not included in this blocklist, allowing them to be executed directly from the application.

Meta, the parent company of WhatsApp, was informed of the vulnerability on June 3. Despite acknowledging the issue on July 15, Meta has not implemented a fix. In a statement to BleepingComputer, Meta indicated that they consider it the users' responsibility to avoid opening unknown files.

"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user," said a Meta spokesperson. "It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app."

The vulnerability's impact could be substantial, particularly if malicious attachments are posted in public or private WhatsApp chat groups, potentially affecting multiple recipients. Das expressed concern about the risk of malicious code transfer in such scenarios and suggested that Meta could mitigate the issue by adding .PYZ and .PYZW to their blocklist.

As of the latest reports, the vulnerability remains unaddressed in the current version of WhatsApp for Windows. Users are advised to exercise caution and avoid opening files from unknown sources to protect their systems from potential threats.



See TessMore Internet Business Must-Reads
Labels:

Comments

Post a Comment

Popular posts from this blog

Only 1 in 10 NFT Owners Have Never Experienced a Scam

A new survey from PrivacyHQ reveals 90% or nine out of 10 respondents experienced an NFT scam. This level of uncertainty is cause for concern for a relatively new marketplace that is generating billions of dollars. Only 1 in 10 NFT Owners Have Never Experienced a Scam The PrivacyHQ survey spoke to 1,008 people in the U.S. who are actively investing in and own NFTs. And according to the report, there are some horror stories and great lessons to be learned. The key takeaways from the survey are: Less than half of NFT owners feel their NFTs are secure Two out of 3 respondents said they had panic-sold NFTs in the past Nine out of 10 respondents had experienced an NFT scam Half of the respondents had lost access to their NFTs at some point When it comes to NFT scams there were multiple ways in which buyers were scammed. Topping the list of the most common scams experienced by these respondents starts out with the NFT provider shutting down or changing their URL at 44.8%. Next is...
1 comment
Read more

Thousands Still Available in COVID Relief with These Small Business Grants

Building improvements can be a major expense for small businesses. And many had to make certain changes to navigate the past few years. Restaurants set up outdoor patios. Historic properties restored their storefronts. And offices added energy efficient features. Many businesses also have improvement projects planned for 2022. Luckily, many small business grant programs across the country make these projects more attainable, thus improving the customer experience and the community at large. Here are some current small business grant opportunities for building improvements, pandemic recovery, and more. Raleigh Building-Up Fit Grant Raleigh’s Small Business Development department is launching a new grant opportunity for local businesses. The Building-Up Fit Grant offers matching reimbursement funds up to $25,000 for eligible renovation projects. Businesses with 50 employees or less can apply for grants to cover projects that significantly improve the appearance and value of the pro...
Post a Comment
Read more

openSNP Shutters Over Privacy and Authoritarianism Concerns

OpenSNP, a long-running open-source genetic data platform, is shutting down after citing growing concerns over data privacy, the misuse of genetic information by law enforcement, and the rise of authoritarian governments. The decision comes as 23andMe, a major source of user-submitted genetic data for openSNP, faces bankruptcy and a potential selloff of user data . Founded in 2011, openSNP allowed users to upload genetic data from services like 23andMe to make it freely available for scientific research. Co-founder Bastian Greshake Tzovaras said the closure was triggered in part by the collapse of 23andMe and the broader political climate. Speaking to TechCrunch, he stated : “The risk/benefit calculus of providing free and open access to individual genetic data in 2025 is very different compared to 14 years ago.” The database has collected roughly 7,500 genomes and supported academic work across biomedical research, information security, and more. But its founder now questions the ...
Post a Comment
Read more