Skip to main content

WhatsApp Vulnerability Allows Python, PHP Script Execution

A security flaw in WhatsApp for Windows allows Python and PHP scripts to execute without warning when opened by recipients. This vulnerability, affecting users with Python installed on their systems, could pose a risk to software developers, researchers, and power users.

The flaw enables the execution of Python (.PYZ, .PYZW) and PHP (.PHP) scripts directly within the WhatsApp client, bypassing any security prompts. Users who click "Open" on these file types will inadvertently execute the scripts, potentially exposing their systems to malicious code. The issue was discovered by IT security expert Saumyajeet Das, who found that these file types are not blocked by WhatsApp's current security measures.

This vulnerability is reminiscent of a similar issue that affected Telegram for Windows in April this year, where attackers could bypass security warnings and execute remote code by sending Python scripts. Telegram addressed the issue after it was reported, but WhatsApp has not taken similar action.

WhatsApp for Windows does block several high-risk file types, such as .EXE, .COM, .SCR, .BAT, .DLL, .HTA, and VBS, requiring these files to be saved to disk before execution. However, Python and PHP scripts are not included in this blocklist, allowing them to be executed directly from the application.

Meta, the parent company of WhatsApp, was informed of the vulnerability on June 3. Despite acknowledging the issue on July 15, Meta has not implemented a fix. In a statement to BleepingComputer, Meta indicated that they consider it the users' responsibility to avoid opening unknown files.

"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user," said a Meta spokesperson. "It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app."

The vulnerability's impact could be substantial, particularly if malicious attachments are posted in public or private WhatsApp chat groups, potentially affecting multiple recipients. Das expressed concern about the risk of malicious code transfer in such scenarios and suggested that Meta could mitigate the issue by adding .PYZ and .PYZW to their blocklist.

As of the latest reports, the vulnerability remains unaddressed in the current version of WhatsApp for Windows. Users are advised to exercise caution and avoid opening files from unknown sources to protect their systems from potential threats.



See TessMore Internet Business Must-Reads
Labels:

Comments

Post a Comment

Popular posts from this blog

13 Best Cheap Web Hosting Services of 2022 (Ranked)

  Let’s face it: there are a ton of different   web hosting options   on the market with great features. A lot of the time, it comes down to price.  I ranked and reviewed the best cheap web hosting options to try this year.  These reviews are based on pricing, hosting features, integrations, security, speed, and more. Let’s get started. Disclaimer:  This article contains affiliate links that I receive a small commission for at no cost to you. However, these are merely the tools I fully recommend when it comes to hosting a website. You can read my full affiliate disclosure in my  privacy policy . What is the Best Cheap Web Hosting? Here are my top picks for the best cheap web hosting: 1.  Bluehost . Bluehost  is a web hosting company that hosts over 2 million domains collectively. Their initial plan starts at $2.95 per month, and you get a 30-days money-back guarantee with all the plans. Recommended web host by WordPress.org for more than a de...
1 comment
Read more

How to Safely Change Your WordPress Theme (Beginner’s Guide)

Learning how to change your WordPress theme seems like a very basic thing. Simply go to Appearance > Themes , hover over any of the available WordPress themes, and click Activate , right? While that is correct in principle and works well for a site that is basically empty, it gets a bit more complicated for an established website with a lot of content. In that case, it becomes more of a case of how to change your WordPress theme safely and without losing anything. And that’s exactly what will talk about here. In the following, you will learn what risks there are to changing your WordPress theme. We will talk about how to prepare for the switch, different ways of performing it, and how to check your site after you are done. Changing Your WordPress Theme: Potential Risks Before going over the how-to part, let’s first discuss why you need to be cautious when changing your WordPress theme and what things can break. First of all, you can generally relax. WordPress is built in a way ...
Post a Comment
Read more

Five Common iPage Email Problems and Solutions

If you’re paying for some of the popular services offered by iPage – cheap web hosting , domain names , and dedicated servers  – you’re likely using iPage email as well.  iPage is well known for its affordable pricing and user-friendly solutions. However, its services have not always been 100% reliable.  Such is the case with iPage email, which often stops working. If your email is acting up, several possible reasons exist. Read on to find out why you can’t access your iPage webmail and what you can do about it. Reasons why iPage email isn’t working  If your iPage email is not working, that’s usually because you’ve typed in the wrong password or account name or your internet connection is not strong enough. Other suspects are a blocked IP address, a poorly set up email account, and an overloaded queue.  Your IP is blocked  When you enter a wrong password 6 times in a row in under 5 minutes, iPage blocks your IP address out of precaution. You have...
Post a Comment
Read more