Skip to main content

WhatsApp Vulnerability Allows Python, PHP Script Execution

A security flaw in WhatsApp for Windows allows Python and PHP scripts to execute without warning when opened by recipients. This vulnerability, affecting users with Python installed on their systems, could pose a risk to software developers, researchers, and power users.

The flaw enables the execution of Python (.PYZ, .PYZW) and PHP (.PHP) scripts directly within the WhatsApp client, bypassing any security prompts. Users who click "Open" on these file types will inadvertently execute the scripts, potentially exposing their systems to malicious code. The issue was discovered by IT security expert Saumyajeet Das, who found that these file types are not blocked by WhatsApp's current security measures.

This vulnerability is reminiscent of a similar issue that affected Telegram for Windows in April this year, where attackers could bypass security warnings and execute remote code by sending Python scripts. Telegram addressed the issue after it was reported, but WhatsApp has not taken similar action.

WhatsApp for Windows does block several high-risk file types, such as .EXE, .COM, .SCR, .BAT, .DLL, .HTA, and VBS, requiring these files to be saved to disk before execution. However, Python and PHP scripts are not included in this blocklist, allowing them to be executed directly from the application.

Meta, the parent company of WhatsApp, was informed of the vulnerability on June 3. Despite acknowledging the issue on July 15, Meta has not implemented a fix. In a statement to BleepingComputer, Meta indicated that they consider it the users' responsibility to avoid opening unknown files.

"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user," said a Meta spokesperson. "It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app."

The vulnerability's impact could be substantial, particularly if malicious attachments are posted in public or private WhatsApp chat groups, potentially affecting multiple recipients. Das expressed concern about the risk of malicious code transfer in such scenarios and suggested that Meta could mitigate the issue by adding .PYZ and .PYZW to their blocklist.

As of the latest reports, the vulnerability remains unaddressed in the current version of WhatsApp for Windows. Users are advised to exercise caution and avoid opening files from unknown sources to protect their systems from potential threats.



See TessMore Internet Business Must-Reads
Labels:

Comments

Post a Comment

Popular posts from this blog

13 Best Cheap Web Hosting Services of 2022 (Ranked)

  Let’s face it: there are a ton of different   web hosting options   on the market with great features. A lot of the time, it comes down to price.  I ranked and reviewed the best cheap web hosting options to try this year.  These reviews are based on pricing, hosting features, integrations, security, speed, and more. Let’s get started. Disclaimer:  This article contains affiliate links that I receive a small commission for at no cost to you. However, these are merely the tools I fully recommend when it comes to hosting a website. You can read my full affiliate disclosure in my  privacy policy . What is the Best Cheap Web Hosting? Here are my top picks for the best cheap web hosting: 1.  Bluehost . Bluehost  is a web hosting company that hosts over 2 million domains collectively. Their initial plan starts at $2.95 per month, and you get a 30-days money-back guarantee with all the plans. Recommended web host by WordPress.org for more than a de...
2 comments
Read more

Only 1 in 10 NFT Owners Have Never Experienced a Scam

A new survey from PrivacyHQ reveals 90% or nine out of 10 respondents experienced an NFT scam. This level of uncertainty is cause for concern for a relatively new marketplace that is generating billions of dollars. Only 1 in 10 NFT Owners Have Never Experienced a Scam The PrivacyHQ survey spoke to 1,008 people in the U.S. who are actively investing in and own NFTs. And according to the report, there are some horror stories and great lessons to be learned. The key takeaways from the survey are: Less than half of NFT owners feel their NFTs are secure Two out of 3 respondents said they had panic-sold NFTs in the past Nine out of 10 respondents had experienced an NFT scam Half of the respondents had lost access to their NFTs at some point When it comes to NFT scams there were multiple ways in which buyers were scammed. Topping the list of the most common scams experienced by these respondents starts out with the NFT provider shutting down or changing their URL at 44.8%. Next is...
Post a Comment
Read more

How to Safely Change Your WordPress Theme (Beginner’s Guide)

Learning how to change your WordPress theme seems like a very basic thing. Simply go to Appearance > Themes , hover over any of the available WordPress themes, and click Activate , right? While that is correct in principle and works well for a site that is basically empty, it gets a bit more complicated for an established website with a lot of content. In that case, it becomes more of a case of how to change your WordPress theme safely and without losing anything. And that’s exactly what will talk about here. In the following, you will learn what risks there are to changing your WordPress theme. We will talk about how to prepare for the switch, different ways of performing it, and how to check your site after you are done. Changing Your WordPress Theme: Potential Risks Before going over the how-to part, let’s first discuss why you need to be cautious when changing your WordPress theme and what things can break. First of all, you can generally relax. WordPress is built in a way ...
Post a Comment
Read more