WhatsApp for Windows Flaw Allows Python and PHP Execution Without Warning Users

• The latest version of WhatsApp for Windows allows arbitrary code execution without warning the user.
• This flaw permitting Python and PHP execution targets users who have Python already installed, such as software developers.
• WhatsApp reportedly does not plan to block Python scripts from being shared or downloaded. 

The latest version of WhatsApp for Windows has a significant security vulnerability that allows arbitrary code execution by bypassing existing security mitigations, according to cybersecurity researcher Saumyajeet Das, who also provided a Proof of Concept (PoC) video.

The flaw allows sending Python and PHP attachments, which WhatsApp for Windows executes without warning the user when opened. A potential attack would target software developers, researchers, and power users, as Python needs to be installed on the user’s device.

Of course, the popular Meta-owned messaging app blocks multiple file types that present risks to users, such as .EXE, .COM, .SCR, .BAT, Perl, .DLL, .HTA, and VBS, for which the Windows client displayed an error if the user tried to open them directly, allowing execution only after saving to disk first.

However, PHP files are not included, and Python scripts may not be added to the list anytime soon. The security researcher reported this security issue to Meta.

Telegram for Windows had a similar, initially rejected issue in April, which permitted circumventing security warnings and performing remote code execution when opening a sent Python .pyzw file.

Recently, a cybercriminal was seen selling a Telegram zero-day exploit on a Russian-speaking hacking forum. The exploit allowed attackers to send hidden malicious APK payloads that look like multimedia files via Android Telegram channels, groups, and chat in v10.14.4 and older. Also, Telegram’s versatility as a messaging app has attracted cybercriminals who use it for nefarious purposes.