WhatsApp for Windows Flaw Allows Python and PHP Execution Without Warning Users

Published on July 29, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

The latest version of WhatsApp for Windows has a significant security vulnerability that allows arbitrary code execution by bypassing existing security mitigations, according to cybersecurity researcher Saumyajeet Das, who also provided a Proof of Concept (PoC) video.

The flaw allows sending Python and PHP attachments, which WhatsApp for Windows executes without warning the user when opened. A potential attack would target software developers, researchers, and power users, as Python needs to be installed on the user’s device.

Of course, the popular Meta-owned messaging app blocks multiple file types that present risks to users, such as .EXE, .COM, .SCR, .BAT, Perl, .DLL, .HTA, and VBS, for which the Windows client displayed an error if the user tried to open them directly, allowing execution only after saving to disk first.

However, PHP files are not included, and Python scripts may not be added to the list anytime soon. The security researcher reported this security issue to Meta.

Telegram for Windows had a similar, initially rejected issue in April, which permitted circumventing security warnings and performing remote code execution when opening a sent Python .pyzw file.

Recently, a cybercriminal was seen selling a Telegram zero-day exploit on a Russian-speaking hacking forum. The exploit allowed attackers to send hidden malicious APK payloads that look like multimedia files via Android Telegram channels, groups, and chat in v10.14.4 and older. Also, Telegram’s versatility as a messaging app has attracted cybercriminals who use it for nefarious purposes.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: