As observed, WhatsApp for Windows does not block Python or PHP script execution on Windows systems. This behavior threatens users as it potentially allows malicious scripts.
WhatsApp Lets Script Execution On Windows Devices Go Without Warnings
Meta’s WhatsApp chat platform exhibits a weird feature that raises security concerns. According to the researcher Saumyajeet Das, WhatsApp for Windows does not generate security warnings when downloading Python files from WhatsApp chats. Thus, it becomes possible for an adversary to send malicious scripts to a target WhatsApp Windows user.
While WhatsApp usually blocks most file types, such as .exe and .bat files, generating warning prompts to prevent security risks, it does not include three file types: .PYZ (Python ZIP app), .PYZW (PyInstaller program) and .EVTX (Windows event Log file).
Following Das’s report, Bleeping Computer further investigated the matter and confirmed the researchers’ findings. In fact, Bleeping Computer also observed similar leniency from WhatsApp for PHP scripts, demonstrating their findings in a video.
Meta Doesn’t Deem It A Security Issue
Upon discovering this security issue, Das responsibly disclosed the vulnerability to Meta via their bug bounty program. However, the tech giant refused to acknowledge it as a flaw.
According to their statement to Bleeping Computer, Meta officials do not consider this WhatsApp behavior a security flaw. Instead, they seem content with WhatsApp’s existing alert system. Moreover, they also put the onus of safety on the users, reiterating how they warn users not to open or interact with files received from untrusted sources.
We’ve read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user… It’s why we warn users to never click on or open a file from somebody they don’t know, regardless of how they received it — whether over WhatsApp or any other app.
Nonetheless, this issue is alarming because of its malicious exploitation following a WhatsApp account hijack. Numerous reports have surfaced online in the past, highlighting WhatsApp vulnerabilities that allow account hijacking via WhatsApp calls or data theft.
If an adversary chains one or more WhatsApp vulnerabilities, the subsequent malicious script execution may devastate the users. Still, Meta does not seem willing to add Python and PHP files to its block list to prevent malicious exploitation. Therefore, users must remain cautious when interacting with WhatsApp files, particularly on Windows.
Let us know your thoughts in the comments.