WhatsApp vulnerability allows script execution

A security vulnerability in WhatsApp for Windows allows program attachments to be sent that start immediately without warning when opened.


(Image: Generated with Dall-E by heise online)

This article was originally published in German and has been automatically translated.

A security vulnerability in the current version of WhatsApp for Windows allows Python and PHP attachments to be sent. When the recipient opens these, the scripts start automatically without any warning message or further information. However, Python must be installed on the target device for the attack to succeed. Therefore, software developers and power users are primarily susceptible to this vulnerability.

As the news portal BleepingComputer reports, this vulnerability is similar to the problem with Telegram for Windows that occurred in April of this year. Back then, attackers were able to bypass security warnings and execute remote code by sending Python scripts via the messaging client. WhatsApp currently blocks several file types when selecting file attachments. PHP and Python scripts are not included.

The vulnerability was discovered by IT security expert Saumyajeet Das. The cyber security researcher had experimented with different file types, attaching them to WhatsApp chats to see which file types were allowed and how the attachments behaved when opened.

Usually, trying to open an attached file directly results in an error message from WhatsApp for Windows. Users then only have the option of saving the attachment. BleepingComputer checked these results and was able to confirm the behavior with .EXE, .COM, .SCR, .BAT and Perl files. WhatsApp also blocked the execution of .DLL, .HTA and .VBS file types.

Saumyajeet Das found that the file types .PHP (PHP script), .PYZ (Python ZIP executable), .PYZW (PyInstaller program) and .EVTX (Windows event log file) are opened directly without any prompt and run via the application or shell associated with them in Windows. Saumyajeet Das sees a particularly high risk when such attachments are posted in public and private WhatsApp chat groups: they would reach several recipients whose systems meet the requirements, and the risk of malicious code being delivered is correspondingly high.
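Whether a given Windows machine is exposed depends on which handler is registered for these extensions. The following PowerShell check is an added example, not part of the original article. The helper name `Get-OpenHandler` is hypothetical, and the registry locations are the standard Windows file-association keys.

```powershell
# Added example (not from the article): list the "open" handler Windows has
# registered for the extensions the article reports as opening without a prompt.
$extensions = '.php', '.pyz', '.pyzw', '.evtx'

function Get-OpenHandler {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Extension)

    # A per-user "Open with" choice takes precedence over the machine default.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId

    if (-not $progId) {
        # Otherwise the default value of HKEY_CLASSES_ROOT\<.ext> names the ProgID.
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    }

    $command = $null
    if ($progId) {
        # Classic handlers store their command line here; packaged (Store) apps
        # may register a ProgID without one, so Command can stay empty.
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }

    [pscustomobject]@{
        Extension  = $Extension
        ProgId     = $progId
        Command    = $command
        HasHandler = [bool]$progId
    }
}

$extensions | ForEach-Object { Get-OpenHandler -Extension $_ } | Format-Table -AutoSize -Wrap
```

A row with `HasHandler` set to `False` means this check found no association for that extension for the current user. Rows whose `Command` points at a script interpreter are the ones relevant to the behavior described above.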

Meta was already informed about the error on June 3 and replied on July 15 that the problem was known and should have been fixed in the meantime. However, when Saumyajeet Das sent his findings to BleepingComputer, the bug still existed in the WhatsApp version for Windows. BleepingComputer was then also able to reproduce the bug under Windows 11, version v2.2428.10.0.

So far, Meta has not commented on this new report about the known bug.

(anw)