WhatsApp It has more than 2 billion users worldwide, a base so broad that it forces Goal to offer maximum security against cyberattacks on its messaging platform. Recently, a researcher discovered a major bug or failure in the Windows version of WhatsApp which he reported to Meta, but which it has, for the moment, no intention of solving and which allows run certain types of files from the application without the recipient receiving any warning when opening themwhich is a potential entry route for malware into the computer.
The discovery was made by cybersecurity researcher Saumyajeet Das who was testing different types of potentially dangerous files that could be attached to a WhatsApp chat. For example, if a message is sent .EXE -self-executable file- WhatsApp shows it to the recipient and gives them two options: Open either Save as. If you choose the first, WhatsApp will prevent it from being run from the application and the only option left to the user is to download it to his computer to start it from there and under his own responsibility. Das found Three types of files that could be executed from WhatsApp without the app blocking them: .PYZ -Python ZIP application-, .PYZW -PyInstaller program- and .EVTX -Windows event log file-.
For an attack using any of these types of files to be successful The user must have Python installed on their computerwhich limits the vulnerability primarily to software developers and other advanced users. Python It is a high-level, general-purpose programming language used in applications for web development, data analysis, artificial intelligence, task automation, software development, and other purposes.
Later, the media Bleeping Computer confirmed that WhatsApp does not block the execution of Python files and They found that the same thing happens with PHP scripts. PHP It is another general-purpose programming language that is used in a wide range of web applications, from simple websites and blogs to complex web applications and content management systems such as WordPressthe most used to build websites, Joomla and Drupal.
Meta’s response
Das reported the issue to Meta on June 3, and the company responded on July 15, saying the issue had already been reported by another researcher. ‘I have reported this issue to Meta through their bug bounty program, but unfortunately they closed it as not applicable“It’s disappointing, as it’s a simple bug that could easily be mitigated,” the researcher told the outlet.
A WhatsApp spokesperson told Bleeping Computer that They didn’t see it as a problemso there were no plans to block the execution of Python files, without reference to the case of PHP scripts.
‘We have read what the researcher has proposed and appreciate his presentation. Malware can take many different forms, including through downloadable files intended to trick a user. That is why We warn users to never click or open a file from someone they don’t know.regardless of how they received it, whether through WhatsApp or any other application,’ he explained.
Das believes that by adding the .pyz and .pyzw extensions to your block listMeta would fix the issue with Python and that ‘it would not only improve the security of its users, but would also demonstrate its commitment to promptly addressing security concerns.’