WhatsApp for Windows Security Flaw Allows Executing Python, PHP Files Without Warning: Report

WhatsApp was reportedly informed of the issue, but the company did not see it as a problem at its end.

Written by Akash Dutta, Edited by Siddharth Suvarna | Updated: 31 July 2024 14:29 IST
Highlights
  • Security researcher Saumyajeet Das from Zeron found this vulnerability
  • WhatsApp is said to not block .PYZ, .PYZW, and .EVTX files from launching
  • WhatsApp reportedly dismissed the researcher’s report

WhatsApp for Windows reportedly has a vulnerability that can be exploited by bad actors. According to the report, the flaw involves executable Python and PHP files, for which the app does not show a warning. As a result, an unsuspecting user might accidentally save and run the file, allowing the attacker to deploy the payload. WhatsApp has reportedly refused to take any action, saying that the problem is not at its end and that it already warns users not to download files from unknown senders.

WhatsApp for Windows Reportedly Has a Security Flaw

According to a report by Bleeping Computer, the vulnerability was found in the latest version of the WhatsApp for Windows app. It is said to allow users to send Python and PHP attachments in executable format. When these files are downloaded at the recipient's end, the instant messaging platform does not show a warning notification.

The security flaw was discovered by cybersecurity firm Zeron's security researcher Saumyajeet Das. As per the report, WhatsApp in most cases does not allow launching potentially harmful files such as .EXE. While the user may see options of Open or Save As, clicking on Open generates an error. The user may still save the file on the device and launch it, but the warning acts as a reminder of the malicious nature of the file. This behaviour is said to be consistent for file formats such as .EXE, .COM, .SCR, .BAT, and Perl.

However, the researcher reportedly found that three file types — .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows Event Log file) — did not trigger the error, and users could open and launch these files directly from within the app. Further, the publication found that the same exception existed for PHP files.
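As an added illustration (not code from WhatsApp, the researcher or the report), the sketch below shows a receiving-side check that covers the extensions the report lists and also inspects content, so a Python ZIP app or PHP script saved under another name is still flagged. The function names, verdict strings and sample bytes are constructed for this example.

```python
import io
import os
import zipfile

# Extensions named in the report: blocked by the app vs. reportedly not blocked.
BLOCKED_PER_REPORT = {".exe", ".com", ".scr", ".bat"}
MISSED_PER_REPORT = {".pyz", ".pyzw", ".evtx", ".php"}


def classify_attachment(name: str, data: bytes) -> str:
    """Verdict for a received file, based on its name and then its content."""
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCKED_PER_REPORT | MISSED_PER_REPORT:
        return f"block: extension {ext}"
    # A Python ZIP app is a ZIP archive with a top-level __main__.py, optionally
    # preceded by a "#!" line, so renaming the file does not change what it is.
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        try:
            with zipfile.ZipFile(buf) as zf:
                if "__main__.py" in zf.namelist():
                    return "block: Python ZIP app content"
        except zipfile.BadZipFile:
            return "block: malformed archive"
    # PHP source is recognised by its opening tag near the start of the file.
    if b"<?php" in data[:1024].lower():
        return "block: PHP source content"
    return "allow"


def build_sample_zipapp() -> bytes:
    """Constructed, harmless sample: "#!" line followed by a ZIP with __main__.py."""
    buf = io.BytesIO()
    buf.write(b"#!/usr/bin/env python3\n")
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("__main__.py", "print('constructed sample')\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zipapp()
    for fname, blob in [("tool.pyz", sample), ("photo.jpg", sample),
                        ("notes.txt", b"<?php echo 'constructed'; ?>"),
                        ("notes.txt", b"plain text")]:
        print(fname, "->", classify_attachment(fname, blob))
```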


Notably, an attack conducted using these file types will not be successful unless the user has Python installed on their system. This narrows the set of vulnerable users to software developers, researchers, and others who code on their system.

The publication claims that Das reported the issue via Meta's bug bounty programme on June 3. But on July 15, the company replied that the same issue was previously reported by another researcher. The issue is still not fixed, as per the report, and it was said to be present in the latest WhatsApp for Windows 11 version v2.2428.10.0.


A WhatsApp spokesperson told the publication, “We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user. It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app.”

 
