Meta’s WhatsApp chat platform exhibits a weird feature that raises security concerns. According to the researcher Saumyajeet Das, WhatsApp for Windows does not generate security warnings when downloading Python files from WhatsApp chats. Thus, it becomes possible for an adversary to send malicious scripts to a target WhatsApp Windows user.
WhatsApp usually blocks most file types, such as .exe and .bat files, and generates warning prompts to prevent security risks. However, this protection does not cover three file types: .PYZ (Python ZIP app), .PYZW (PyInstaller program) and .EVTX (Windows Event Log file).
Following Das’s report, Bleeping Computer further investigated the matter and confirmed the researcher’s findings. In fact, Bleeping Computer also observed similar leniency from WhatsApp for PHP scripts.
Upon discovering this security issue, Das responsibly disclosed the vulnerability to Meta via their bug bounty program. However, the tech giant refused to acknowledge it as a flaw.
According to their statement to Bleeping Computer, Meta officials do not consider this WhatsApp behavior a security flaw. Instead, they seem content with WhatsApp’s existing alert system.
Moreover, they also put the onus of safety on the users, reiterating how they warn users not to open or interact with files received from untrusted sources.
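For defenders who do not want to rely on the client's prompt, the sketch below triages received attachments by extension and by content, which goes slightly beyond the article by also catching a Python ZIP app that has been renamed. It is an added example, not code from WhatsApp, Das or Bleeping Computer; the function names, result labels and sample files are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Hypothetical helper names; the extension list comes from the article.
UNWARNED_EXTS = {".pyz", ".pyzw", ".evtx", ".php"}

def is_python_zipapp(data: bytes) -> bool:
    """True if data is a ZIP archive with __main__.py at its root."""
    # The ZIP directory sits at the end of the file, so an optional
    # '#!' interpreter line in front of the archive does not hide it.
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return False
    try:
        with zipfile.ZipFile(stream) as zf:
            return "__main__.py" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def triage(filename: str, data: bytes) -> list:
    """Return the reasons a received attachment deserves review."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in UNWARNED_EXTS:
        reasons.append("unwarned-extension:" + ext)
    if is_python_zipapp(data):
        reasons.append("content:python-zipapp")
    if b"<?php" in data[:1024].lower():
        reasons.append("content:php-script")
    return reasons

def build_sample_zipapp() -> bytes:
    """Constructed, harmless sample: shebang line followed by a ZIP."""
    buf = io.BytesIO()
    buf.write(b"#!/usr/bin/env python3\n")
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("__main__.py", "print('constructed sample')\n")
    return buf.getvalue()

if __name__ == "__main__":
    samples = {  # constructed inputs, not real attachments
        "report.pyz": build_sample_zipapp(),
        "holiday_photos.zip": build_sample_zipapp(),  # renamed zip app
        "index.php": b"<?php echo 'constructed sample'; ?>\n",
        "notes.txt": b"plain text, nothing to flag here\n",
    }
    for name, blob in samples.items():
        print(name, "->", triage(name, blob) or "no findings")
```
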
Read all about it on https://latesthackingnews.com/2024/07/31/whatsapp-allows-python-php-script-execution-on-windows-without-warnings/
#whatsapp #windows #script #security #meta