Advisory

WhatsApp for Windows does not block execution when opening Python, PHP scripts sent as attachments

Take action: Until Meta changes their mind about this issue, the best you can do is diligence: configure WhatsApp to not accept files automatically, be very careful about who you accept files from, and never open files directly from WhatsApp. Open them in an editor outside of WhatsApp first.


Learn More

A security vulnerability in the latest version of WhatsApp for Windows allows Python and PHP attachments to be sent and executed without any warning when the recipient opens them. The issue, discovered by security researcher Saumyajeet Das, enables arbitrary code execution, which could be exploited by attackers to run malicious scripts on the recipient's system.

The vulnerability affects users who have Python or PHP installed on their systems, such as software developers, researchers, and power users, because the matching interpreter must be present for these scripts to execute.

WhatsApp allows Python (.PYZ, .PYZW) and PHP (.PHP) files to be executed when opened from the WhatsApp interface (clicking Open after receiving them). The same program prevents other file types, such as .EXE, .COM, .SCR, .BAT, .DLL, .HTA, and .VBS, from being executed when opened from the WhatsApp interface. The issue was reported to Meta on June 3. Meta responded on July 15, stating that the issue had already been reported by another researcher, and dismissed it as not eligible for a fix:

"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user."

"It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app."

The flaw allows attackers to send malicious Python or PHP scripts that execute upon opening, potentially leading to data theft or further malware infection. If a user's account is compromised, attackers can send malicious scripts to all contacts, exploiting the trust within the user's network.
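To make the blocklist gap concrete, here is an added example (not WhatsApp's or Meta's code) that audits the blocklist reported above against interpreter file associations and contrasts it with an allowlist policy. The interpreter map and the viewer allowlist are assumptions about a typical developer workstation, and the attachment names are constructed.

```python
import os

# Extensions the advisory reports WhatsApp refuses to open.
WHATSAPP_BLOCKLIST = frozenset({".exe", ".com", ".scr", ".bat", ".dll", ".hta", ".vbs"})

# Assumed interpreter associations on a developer's Windows host: the Python
# installer registers .py/.pyw/.pyz/.pyzw; .php depends on installed PHP tooling.
INTERPRETER_ASSOCIATIONS = {
    ".py": "python", ".pyw": "pythonw", ".pyz": "python", ".pyzw": "pythonw",
    ".php": "php",
}

# Assumed allowlist of types a chat client would render in its own viewer.
VIEWER_ALLOWLIST = frozenset({".pdf", ".jpg", ".jpeg", ".png", ".gif", ".mp4", ".txt"})


def extension_of(filename):
    """Final extension, lowercased: 'photo.jpg.PYZ' -> '.pyz', 'README' -> ''."""
    return os.path.splitext(filename.strip())[1].lower()


def blocklist_verdict(filename):
    """What a blocklist policy like the reported one does with the file."""
    ext = extension_of(filename)
    if ext in WHATSAPP_BLOCKLIST:
        return "blocked"
    if ext in INTERPRETER_ASSOCIATIONS:
        # Not on the blocklist, yet the OS hands it to an interpreter: the gap.
        return f"runs via {INTERPRETER_ASSOCIATIONS[ext]}"
    return "opens with default handler"


def allowlist_verdict(filename):
    """What an allowlist policy does: anything unrendered is held back."""
    return "rendered" if extension_of(filename) in VIEWER_ALLOWLIST else "held for manual review"


def blocklist_gaps():
    """Interpreter-bound extensions the blocklist misses."""
    return sorted(ext for ext in INTERPRETER_ASSOCIATIONS if ext not in WHATSAPP_BLOCKLIST)


# Constructed sample attachment names, not files observed in the wild.
SAMPLE_ATTACHMENTS = ["invoice.pdf", "setup.exe", "report.pyz", "tool.pyzw",
                      "index.php", "photo.jpg.PYZ", "README"]


def audit(attachments=SAMPLE_ATTACHMENTS):
    return {name: (blocklist_verdict(name), allowlist_verdict(name)) for name in attachments}


if __name__ == "__main__":
    for name, (blocked, allowed) in audit().items():
        print(f"{name:14} blocklist: {blocked:26} allowlist: {allowed}")
    print("blocklist gaps:", blocklist_gaps())
```

Running it shows every Python and PHP extension passing the blocklist while the allowlist holds them all, which is why extension blocklists are a weak control for a messaging client.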

Until Meta changes their mind about this issue, users can configure WhatsApp to not accept files automatically, and never open the files directly from WhatsApp.
