OneWriteup

WhatsApp For Windows Runs Arbitrary Python Code

by FOUNDER
August 10, 2024

 

Recent discoveries in the latest version of WhatsApp’s desktop application for Windows suggest that some file types might pose a potential security risk. The issue highlights a gap in WhatsApp’s file-handling security protocols, one that could allow certain scripts to execute without any warning to the user. Let’s dive into what this means, and why it might be more concerning than it first appears.

 

Understanding the Issue: The Latest WhatsApp Version

First, let’s set the stage. The version of WhatsApp in question is 2.24.29.10.19, the latest at the time of this exploration. The application, designed to connect seamlessly with your mobile WhatsApp via QR code, typically blocks the opening of executable files directly. For instance, if you try to send a standard .exe file, WhatsApp will prevent it from running, instead prompting you to save it to your device first. This safeguard is in place to protect users from inadvertently executing harmful software.

However, this protective measure seems to have some significant loopholes.

 

Testing the Limits: What WhatsApp Blocks and What It Doesn’t

To understand the vulnerability, a few simple tests were conducted. Normally, you’d expect that WhatsApp would treat all potentially executable files with the same level of caution. Files like .exe, .bat (batch scripts), and even .ps1 (PowerShell scripts) are commonly blocked or at least come with a warning. But what happens when we try something different, like a Python script or a PHP file?

Here’s where things get interesting. When an executable file is renamed to a less obvious extension, such as .hta (Hypertext Application), it is still blocked. This suggests that WhatsApp is relying on a deny list based on file extensions to determine what’s safe and what isn’t. But when we moved on to testing with a Python file (.pyz or .pyw), the results were unexpected: these files were not blocked. Even more concerning, they could be opened directly, allowing any code within to execute.
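The gap described above, as an added example (not code from WhatsApp or from the original article): a deny list built from the extensions the article reports as blocked lets .pyz, .pyw and .php through, while a default-deny allow list holds them for an explicit save. Both lists, the function names and the sample filenames are constructed for illustration, and the allow list goes beyond the article's proposed fix of extending the deny list.

```python
import ntpath

# Extensions the article reports as blocked (illustrative, not WhatsApp's real list).
DENY = {".exe", ".bat", ".ps1", ".hta"}
# Hypothetical allow list: passive document and media types only.
ALLOW = {".txt", ".pdf", ".png", ".jpg", ".mp4"}

# Constructed sample attachment names.
SAMPLES = [
    "setup.exe", "run.bat", "task.ps1", "page.hta",
    "calc.pyz", "calc.pyw", "index.php",
    "photo.JPG", "invoice.pdf.PYW", "tool.exe. ",
]


def effective_ext(filename: str) -> str:
    """Return the extension Windows would use to choose a handler."""
    # Windows drops trailing dots and spaces when a file is created,
    # so "tool.exe. " ends up on disk as "tool.exe".
    name = ntpath.basename(filename).rstrip(". ")
    # Only the last suffix counts, and matching is case-insensitive.
    return ntpath.splitext(name)[1].lower()


def deny_list_policy(filename: str) -> str:
    """Open directly unless the extension is known to be bad."""
    return "save-only" if effective_ext(filename) in DENY else "open"


def allow_list_policy(filename: str) -> str:
    """Open directly only if the extension is known to be passive."""
    return "open" if effective_ext(filename) in ALLOW else "save-only"


def gaps(filenames):
    """Names the deny list opens directly but the allow list holds back."""
    return [
        f for f in filenames
        if deny_list_policy(f) == "open" and allow_list_policy(f) == "save-only"
    ]


if __name__ == "__main__":
    for f in SAMPLES:
        print(f"{f!r:20} deny-list: {deny_list_policy(f):10} "
              f"allow-list: {allow_list_policy(f)}")
    print("gaps:", gaps(SAMPLES))
```
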

 

https://onewriteup.com/wp-content/uploads/2024/08/whatsapp-python-code-execution.mp4

 

A Real-World Example: The Python Script Test

To demonstrate, a simple Python script was crafted. This script was designed to open the calculator on a Windows machine—a harmless action for testing purposes but indicative of what more malicious code could do. The file was sent through WhatsApp, and when clicked, the calculator opened without any warnings from WhatsApp.

 

 

This scenario, while seemingly benign, raises red flags. If someone with malicious intent sent a Python script with harmful code, the same process would apply. The recipient clicks the file and, without realizing it, could be running a script that compromises their machine.

 

 

This is not just theoretical. A researcher discovered this vulnerability and reported it to Meta (the parent company of WhatsApp) through their bug bounty program. Unfortunately, the response was underwhelming. Meta acknowledged that the issue had been reported but decided it wasn’t a high-priority concern, as they claimed to have already addressed it in earlier versions. However, as of the most recent tests, the issue persists.

 

The Broader Implications: What File Types Could Be Dangerous?

Beyond Python, this vulnerability could extend to other scripting languages and file types. PHP scripts, for instance, have also been found to bypass WhatsApp’s block list. Imagine the potential for a malicious script to be delivered via WhatsApp to an unsuspecting user. The victim, believing they are opening a benign file, could be enabling a backdoor into their system or executing a ransomware attack.

Security professionals and developers understand that even if a file type is less common or requires specific software to execute (like Python needing to be installed), it doesn’t diminish the risk. Many power users and developers have environments set up on their machines that could make these vulnerabilities more exploitable.

 

Meta’s Response and the Need for Caution

Meta’s response to this discovery is that users should be wary of files sent from unknown sources, which is sound advice in general. However, the fact that WhatsApp already blocks certain executable files suggests that they recognize the potential risk of code execution through their platform. Extending this block to other file types, like Python scripts and PHP files, would be a straightforward and effective way to close this security gap.

Security researchers, like the one who discovered this issue, have expressed disappointment in Meta’s handling of the situation. The request is simple: add these potentially harmful file types to WhatsApp’s existing deny list. This would demonstrate a commitment to user safety and a proactive approach to security vulnerabilities.

 

Should You Be Concerned?

The question remains: should you be worried? While it’s true that a user must still actively open the file for it to execute, the fact that WhatsApp allows certain scripts to run without any warning is a cause for concern. As users, we rely on platforms like WhatsApp to help safeguard our interactions, and when those safeguards are incomplete, it opens the door to potential exploitation.

If you’re using WhatsApp on Windows, particularly if you’re a developer or someone who has environments like Python or PHP set up on your machine, it’s wise to exercise additional caution. Be wary of any files sent through the platform, especially those with unfamiliar extensions. It might also be worth considering alternate communication methods for sending files that could be potentially executable.

 

Conclusion: A Call for Better Security Practices

This situation with WhatsApp is a reminder of the ever-present need for vigilance in digital security. Even widely used and trusted applications can have gaps in their defenses. As users, we should remain informed and cautious, but developers and companies like Meta must also take responsibility for ensuring their platforms are as secure as possible.

Adding these file types to WhatsApp’s deny list is a simple fix that could prevent potentially serious security breaches. Let’s hope that this issue is resolved soon, and until then, stay alert and be mindful of the files you open.
