July 29th, 2024

WhatsApp for Windows lets Python, PHP scripts execute with no warning

A security vulnerability in WhatsApp for Windows allows execution of Python and PHP scripts without warnings. Discovered by researcher Saumyajeet Das, it poses risks for users, especially developers.

A security vulnerability in the latest version of WhatsApp for Windows allows the execution of Python and PHP scripts without any warning when received by users. This issue requires Python to be installed on the recipient's system, which may limit the potential targets to developers and power users. The flaw is reminiscent of a similar issue with Telegram for Windows, where security warnings could be bypassed, enabling remote code execution. Despite WhatsApp's existing measures to block certain risky file types, it does not plan to add Python scripts to its blocklist.

Security researcher Saumyajeet Das discovered this vulnerability while testing file attachments and reported it to Meta, WhatsApp's parent company, on June 3. Meta acknowledged the report but later dismissed it as not a problem on their side, stating that users should be cautious about opening files from unknown sources. Das expressed disappointment with this response, suggesting that simply adding Python file extensions to the blocklist could mitigate the risk.

The vulnerability poses a significant threat, as malicious scripts could be sent through hijacked accounts or shared in group chats, making it easier for attackers to exploit unsuspecting users. BleepingComputer confirmed that WhatsApp does not block the execution of these scripts, raising concerns about user security and the platform's commitment to addressing such vulnerabilities.

Related

Universal Code Execution by Chaining Messages in Browser Extensions

Researchers demonstrate universal code execution in browser extensions by exploiting messaging APIs, bypassing security measures. Vulnerabilities in extensions can compromise millions of users, allowing access to sensitive data and enabling arbitrary command execution.

Exim vulnerability affecting 1.5M servers lets attackers attach malicious files

A critical vulnerability in Exim mail transfer agent (CVE-2024-39929) exposes 1.5 million email servers to attacks delivering malicious attachments. No active exploits reported, but admins urged to update Exim to version 4.98 RC3 for protection.

Telegram zero-day allowed sending malicious Android APKs as videos

A zero-day vulnerability in Telegram for Android, named 'EvilVideo,' allowed attackers to send malicious APK payloads disguised as videos. The flaw was patched in version 10.14.5 after responsible disclosure. Users should update their app.

Telegram zero-day for Android allowed malicious files to masquerade as videos

Researchers found a zero-day exploit in Telegram for Android, named EvilVideo. Telegram fixed it in versions 10.14.5+. Attackers could send malicious files as videos. Exploit sold on forum. Patched version prevents automatic downloads. Threat actor unknown.

Hackers bypass Windows SmartScreen flaw to launch malware

Cybercriminals are exploiting a Microsoft Defender vulnerability (CVE-2024-21412) to install malware undetected. Many systems remain unpatched, making them vulnerable. Users should update Windows and be cautious with email attachments.
