WhatsApp for Windows had a potentially serious security flaw — but good news, you should be safe

In this photo illustration, the WhatsApp logo is displayed on a smartphone screen.
(Image credit: Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

The Windows client for popular instant messaging platform WhatsApp has a rather worrying flaw, but owner Meta apparently doesn’t think it should be the one addressing it.

Instead, it believes that it falls upon the user to be careful not to get infected - but fortunately, the attack surface seems to be rather small, so you should be safe.

Security researcher Saumyajeet Das analyzed WhatsApp for Windows, to see which file types the client can run natively. The majority of risky ones, such as .EXE, .COM, .SCR., or .BAT were blocked, and can only be run if first saved to the computer’s hard drive. However, there are a few that the client runs directly - .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows event Log file).

Negative response

In other words, if the victim clicks “Open” on any of these files in WhatsApp, they will execute the script (including malicious code) instantly. The caveat here is that the victim first needs to have Python installed which, apparently, not many people do.

 According to BleepingComputer, this prerequisite limits the targets to software developers, researchers, and power users. 

Das reported the problem to Meta in early June 2024, and got a response a month and a half later, saying that the issue was already reported. Apparently, Meta will not be addressing it, at all. In a statement given to BleepingComputer, the company basically said it’s up to the users to make sure they don’t open malicious files:

"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user,” the statement reads. "It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app."

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS