Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

WhatsApp for Windows had a potentially serious security flaw — but good news, you should be safe

In this photo illustration, the WhatsApp logo is displayed on a smartphone screen.

The Windows client for popular instant messaging platform WhatsApp has a rather worrying flaw, but owner Meta apparently doesn’t think it should be the one addressing it.

Instead, it believes that it falls upon the user to be careful not to get infected - but fortunately, the attack surface seems to be rather small, so you should be safe.

Security researcher Saumyajeet Das analyzed WhatsApp for Windows, to see which file types the client can run natively. The majority of risky ones, such as .EXE, .COM, .SCR., or .BAT were blocked, and can only be run if first saved to the computer’s hard drive. However, there are a few that the client runs directly - .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows event Log file).

Negative response

In other words, if the victim clicks “Open” on any of these files in WhatsApp, they will execute the script (including malicious code) instantly. The caveat here is that the victim first needs to have Python installed which, apparently, not many people do.

 According to BleepingComputer, this prerequisite limits the targets to software developers, researchers, and power users. 

Das reported the problem to Meta in early June 2024, and got a response a month and a half later, saying that the issue was already reported. Apparently, Meta will not be addressing it, at all. In a statement given to BleepingComputer, the company basically said it’s up to the users to make sure they don’t open malicious files:

"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user,” the statement reads. "It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app."

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.