WhatsApp Desktop users who have Python installed on their Windows PCs are vulnerable to arbitrary code execution due to a flaw in how the application handles Python archive files.
A maliciously crafted .pyz file can be executed with a single click, granting attackers full control over the victim’s system. Meta has yet to classify this behavior as a security vulnerability, leaving millions of users potentially exposed.
Key Takeaways
1. WhatsApp Desktop auto-executes .pyz files on Windows if Python is installed.
2. Meta hasn’t deemed this a security flaw.
3. Users should unregister .pyz or disable Python; Meta needs file checks or warnings.
Malicious .pyz Archive
According to the H4x0r.DZ post on X, a Python archive (.pyz) bundles Python modules and scripts into a single executable file.
On Windows, double-clicking a .pyz file automatically launches the embedded Python interpreter if Python is installed and registered in the system’s PATHEXT.
A malicious .pyz file is created by the attacker and sent to the victim via WhatsApp Desktop. WhatsApp Desktop previews the file and then allows “Open” without warning. Windows then runs Python to execute the archive and run the payload.
This sequence bypasses typical user safeguards because WhatsApp Desktop does not validate or sandbox file types based on extensions beyond common media and document formats.
Users who have Python installed on their PCs and use WhatsApp Desktop may be exposed to a security risk. A specially crafted .pyz (Python archive) file can be used to execute malicious code upon a single click, potentially compromising the system. A similar vulnerability was… pic.twitter.com/Vs6th104OD
— H4x0r.DZ (@h4x0r_dz) August 25, 2025
A similar vulnerability in Telegram Desktop was discovered earlier this year, where .pyz files also executed automatically, leading to remote code execution.
Telegram patched the issue by implementing strict file-extension checks and warning dialogs before execution.
In contrast, Meta maintains that WhatsApp Desktop only handles “safe” desktop artifacts and does not treat Python archives as executable content.
As a result, no mitigation such as blocking .pyz previews or prompting for confirmation is currently in place.
Security experts recommend immediate measures for both users and Meta:
Users should unregister the .pyz extension.
Alternatively, uninstall or disable Python if not required.
Meta must update WhatsApp Desktop to detect .pyz files, prompt users before opening, or sandbox file handling routines.
Until Meta acknowledges and addresses this flaw, any Windows user with Python installed remains vulnerable to unsolicited code execution through WhatsApp Desktop. Vigilance and timely patching are essential to safeguard against potential exploitation.
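The detection step recommended above could look like the following sketch for a receiving client or a file gateway. It is an added example, not code from WhatsApp, Telegram or the original post; the function names and the prompt-or-block policy are assumptions, and the sample files are constructed inline.

```python
import io
import ntpath
import zipfile

# Extensions the Python launcher for Windows associates with zipapps.
ZIPAPP_EXTENSIONS = {".pyz", ".pyzw"}

def effective_extension(filename: str) -> str:
    """Extension Windows acts on; it ignores trailing dots and spaces."""
    base = ntpath.basename(filename).rstrip(". ")
    return ntpath.splitext(base)[1].lower()

def is_zipapp(data: bytes) -> bool:
    """True for ZIP data (optionally behind a '#!' line) holding a root __main__.py."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    try:
        with zipfile.ZipFile(buf) as zf:
            return "__main__.py" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def needs_confirmation(filename: str, data: bytes) -> bool:
    """Assumed policy: prompt or block if the name or the content says zipapp."""
    return effective_extension(filename) in ZIPAPP_EXTENSIONS or is_zipapp(data)

def build_sample(prefix: bytes, members: dict) -> bytes:
    """Constructed input: optional prefix, then ZIP data, the layout zipapp writes."""
    buf = io.BytesIO()
    buf.write(prefix)
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    pyz = build_sample(b"#!/usr/bin/env python3\n", {"__main__.py": "print('hi')\n"})
    docx = build_sample(b"", {"word/document.xml": "<w/>"})
    for name, data in [("invoice.pyz", pyz), ("invoice.PYZ. ", pyz),
                       ("invoice.pdf", pyz), ("notes.docx", docx)]:
        print(f"{name!r}: confirm={needs_confirmation(name, data)}")
```

The extension test covers what the Windows shell dispatches on, while the content test also catches an archive sent under another name, so it can be flagged before a user renames it.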