You can make the cmd window open in the background with a launch option in the pyz script, you don't have to use a pyzw file to make it hidden as far as I know.
The human is the weakest layer of cybersecurity. Meta's reply "oh but we warn users to be careful" means meta relies on the weakest security layer. Voilà
It should not be the file extension that is solely used, but a combination of file extension and MIME type. The MIME type can't be changed without breaking functionality, unlike a file extension.
This is just WhatsApp telling Windows to open the extension using the device’s default application installed in the current device (don’t forget it won’t work without python installed), & it is not WhatsApp’s fault, it’s basically WhatsApp calling Windows Library to run the extension. This is basically the same as you clicking on a python file / any other (can be .exe or any) downloaded from your chrome browser on the downloads page. The safeguard exists already within the OS, but it depends on Windows’ UAC settings. The WhatsApp feature you’ve shown is just a feature within the App (upload, download, and open), and is listed under Privacy and Policy where some sort of feature abuse would lead to permanent suspension (correct me if I’m wrong). Just don’t open files that are suspicious from random people, at the end of the day, it’s the user that’s gotta be smart. Since WhatsApp only calls Windows Libraries to run extensions based on default app used, it’s not really a threat (from WhatsApp’s perspective), if you were to put it in your scenario, Windows is indirectly the problem here, because it should’ve detected the file as a threat before it even gets uploaded. But I agree! Flawed Design.
@@llunuk yep, but the difference with this Video is, this guy is just stating that WhatsApp runs Arbitrary Python Code, unlike the LinkedIn guy that spreads misleading information ^^
When the PowerShell script opened, it clicked, and I immediately tested my theory. 😅 I tried the .ps1 method and discovered that whether the script opens depends on the default handler and how WhatsApp blocks execution. I created a test.ps1 that opens with a text editor but doesn’t when I set the default handler to PowerShell or terminal. I’ll post the screen recording ASAP. 😅
This is especially egregious on Windows. The Windows API allows applications to download files (be it to save or to put in a temporary directory to open) with a flag set to tell the shell that the file is from an untrusted source and that it should not be executed without user approval. This is what browsers do to downloaded files. Secondly, the Windows file type association registry allows for a few different "verbs" to be configured for any file type. This means that an application that wants to open a file in a third party application can use the verb in the API call to open/edit the file instead of using the verb to run/execute the file. Neither of these requires black or white listing file extensions or MIME types. It is also possible that the Windows Python and PHP installers improperly set the open/edit verb action in the registry to mirror the run/execute verb's action. If that is the case, this should be brought up with the Python and PHP developers.
I think this would better be fixed in Windows itself. Categorize file type handlers into "safe" ones (text editors, image viewers - those that should not be able to execute arbitrary code) - and those that can literally do everything (programming language interpreters, or the loader responsible for executing *.exe files). Then offer an API to only invoke a registered file type handler *if it is categorized as "safe"*. You're still vulnerable to exploits in these handlers of course, but there's really nothing you can do against that aside from fixing the bug in the respective program itself. (Or sandboxing/isolating applications from each other in a similar way as Android does it, but at that point you're better off re-writing the whole operating system...) Going by file extension (who even knows about these obscure python file extensions?), and on top putting the onus on the application developer to *know* which handlers are "safe" and which are not, is just asking for trouble. (Gotta yell at WhatsApp though for using a blacklist rather than a whitelist of course. Think about what you need - PNG, JPG, MP3 and the like - and disable the feature for everything else. If a new music file format comes up and is widely adopted - sure, add it to the whitelist to allow the "easy opening" of the file. But don't force yourself to have to keep track of what new programming languages and other arbitrary-code-executing programs arise to block each of them manually.)
The powershell script opened because it was set to notepad, if it was set to Powershell it would have said "Save failed" and even if it opened you'd still at least need to have the execution policy pre-set
My guess is they figured if you do use python, you know how to do your own security. Still a bit dangerous in my opinion though. Would probably still be a good idea to block them. Would actually be a better idea to not let users execute from the app at all.
For real, honestly it looks like you only need to fat finger it a single time? I misclick all the time on my phone and oh my god am I happy there's confirmation pop-ups on most things that actually matter.
I think you could embed a more plausible file into the python script (say, a non-malicious python script), write it as a file either in the user's temp or downloads directory and open it up with the user's default text-editor. Chances are this is what the user expected to happen anyhow. I have been so spoiled by linux and software using plaintext that the loose separation between executables and scripts and actual files kind of frightens me. But you can’t embed a youtube video into a plaintext document (unless it's emacs, where you can embed scripts into otherwise plaintext documents). That said, there still are simple ways to actually check what a file does. Maybe display the system's default program for that MIME-type? Instead of saying "open" say "open in Word", "Open in VLC-player" or "Execute with python3.11". If the file has a PE header, then it is an executable, regardless of the file-extension. Maybe it won't behave like one if you double click it, but you still let a (hidden) executable be passed through. I don’t expect the multi-billion company to embed its own malware protection software into their desktop app, but the least they could do is actually check the file's meta-data (locally!!) and inform the user who receives it about what exactly "opening" the file means. If the check fails, raise a warning stating you don’t know what it is, and two warnings with a checkmark that needs to be toggled if the MIME-type doesn’t seem to match. Just don't try to maintain an excluding list of regexps to identify malicious or deceptive files. You will fail.
wonder how many extensions actually get through, perl, ruby, go? heck what about word docs with macros? also, what extensions will get through if you try to open the attachment on your phone
Let's be real, what average person who has either of these installed wouldn't be familiar with the .php or .py file extensions as well as be smart enough to know not to open random executables? Would be nice if it showed a warning before opening potentially executable files like browsers do but you can't really expect them to explicitly blacklist every executable file format in existence. Anyway, not much of an exploit. It literally only removes a step from what the user would have to do in order to execute the file and if an adversary were trying to socially engineer someone into executing an unknown file that extra step wouldn't present much of a barrier. I can understand that it's not exactly high on the priority list especially when making this change would not actually block all potentially executable files, just the ones people have discovered so far. That could be something they would have to repeat many times in order to get a **mostly** complete blacklist. And after all that some adversary could still RE and find the one file type they forgot about. Completely fixing the issue is not as simple as it first appears.
This should probably be dealt with by the operating system. Maybe Windows should allow Python and other VMs to register as such, so that when any program tried to use them as a handler, Windows would tell the users about the risks. Then, Windows could also provide an API for applications to open file with a handler, but only if that handler wasn't a VM.
You look and sound so similar to LowLevelLearning I had to double check the channel name just to be sure it's not an old video. I can't be the only one that sees that. Anyway, nice content :)
I mean what so setting Priv required and User interaction to High shakes out like - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H still rates at 6.8 Medium which should be accepted/fixed for any reasonable bug bounty program .-.
It’s an interesting vector for sure. It’s not great for sure. I think it’s a concern and I think it would be a bigger concern if say Powershell worked with it and could have a larger number of potential attacks.
We used to send each other code assignments back in campus, we considered it a feature to quickly test the code😊, could have used it a better way, guess no one had time for fooling around and the source was trustworthy
Step 1: Create vulnerability
Step 2: Exploit vulnerability through backdoors as step 1 made it easier
Step 3: Mine data on everyone and spy
Step 4: Arrest somebody for wrong think
Step 5: Big brother
Step 6: $$$
The average computer user still won't have python installed on their computer, and since EXE files are on the denial list, I don't think there's much that can be done.
sure clicking open is on the user but if Meta knows it's a risk for exe files or other potentially malicious files like python, PHP and possibly even powershell scripts then that's a huge failing for meta given it's a 60 second hotfix, won't be long until someone releases the full list of non-blocked file extensions and it won't surprise me if we start seeing botted accounts using leaks to mass spam people with this technique. EDIT: You don't even need to click open, just click the attachment and the file will be run so it's now gone from clicking open to even a misclick can cause execution
I got a sneaky suspicion that this "vulnerability" is not about Whatsapp itself, but about the default software set to open said extension. See .ps1 that (like windows dictate as default) opens with notepad instead of powershell. What is the behavior of opening a PS1 file, if you change the default program to open ps1 files to "powershell"?
@@_JohnHammond Maybe something that doesn't misinform the viewer. WhatsApp isn't running the Python code. Also this isn't a security vulnerability at all. There is no "Arbitrary Code Execution".
Yes. Unless there is a "zero-click" vulnerability, an executable file must be "opened" by the user to be effective. In theory, even "zero-click" vulnerabilities triggered via some services "opening" it, but the meaning of zero-click is meant to be zero click "by the user".
most people you sent this to would click it just because they know the person sending it. This could easily be turned into self-replicating malware. SMH
Why use a denylist instead of an allowlist? Sounds like they make life harder for themselves as there might be only a couple of formats users should actually want to open directly but hundreds that could harm the system... Also interesting that they just check extensions, which is also somewhat unreliable
Meanwhile, the Pakistani government is launching their own secure comms app. I think the fact that this bug just...continues to be ignored is vile. I also think they can't mark an issue as resolved when it's demonstrably not. Never used WhatsApp, never will. Slowly but surely moving off of all of Meta's platforms. They're evil, straight up.
what i learned: never check your email, never read a text message, install no apps, don't visit any websites, and you might be safe
Don't use your computer and you might be safe!
Don't even look at your phone
No, there is only one way: switch to Nokia 3310
You forgot to remove the network card (wifi and Bluetooth)... rookie mistake 😂
You just need to be cautious buddy
Thank you, John, for sharing my work! It's incredibly rewarding to see the impact of my research on a global scale. Knowing that it helps make software more secure and protects users is a great feeling. Thanks again.
good on you, Saumyajeet! +1
@@RK-gv7rcya yeet….
It is appreciated, and this is 100% a security concern. The rationale in their response was bizarre, too. If you can easily mitigate a risk without affecting functionality it should be done.
+1
Lousy WhatsApp didn't pay the bounty...
meta’s response makes one wonder how many times meta has said that the same bug has been reported by another user just to avoid paying them any bounty or giving them credit and without any way of the person reporting it to verify those claims.
Well they do not have an actual blocklist for filetypes. WhatsApp is actually a UWP app and the blocking is done by Windows. This is a neglect of the python installer which doesn’t mark python files "alwaysunsafe"; then any UWP app would refuse to launch it, you could only save it and launch from a non-UWP app. For example on an xbox this wouldn't even be possible. UWP is basically its own OS put on top of windows desktop to seem like it's just another app.
@@氷語 the Xbox OS is amazing, they really should have made that into Windows11
@氷語 Has someone reported that security vulnerability to the python team?
@氷語 I had a hunch that every program maintaining a list of prohibited extensions separately is not how things work and there should be better solution for this kind of stuff. Thanks for confirming my thoughts :)
After all, messengers can not keep up with every program user might install. Python/php are one of the popular ones, but still, I can install an app that runs shell code from .jpeg file and call that Whatsapp's vulnerability.
I don't understand why big companies like that do the simple mistake of using a deny list instead of an allow list, 'cause you'll always forget an entry, so it's better to forget an allow than forget a deny.
I don't get it
They don't care.
The equation basically is what option is the fastest and uses less resources.
It's always just allow everything and deny what you don't want. Otherwise someone has to keep putting things in the white-list (it's black-list and white-list, those are just colors and I don't like corpo speak and pandering, I don't care the same way they don't care)
Except in the future there's guaranteed to be a breach of security, but that's the next quarter, the world might have ended or something.
The future don't exist.
Because most of their codebase is pretty much written by whichever engineers they could pay the least
the problem is both have their pros and cons and fit differently well depending on the use case. but in regards to security, in almost all cases an allow list is safer. especially for a company the size of Meta, this is embarrassing. lol
It's not an "error". It's a "feature". /joking
This year must be a record-breaker for cybersecurity vulnerabilities.
Coincidentally a year with a decrease in cybersec funding at the enterprise level
@@owenswabi most likely due to ignorance of the threats out there. The number of fellow network engineers I've spoken to who aren't allowed budget by non techie higher ups who don't understand networking at all is insane. I'm just glad to work for an employer who takes cybersecurity very seriously.
Ai revolution in action
That's what you get for thinking you can replace programmers with chatbots and glorified autocorrects.
True 😂
As always companies don't want to pay the bounties so they say it's not an issue but will then fix it afterwards. So basically what they are saying is: don't report issues to us, sell them instead on zerodium so at least you can get a "bounty".
the .ps1 file running is even more scary than the python imho. Since Python requires you to install python etc while Powershell is standard today.
but it didn't run, it just opened in notepad, right? (I'm not a windows guy, I'm not sure whether there is a way to abuse this and make it execute instead or something?)
Ps1 doesn’t normally run just by opening the file you’d normally have to launch it *from* powershell
@@kirbykilledgod Normally yes, but in a malicious context they run via hard links.
You could have changed the file associations to run all .ps1 files with powershell, again not by default but I think it'd be much more common than however many people have python installed
what can you run if the message is opened on a latest iphone or android phone? nothing right?
Bad response from Meta. They are knowingly allowing an attack surface to exist on their platform when the fix could have been included in an update that has already been pushed.
Especially when it is such a simple one to patch like this too.. no excuse not to just do it
maybe the NSA/FBI asked them to leave it "open" for couple days
if they would block some types, and have a general warning, then I think it would be okay to say, it's the user's fault. but if you protect against some file types, you should respond in another way, and fix it. (I think it would be better to have a whitelist for filetypes/whitelist for applications to open with)
They actively provide a surveillance platform to many states. You are the product.
@@amandamate9117 why would they leave an exploit open to act as backdoors they already have?
Even if it's not a security concern, it's definitely a design concern. If clicking "open" on an exe doesn't execute the program, clicking "open" on a pyz or php shouldn't execute the program. The current behavior is inconsistent and confusing.
Windows itself labels executing programs as "Opening" them too
This wasn't allowed in previous versions, I remember I couldn't share APKs in WhatsApp, now I can!
I remember doing that to share my crappy unity game to my classmates some years ago
You're wrong, I always shared apks with my friends like cracked Spotify or other shady ass apks
I am speaking about 2018, you couldn't share APKs back then
@@addas4 2018? That's an eternity
for at least 5 years you could
It's called a 1-click ACE (arbitrary code execution) exploit. 0-click is even more vulnerable.. Nice demo John.
One way to think about this issue is that if Python introduces a new extension in the future, like pyxyz, how will WhatsApp handle it? This could make all previous versions vulnerable. Ideally, they should have implemented an allowlist, but if they couldn't for a valid reason, it becomes a cat-and-mouse game with researchers constantly searching for extensions that could execute code on the host system. And that could be why they didn't consider this a valid bug.
This is a webapp masquerading as a desktop app. There are no "previous versions". It's always on the latest version.
Come on John, everything is open source if you can reverse engineer! :D
Hot take: we’re too lazy to patch
If I send an email with calc.exe file as attachment; on Windows hosts, if you open it, it would open calculator. This doesn't mean Windows or Outlook has an ACE.
OR: Say we download a program/setup/game/app using Chrome. You open it from Chrome. It opens! We can't call that an ACE, after all, just because it runs on Windows.
That's the whole point of a computer. It is designed to execute code.
Meta's RCE is in the context of WhatsApp means the potential vulnerability that they are referring to alters 𝗵𝗼𝘄 WhatsApp works.
If you send some code at their servers or through the app or send some media to a recipient and if it runs a piece of code on/within itself, then it's an issue.
You need to understand the difference between "running on WhatsApp" and "running outside WhatsApp". It's an ACE if it's executed in the context of WhatsApp. Just because the user asked it to open the file and the file opens, it cannot be called an ACE at all. It's what it is designed to do.
but calc.exe isn't arbitrary python code..?
Do remember that in security, the human is the weakest link. While this is technically not ACE or RCE because it requires a human action (clicking on the Open button), it's still a good attack vector if you can get the user to do it (which, through social engineering, can definitely happen). If you have to save the file first, then have to manually fetch it in the explorer to run it, that's as many more actions the user can ponder on the potential ramifications of his actions; or a way to make it harder to misclick in the first place.
In fact, all of this is already understood by the developers because they already implemented preventive measures for other executable file types, this means they already understand the implications; they're just inconsistent on their application.
TL;DR: something can still be an attack vector even if it is triggered by genuine user actions.
The .ps1 file opening in notepad is the new Windows 11 default. Now to execute a powershell script you either have to do so from within powershell already, or right click it and click "run with powershell".
Why even bother with a block list?
Just compile an allow list with most popular file types from sent history.
Nobody will complain if you forget to whitelist some rare file type.
Even better is if you run a virus check on it before it downloads, like Google Drive does
1:07 blur is not destructive
Can you unblur it? :)
@@_JohnHammond Theoretically, with Fourier transforms, blur is reversible. In practice, if the video was compressed AFTER being blurred, the inverse of the blur convolution will result in a jumbled mess, but there are ways around it (using AI to remove quantisation noise and then applying the sharpen convolution, especially given that QR codes have redundancy and a pretty big proportion of pixels can be wrong before the error correction algorithm is overwhelmed).
I know about reversibility of window convolution and stuff in mathematic model only. It would be an eye-opener if someone could recover the QR data from the video frame. And it would make a great YouTube video too.
So try it, if you can.
I'm quite sure many things have been destroyed over the years when Blur - Song 2 kicked in.
why was telegram's considered a 0day and this is not considered a vulnerability ?
This is expected behavior 😂😂
maybe cheaping out on the bug bounty
@@rnts08 RCE is an expected behavior lol
@@gotr00t0day Yeah, in WhatsApp it's a core feature!
@@gotr00t0day it's like saying that Gmail allows you to download an exe from an attachment and run it so it has a 0day RCE... this is the user choosing to download and run a file it isn't anyone else's fauly
In the data storage option, automatic download, always keep it disabled, but it is also very useful to remove with adb the facebook services and applications that run in the background, such as: meta app installer, meta app manager and meta services (android phone).
☠️
You added transparency to your WhatsApp QR code which you can undo with various techniques. Security issue!
Would love to see it if you successfully undo it! :)
You were right the first time with "pwd" don't hesitate yourself 💪🏼
I'm this close to setting up a research team to un-blur this qr-code, only to get rick-rolled after months of work because John was trolling all along
I suggest that apps with file sharing functionality switch to safelists when opening files. All filetypes that don't fall under the safelist should instead be located and highlighted in the file manager for the user to have a closer look first. Denylists should be kept too, because they are very useful for showing the warning in case the filetype is potentially dangerous, but they can't be solely relied on.
This is something I investigated a bit recently. It's completely impossible to correctly filter files on windows, because file associations are completely arbitrary. You cannot know what is safe to open. You can *guess* that pdf, png, jpg, etc... are fine, but even there you better hope that the program the user has associated with it isn't something that might run arbitrary code (recall the zero-click iPhone exploit where different applications used different mechanisms to decide what type a file is).
Bruh- they leave it so they can use those extensions when developing over their end-to-end encrypted chat app. They know it can be a security issue, but they hope people know what they’re doing so they can benefit the same way they do. 😬
Instead of allowlist, having a denylist is wild.
You can make the cmd window to open in the background with a launch option in the pyz script, you don't have to use a pyzw file to make it hidden as far as I know.
The human is the weakest layer of cybersecurity. Meta's reply "oh but we warn users to be careful" means meta relies on the weakest security layer. Voilà
It should not be the file extension that is solely used, but a combination of file extension and mime type. The mime type can't be changed without breaking functionality, unlike a file extension.
This is just WhatsApp telling Windows to open the extension using the device’s default application installed in the current device (don’t forget it won’t work without python installed), & it is not WhatsApp’s fault, it’s basically WhatsApp calling Windows Library to run the extension. This is basically the same as you clicking on a python file / any other (can be .exe or any) downloaded from your chrome browser on the downloads page. The safeguard exists already within the OS, but it depends on Windows’ UAC settings. The WhatsApp feature you’ve shown is just a feature within the App (upload, download, and open), and is listed under Privacy and Policy where some sort of feature abuse would lead to permanent suspension (correct me if I’m wrong). Just don’t open files that are suspicious from random people, at the end of the day, it’s the user that’s gotta be smart. Since WhatsApp only calls Windows Libraries to run extensions based on default app used, it’s not really a threat (from WhatsApp’s perspective), if you were to put it in your scenario, Windows is indirectly the problem here, because it should’ve detected the file as a threat before it even gets uploaded. But I agree! Flawed Design.
I think I saw you comment on LinkedIn as well. Thank you for calling out misinformation and lies.
@llunuk yep, but the difference with this Video is, this guy is just stating that WhatsApp runs Arbitrary Python Code, unlike the LinkedIn guy that spreads misleading information ^^
@12washere I believe saying that "WhatsApp runs Arbitrary Python code" is also misinformation. WhatsApp isn't really running the python script.
@llunuk Ah yes, I probably misunderstood this video
Don't open random attachments.
John: "Hello Whatsapp
This is Ippsec"😰😰😰😰
When the PowerShell script opened, it clicked, and I immediately tested my theory. 😅
I tried the .ps1 method and discovered that whether the script opens depends on the default handler and how WhatsApp blocks execution. I created a test.ps1 that opens with a text editor but doesn’t when I set the default handler to PowerShell or terminal.
I’ll post the screen recording ASAP. 😅
This is especially egregious on Windows. The Windows API allows applications to download files (be it to save or to put in a temporary directory to open) with a flag set to tell the shell that the file is from an untrusted source and that it should not be executed without user approval. This is what browsers do to downloaded files. Secondly, the Windows file type association registry allows for a few different "verbs" to be configured for any file type. This means that an application that wants to open a file in a third party application can use the verb in the API call to open/edit the file instead of using the verb to run/execute the file. Neither of these requires black or white listing file extensions or MIME types. It is also possible that the Windows Python and PHP installers improperly set the open/edit verb action in the registry to mirror the run/execute verb's action. If that is the case, this should be brought up with the Python and PHP developers.
I think this would better be fixed in Windows itself. Categorize file type handlers into "safe" ones (text editors, image viewers - those that should not be able to execute arbitrary code) - and those that can literally do everything (programming language interpreters, or the loader responsible for executing *.exe files). Then offer an API to only invoke a registered file type handler *if it is categorized as "safe"*.
You're still vulnerable to exploits in these handlers of course, but there's really nothing you can do against that aside from fixing the bug in the respective program itself. (Or sandboxing/isolating applications from each other in a similar way as Android does it, but at that point you're better off re-writing the whole operating system...)
Going by file extension (who even knows about these obscure python file extensions?), and on top putting the onus on the application developer to *know* which handlers are "safe" and which are not, is just asking for trouble.
(Gotta yell at WhatsApp though for using a blacklist rather than a whitelist of course. Think about what you need - PNG, JPG, MP3 and the like - and disable the feature for everything else. If a new music file format comes up and is widely adopted - sure, add it to the whitelist to allow the "easy opening" of the file. But don't force yourself to have to keep track what new programming languages and other arbitrary-code-executing programs arise to block each of them manually.)
Awesome hands-on and easily digestible! Thank you for that John.
The powershell script opened because it was set to notepad, if it was set to Powershell it would have said "Save failed" and even if it opened you'd still at least need to have the execution policy pre-set
My guess is they figured if you do use python, you know how to do your own security. Still a bit dangerous in my opinion though. Would probably still be a good idea to block them. Would actually be a better idea to not let users execute from the app at all.
If that was intended, a scary warning popup would be nice for kids who downloaded python to learn coding who have no idea what it is capable of
@maxave7448 exactly, while it may be "intended behavior" there still should be a warning
For real, honestly it looks like you only need to fat finger it a single time?
I misclick all the time on my phone and oh my god am I happy there's confirmation pop-ups on most things that actually matter.
Meta saying only trust numbers on your contact list is insane.
Reverse shell + persistent rickroll written to the bios is the worst thing you can give anyone.
ohh man this is so much underrated, thanks john for keeping the lazy asses like me on track
I think you could embed a more plausible file into the python script (say, a non-malicious python script), write it as a file either in users temp or downloads directory and open it up with the users default text-editor. Chances are this is what the user expected to happen anyhow.
I have been so spoiled by linux and software using plaintext that the loose separation between executables and scripts and actual files kind of frightens me. But you can’t embed a youtube video into a plaintext document (unless it's emacs, where you can embed scripts into otherwise plaintext documents)
That said, there still are simple ways to actually check what a file does. Maybe display the system's default program for that MIME-type? Instead of saying ”open” say ”open in Word”, ”Open in VLC-player” or ”Execute with python3.11”.
If the file has a PE header, then it is an executable, regardless of the file extension. Maybe it won't behave like one if you double click it, but you still let a (hidden) executable be passed through.
I don’t expect the multi-billion company to embed its own malware protection software into their desktop app, but the least they could do is actually check the file's metadata (locally!!) and inform the user who receives it about what exactly ”opening” the file means. If the check fails, raise a warning stating you don’t know what it is, and two warnings with a checkmark that needs to be toggled if the MIME-type doesn’t seem to match.
Just don't try to maintain an excluding list of regexps to identify malicious or deceptive files. You will fail.
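The policy proposed in the comments above (a safelist for direct opening with the denylist kept only for warnings, plus a local content check such as the PE-header test), sketched as an added example that is not part of any comment or of WhatsApp's code. The extension lists, the magic-byte table, the `decide` function and the sample files are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumed safelist: extension -> magic bytes the content must start with.
SAFELIST = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
# Assumed denylist, advisory only: it sharpens the warning, it never gates.
WARNLIST = {".exe", ".bat", ".cmd", ".ps1", ".py", ".pyz", ".pyzw", ".php"}
# Content that is runnable no matter what the file is called.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}


@dataclass(frozen=True)
class Decision:
    action: str               # "open" = default handler, "reveal" = show in file manager
    warning: Optional[str]    # text for the user, None when nothing to say


def decide(filename: str, head: bytes) -> Decision:
    """Decide what the attachment button does, from the name and first bytes."""
    ext = PureWindowsPath(filename).suffix.lower()
    # 1. Content check first: a PE header wins over any extension.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return Decision("reveal", f"content is a {kind}, whatever the name says")
    # 2. Only safelisted types whose content matches are opened directly.
    if ext in SAFELIST:
        if head.startswith(SAFELIST[ext]):
            return Decision("open", None)
        return Decision("reveal", f"content does not look like {ext}")
    # 3. Everything else is only revealed; the denylist adds a warning.
    if ext in WARNLIST:
        return Decision("reveal", f"{ext} files can run code when opened")
    return Decision("reveal", None)


# Constructed sample attachments: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE renamed to .jpg
    ("tool.pyz", b"PK\x03\x04\x14\x00"),              # zipapp archive
    ("report.pdf", b"<html><body>"),                  # extension/content mismatch
    ("notes.xyz", b"plain text"),                     # unknown type
]


def run_samples() -> dict:
    return {name: decide(name, head) for name, head in SAMPLES}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:12} -> {decision.action:6} {decision.warning or ''}")
```

A safelisted file is still handed to whatever program the user has associated with that extension, so this narrows the exposure raised in the file-association comment rather than removing it.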
you always doing better bro thank you so much about all your research
I heard about this and thought nothing of it. It still being a thing is both hilarious and disturbing lol
Just add a whitelist of common document and image types that can usually be opened straight away on any modern operating system.
wonder how many extensions actually get through, perl, ruby, go? heck what about word docs with macros? also, what extensions will get through if you try to open the attachment on your phone
word does warn you when a file contains macros, even more so if it's from the internet
@scezar8880 key word... warning
I don't see how this is noteworthy, any time you see the open button it's going to open the program, same thing happens with a web browser...
Took me way too long to realize that the „Activate Windows“ text was not part of the whatsapp error message😂 this had me confused
Let's be real, what average person who has either of these installed wouldn't be familiar with the .php or .py file extensions as well as be smart enough to know not to open random executables?
Would be nice if it showed a warning before opening potentially executable files like browsers do but you can't really expect them to explicitly blacklist every executable file format in existence.
Anyway, not much of an exploit. It literally only removes a step from what the user would have to do in order to execute the file and if an adversary were trying to socially engineer someone into executing an unknown file that extra step wouldn't present much of a barrier. I can understand that it's not exactly high on the priority list especially when making this change would not actually block all potentially executable files, just the ones people have discovered so far. That could be something they would have to repeat many times in order to get a **mostly** complete blacklist. And after all that some adversary could still RE and find the one file type they forgot about. Completely fixing the issue is not as simple as it first appears.
knowing that there is ps1 ransomware that very easily runs as a file sent thru whatsapp is a SERIOUS flaw and needs addressed imo
It doesn’t, the default handler opens it in notepad
Bro literally found a weakness 💀
This should probably be dealt by the operating system. Maybe Windows should allow Python and other VMs to register as such, so that when any program tried to use them as a handler, Windows would tell the users about the risks. Then, Windows could also provide an API for applications to open file with a handler, but only if that handler wasn't a VM.
Honestly: just use WhatsApp web, at least that doesn't allow you to straight up execute files, they have to be downloaded at least beforehand
I remember reading about this a month ago, surprised that the issue is still not fixed.
You look and sound so similar to LowLevelLearning I had to double check the channel name just to be sure it's not an old video. I can't be the only one that sees that. Anyway, nice content :)
Come on whatsapp, this is security 101 for dummies: Use allowlists instead of blocklists
I mean what so setting Priv required and User interaction to High shakes out like - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H still rates at 6.8 Medium which should be accepted/fixed for any reasonable bug bounty program .-.
Pity they found it: here in Europe, that could have been particularly useful when Chat Control will be fully rolled out xD
It’s an interesting vector for sure. It’s not great for sure. I think it’s a concern and I think it would be a bigger concern if say Powershell worked with it and could have a larger number of potential attacks.
You need the python interpreter to be installed to begin with
Many data analysts have it
We used to send each other code assignments back in campus, we considered it a feature to quickly test the code 😊, could have used it a better way, guess no one had time for fooling around and the source was trustworthy
Dev in WhatsApp is like : uga bugs dum dum , we love banana
Damn first video where i can skip sponsor for premium users
One thing I knew and that has been confirmed in this video: never participate to any bug bounty from Meta, it will do anything to not pay. 😊
Someone who has python or a PHP interpreter installed should have enough expertise to NOT run some random scripts on his machine so..... 🤷
how about a lawsuit, meta?
Step 1: Create vulnerability
Step 2: Exploit vulnerability through backdoors as step 1 made it easier
Step 3: Mine data on everyone and spy
Step 4: Arrest somebody for wrong think
Step 5: Big brother
Step 6: $$$
Well dude until i see it for now they already blocked the pyz extension.. Good work
Only signal stays.. oh wait.. they too had some allegations of anti privacy behaviour didn't they?
The average computer user still won't have python installed on their computer, and since EXE files are on the denial list, I don't think there's much that can be done.
the open file button should be only available for a curated list of filetypes - not the other way around
aaaand it still works!
gonna prank a friend now >:)
sure clicking open is on the user but if Meta knows it's a risk for exe files or other potentially malicious files like python, PHP and possibly even powershell scripts then that's a huge failing for meta given it's a 60 second hotfix, won't be long until someone releases the full list of non-blocked file extensions and it won't surprise me if we start seeing botted accounts using leaks to mass spam people with this technique. EDIT: You don't even need to click open, just click the attachment and the file will be run so it's now gone from clicking open to even a misclick can cause execution
shouldn’t it be an allowlist instead of a denylist as a better security practice in this particular case?
that would be the logical course of action, but you know, corporate staff works in mysterious ways
Excellent content, John!
THANK YOU DANIEL 💙
HOPE I SEE YOU IN VEGAS NEXT WEEK
@_JohnHammond Unfortunately I won't be able to make it out to Vegas this year, but I will be at Wild West Hackin' Fest.
Now you just need to find someone that has python and whatsapp installed and that they open random pyz files from random senders
The terms of service limited liability puts anything executed locally on the user.
I got a sneaky suspicion that this "vulnerability" is not about Whatsapp itself, but about the default software set to open said extension. See .ps1 that (like windows dictate as default) opens with notepad instead of powershell.
What is the behavior of opening a PS1 file, if you change the default program to open ps1 files to "powershell"?
Just didn't expect John Hammond to spread misinformation and use clickbait-y titles.
What title would you like instead?
@_JohnHammond Maybe something that doesn't misinform the viewer. WhatsApp isn't running the Python code. Also this isn't a security vulnerability at all. There is no "Arbitrary Code Execution".
@llunuk Exactly
Do you have a suggestion?
@_JohnHammond Already gave my suggestion.
A+ on the video. Great video. Love the actual walk through.
I think they don't want to remove because their fellow NSA won't be happy if one of their tricks removed for just 1-2 researchers reports.
'Its not a bug, its a feature, Meta Inc.'
Why Windows Defender doesn't block the .pyz rce script on latest win 11 versions
NSA path
Huh? Why should .pyz files be blocked? Has it been deprecated? Abandoned? Discontinued?
he said in the video that he disabled defender in his vm
@nelmatrix3942 not just normal pyz but I'm talking about RCE
whatsapp for windows is the buggiest mess ever istg, sometimes shit disappears and i can't call/send attachments, sometimes it just freezes...
So this only impacts those who open such files right? not if someone sends it and your device happens to automatically download it?
not an expert, but I would probably guess so
Yes. Unless there is a "zero-click" vulnerability, an executable file must be "opened" by the user to be effective. In theory, even "zero-click" vulnerabilities triggered via some services "opening" it, but the meaning of zero-click is meant to be zero click "by the user".
I tried this on discord too, it works. Although, discord gives you a "potentially dangerous" warning. Generic warning but eh at least better than meta.
definitely a security risk they expose especially developers to
This Vulnerability Just For Whatsapp Desktop (Windows).
most people you send this to would click it just because they know the person sending it. This could easily be turned into self-replicating malware. SMH
Why use a denylist instead of an allowlist? Sounds like they make life harder for themselves as there might be only a couple of formats users should actually want to open directly but hundreds that could harm the system...
Also interesting they just check extensions which is also somewhat unreliable
Isn't using the web site safer rather than apps?
web assembly though
Imagine having a deny list instead of an allow list
Been waiting for this, so u could imagine my excitement when I saw the notification 😊
Sounds to me like Meta just doesn't want to pay out the bounty to Das so now they are trying to talk around it.
Whatsapp not fully open source. Yes, all the user data harvesting is not open source for sure 😂
Meanwhile, the Pakistani government is launching their own secure comms app. I think the fact that this bug just...continues to be ignored is vile. I also think they can't mark an issue as resolved when it's demonstrably not.
Never used WhatsApp, never will. Slowly but surely moving off of all of Meta's platforms. They're evil, straight up.
I feel there should be a warning each time it is going to open a file with a nontrusted program, (something other than notepad or browser or smth)
Insane to me, that WhatsApp uses a blacklist instead of a whitelist.
The funny thing is they just started an ad campaign