WhatsApp confirms critical flaw that leaves millions of Windows PC users at risk — take action NOW

WhatsApp has issued a fix, but those who rely on the desktop app on Windows will need to take action to keep themselves safe from hackers


By Aaron Brown


Published: 09/04/2025 - 17:51

Updated: 10/04/2025 - 08:58

If you're not running WhatsApp version 2.2450.6 or later, you're at risk

  • WhatsApp on Windows is the only version of the chat app impacted
  • Latest vulnerability allows hackers to disguise malware files
  • You must update the application immediately

With one text message sent via WhatsApp, hackers could take control of your Windows PC, security experts have warned. If you use WhatsApp from your Windows PC, you need to update your software to stay ahead of cybercriminals looking to steal your personal data.

Security experts sounded the alarm after discovering a "critical" flaw inside WhatsApp that leaves laptop and desktop PC owners vulnerable to a fresh hack. With over 3.10 billion users worldwide, WhatsApp is the most popular messaging service on the planet — leaving hackers with a dizzying number of potential victims.


If you're running any version of WhatsApp earlier than 2.2450.6 on your PC — you must take action, experts warn.

The WhatsApp desktop app is an extension of your phone — it mirrors conversations and messages from your mobile device and must be paired using a QR code

The vulnerability was unearthed inside the dedicated WhatsApp application for Windows, which works on Windows 10 and Windows 11. The flaw allows senders to disguise the true nature of their attachment by changing the file extension to something harmless, like JPEG.

When the recipient mistakenly clicks on the attachment, WhatsApp will automatically launch the default application for the true file type — not the disguise. With a single click, WhatsApp users inadvertently launch malware that takes control of their PC... and the personal data stored on its drives.

Hackers can use the vulnerability to send a file that looks like a JPEG — only for recipients to mistakenly unleash complex malware that allows hackers to remotely control their device, delete files, or worse.

"A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp," explained WhatsApp parent company Meta in its latest security advisory.

Speaking to The Register about this worrying vulnerability, Adam Brown, Security Consultant at Black Duck, said: "This is a particularly nasty vulnerability for the everyday user."

"A malicious attachment could be used for data theft, running malware or spreading it, account and identity theft, or anything a nefarious actor chooses," he added. "Everyone should be careful when clicking on attachments, even from people they know, and Windows users of WhatsApp should be especially vigilant."

The technical issue stems from how WhatsApp for Windows processes file attachments.
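
A defensive check for the mismatch described above, added here as an illustration and not taken from WhatsApp or Meta. It assumes the attachment is previewed according to the MIME type the sender declares, while Windows picks the program to launch from the filename extension; the function names, extension lists and sample attachments are constructed for this example.

```python
import unicodedata
from pathlib import PureWindowsPath

# Assumption: the preview follows the declared MIME type, the handler follows the extension.
# Extensions Windows passes to a loader or script host (constructed, non-exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk", ".pif"}

# Extensions accepted for each declared MIME type (constructed allow-list).
MIME_TO_EXTS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "video/mp4": {".mp4"},
    "application/pdf": {".pdf"},
}


def effective_extension(filename: str) -> str:
    """Return the extension Windows would use to choose a handler."""
    # Drop format/control characters (e.g. U+202E) that only change how the name is shown.
    visible = "".join(c for c in filename
                      if unicodedata.category(c) not in ("Cf", "Cc"))
    # Windows ignores trailing dots and spaces when it resolves a file name.
    visible = visible.rstrip(". ")
    return PureWindowsPath(visible).suffix.lower()


def check_attachment(filename: str, declared_mime: str) -> str:
    """Classify an attachment as 'ok', 'mismatch' or 'block'."""
    ext = effective_extension(filename)
    mime = declared_mime.split(";")[0].strip().lower()
    if ext in EXECUTABLE_EXTS:
        return "block"      # opening it would run code, whatever the preview shows
    if ext not in MIME_TO_EXTS.get(mime, set()):
        return "mismatch"   # declared type and extension disagree, or type unknown
    return "ok"


# Constructed sample attachments: (filename, MIME type declared by the sender).
SAMPLES = [
    ("holiday.jpg", "image/jpeg"),
    ("holiday.jpg.scr", "image/jpeg"),
    ("photo.png", "image/jpeg"),
    ("report.exe. ", "application/pdf"),
]

if __name__ == "__main__":
    for name, mime in SAMPLES:
        print(f"{check_attachment(name, mime):9} {mime:16} {name!r}")
```

A mail or messaging gateway could quarantine anything that is not `ok` before it reaches the recipient.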

How can Windows 10 and Windows 11 users stay safe from malicious attachments sent via WhatsApp? Fortunately, the treatment plan for this particular flaw is pretty simple — update the app.

Meta has issued a fix for the vulnerability to its desktop app on Windows. You can download the latest version via the Microsoft Store or directly from the WhatsApp website. Do not download software from untrusted websites.

If you use WhatsApp for Windows — update as soon as you can. And if you're already running WhatsApp version 2.2450.6 or later, don't panic — you're already safe.

Only the Windows desktop version is affected. Those who send texts, pictures, and videos via Android, iOS, or macOS are not at risk from this particular vulnerability, experts have reassured millions of users.

However, Dr Martin Kraemer, who serves as Security Awareness Advocate at KnowBe4, advises WhatsApp users to always be extremely cautious with attachments. He explains: "Think of WhatsApp the same way as email. You would not want to open an unexpected email attachment, especially not from someone you do not know."

Dr Kraemer advises WhatsApp users who have updated to the patched version of the chat app to remain vigilant about exactly what they click on. Only open images and files from people you trust — and if you receive a suspicious attachment, delete it immediately, the security expert advises.

Spencer Starkey, an executive vice president at SonicWall, says this attack is part of a worrying trend.

"Cybercriminals are constantly developing new tactics, techniques, and procedures to exploit vulnerabilities and bypass security controls," he explained. A recent SonicWall report revealed that malicious attacks disguised as harmless attachments rose significantly in 2024.

The firm observed 210,258 never-before-seen malware variants last year, averaging 637 new threats daily.

"Due to the speed at which new attacks are being created, they are more adaptive, and difficult to detect," Starkey warns. With billions of users worldwide, WhatsApp remains an attractive target for cyber criminals.