Element Windows lets Python, PHP, EXE scripts execute with no warning

[bruno24pt]

Steps to reproduce

Similar to WhatsApp & Telegram for Windows , I beleive this issue applies on Element as well.

https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/

Element Windows allows sending Python , PHP and EXE attachments that are executed without any warning when the recipient opens them.

Outcome

Several solutions can be considered:

1. Warn the user that this file may be dangerous
2. Mark the file as coming from the internet
3. Prevent the user from opening the file directly
   etc

Operating system

Windows

Application version

No response

How did you install the app?

No response

Homeserver

No response

Will you send logs?

No

[davidegirardi]

I just wrote a simple hello world application in C#, compiled it to a .exe and sent it via Element. The receiving client downloaded the file and it was marked as untrusted.

[weezl]

I just wrote a simple hello world application in C#, compiled it to a .exe and sent it via Element. The receiving client downloaded the file and it was marked as untrusted.

I tested with a downloaded .exe, as well as with a .pyz file I created and sent from a different computer (as described in the bleepingcomputer link in OP)

Once downloaded both files indeed show as untrusted in Properties, but clicking the Open button in Element starts the .exe as well as the .pyz without asking for further confirmation.

Windows 22H2
Element version: 1.11.73
Crypto version: Rust SDK 0.7.1 (431263d), Vodozemac 0.6.0

Considering other apps like Telegram and WhatsApp give a warning before opening such files, I think a similar warning message in Element about potential danger before opening certain file types, or even preventing access alltogether from within Element would be good.

Telegram seems to have added python scripts to their blacklist according to this:
https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts/

[davidegirardi]

Did you tested this by sending calc.exe or another signed executable? Then of course it runs. It will run even if you download it with Microsoft Edge.

Here's what happens if you send something Windows/Microsoft don't already know about:
nope.webm

[davidegirardi]

I think Element does the right thing from a technical point of view. Would adding some warning text in the veil of "open the file only if you trust the sender" help somehow?

[bestrocker221]

Another option would be not to let the Element application directly open files at all.
Instead offering something like "Open download folder" where the files are downloaded from Element and let the user open them from the file explorer directly.
Similar applications have been doing like this i.e. Keybase

[weezl]

I think Element does the right thing from a technical point of view. Would adding some warning text in the veil of "open the file only if you trust the sender" help somehow?

I agree that technically the "fault" is not with Element.

But the behavior of other apps of giving warnings before opening risky files is sensible when dealing with this.

I like bestrocker221's proposal of simply opening the containing folder instead of the file directly, this completely bypasses the problem, and is what the user will have to do anyway if the file were to be on a blacklist.