Trail of Bits Audit of WhatsApp's Private Inference Uncovers 8 High-Severity TEE Vulnerabilities, All Patched by Meta
An independent security audit of WhatsApp's Private Inference feature, which uses AMD SEV-SNP and Nvidia TEEs to process encrypted messages with AI, found 28 vulnerabilities including 8 high-severity flaws that could have broken the system's privacy promises. Meta has patched all issues.

Trail of Bits has published the results of a pre-launch security audit of WhatsApp's Private Inference feature, the messaging giant's attempt to marry end-to-end encryption with cloud-based AI message summarization. The audit, conducted before the feature went live, identified 28 vulnerabilities in the trusted execution environment (TEE) architecture that Meta built using AMD's SEV-SNP and Nvidia's confidential GPU platforms. Eight of those findings were rated high-severity — flaws that could have allowed an attacker to bypass the system's core privacy guarantees and potentially access plaintext user messages. Meta has remediated every finding identified in the report.
WhatsApp's Private Inference was designed to resolve a fundamental tension: the app is end-to-end encrypted, meaning Meta's servers cannot read users' messages, but AI-powered features like summarization typically require plaintext access. Meta's solution was to process messages inside TEEs — secure hardware enclaves designed so that even the cloud provider cannot see the data inside. The architecture relies on AMD's Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Nvidia's confidential computing GPUs to create a sealed processing environment for AI inference. The stakes are enormous: WhatsApp serves billions of users, and any compromise in this system could expose private conversations.
Among the most critical findings was an issue dubbed TOB-WAPI-13, where configuration files containing environment variables were loaded after the attestation measurement was taken — the cryptographic fingerprint that clients check to verify the enclave is running authentic software. This meant that a malicious insider at Meta could inject an environment variable such as `LD_PRELOAD=/path/to/evil.so`, forcing the system to load arbitrary malicious code at startup while the attestation report still verified as valid. The attacker could use this to log every message processed inside the enclave and exfiltrate it to an external server. Meta fixed the issue by strictly validating environment variables: only safe characters are now permitted, and dangerous variables like `LD_PRELOAD` are explicitly blocked.
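The kind of validation that closes TOB-WAPI-13, as an added example (not Meta's or Trail of Bits' code): a dotenv-style file is parsed and every entry must pass a strict name and value character check and a denylist of loader-controlled variables before it can reach the enclave process. The page names only `LD_PRELOAD`; the other blocked prefixes and the constructed sample file are assumptions added here.

```python
import re

# Added example, not Meta's code. The page names only LD_PRELOAD; the other
# blocked prefixes are loader/interpreter-controlled variables added as an
# assumption about what a cautious denylist for an unmeasured config would cover.
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,63}$")
# Values: no whitespace, quotes, or shell metacharacters.
VALUE_RE = re.compile(r"^[A-Za-z0-9_./:,=+@-]{0,1024}$")
BLOCKED_PREFIXES = ("LD_", "DYLD_", "GLIBC_", "MALLOC_", "PYTHON", "PERL", "NODE_", "BASH_ENV")


def validate_env_file(text: str) -> dict:
    """Return name->value for a file that passes every check; raise on the first unsafe entry."""
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected NAME=value")
        name, value = line.split("=", 1)
        if not NAME_RE.match(name) or name.startswith(BLOCKED_PREFIXES):
            raise ValueError(f"line {lineno}: variable {name!r} is not permitted")
        if not VALUE_RE.match(value):
            raise ValueError(f"line {lineno}: value of {name} contains unsafe characters")
        if name in env:
            raise ValueError(f"line {lineno}: {name} is set twice")
        env[name] = value
    return env


# Constructed sample files: a benign one and the injection described in TOB-WAPI-13.
GOOD = "MODEL_NAME=summarizer-v2\nMAX_TOKENS=512\nLISTEN_ADDR=0.0.0.0:8443\n"
EVIL = GOOD + "LD_PRELOAD=/path/to/evil.so\n"
```

Even with this check, a config file that is read after measurement stays outside the attestation; the validator only bounds what it can express.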
Another severe finding, TOB-WAPI-17, involved ACPI tables — hardware configuration data that the operating system reads at boot. The audit found that these tables were not included in the attestation measurement, creating an attack vector for a malicious hypervisor. An attacker controlling the hypervisor could inject fake ACPI tables that define malicious "devices" with read/write access to arbitrary memory locations. When the secure VM booted, it would process these tables and inadvertently grant the fake devices access to protected memory regions containing user messages or encryption keys — all while the attestation report remained valid. Meta addressed this by implementing a custom bootloader that verifies ACPI table signatures as part of the secure boot chain, tying any tampering to the attestation measurement.
The audit also found that the system incorrectly verified AMD's SEV-SNP security patch levels (TOB-WAPI-8): instead of cryptographically validating the claimed patch level against AMD's signed VCEK certificate, it simply trusted the firmware's self-reported value. An attacker who had compromised an older, vulnerable firmware version could lie about its patch level and bypass checks. Researchers have publicly demonstrated attacks that extract encryption keys from outdated SEV-SNP firmware, meaning an attacker could use such techniques against WhatsApp users while the client believed it was connected to a secure, updated system. Meta's fix validates patch levels against the X.509 extensions in AMD's certificate, which cannot be forged, and enforces minimum patch levels from the WhatsApp client source code.
A fourth high-severity issue, TOB-WAPI-7, involved a lack of freshness guarantees in the attestation process. When a client connected to the Private Processing system, the server would generate an attestation report proving its identity, but that report contained no timestamp or client-generated nonce. This made it possible for an attacker who compromised a TEE once — a one-time compromise that is typically much easier to achieve than persistent access — to save the attestation report and TLS keys and replay them indefinitely. Without a freshness mechanism, the client would repeatedly accept a connection to a compromised enclave. The report does not detail Meta's remediation for this specific issue, but industry-standard fixes involve embedding a client-provided nonce in the attestation report.
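The two client-side checks described for TOB-WAPI-8 and TOB-WAPI-7, as one added example (not Meta's or Trail of Bits' code): the patch level the report claims is accepted only if it equals the level certified in the VCEK's X.509 extensions and meets a pinned minimum, and the report is accepted only if it carries the nonce this client generated for this session. The extension OIDs and report field offsets follow AMD's VCEK certificate and SNP ABI specifications as I recall them; the certificate values and report are constructed stand-ins, and the report signature and VCEK certificate chain are assumed to have been verified already.

```python
# Added example, not Meta's or Trail of Bits' code. OIDs per AMD's VCEK certificate
# spec, offsets per the SNP ABI spec (check both against your firmware's version);
# all sample values below are constructed. Signature verification is assumed done.
SPL_OIDS = {"boot_loader": "1.3.6.1.4.1.3704.1.3.1", "tee": "1.3.6.1.4.1.3704.1.3.2",
            "snp": "1.3.6.1.4.1.3704.1.3.3", "microcode": "1.3.6.1.4.1.3704.1.3.8"}
REPORT_DATA_OFF, REPORTED_TCB_OFF, REPORT_LEN = 0x50, 0x180, 0x4A0  # 64-byte and 8-byte fields

def der_int(value: bytes) -> int:
    """Decode the DER INTEGER held in a VCEK SPL extension (b'\\x02\\x01\\x03' -> 3)."""
    if len(value) < 3 or value[0] != 0x02 or value[1] != len(value) - 2:
        raise ValueError("malformed SPL extension")
    return int.from_bytes(value[2:], "big", signed=True)

def tcb_from_version(tcb: bytes) -> dict:
    """TCB_VERSION layout: byte 0 boot loader, byte 1 TEE, bytes 2-5 reserved, 6 SNP, 7 microcode."""
    return {"boot_loader": tcb[0], "tee": tcb[1], "snp": tcb[6], "microcode": tcb[7]}

def tcb_from_cert(extensions: dict) -> dict:
    """Read the certified TCB from the VCEK's extension values (OID -> DER bytes)."""
    return {name: der_int(extensions[oid]) for name, oid in SPL_OIDS.items()}

def verify_report(report: bytes, cert_exts: dict, nonce: bytes, min_tcb: dict) -> dict:
    """Return the certified TCB if the report is fresh and its patch level is trustworthy."""
    if len(report) != REPORT_LEN or len(nonce) != 64:
        raise ValueError("unexpected report or nonce length")
    # Freshness: REPORT_DATA must equal the nonce this client chose for this session,
    # so a report saved from an earlier compromise cannot be replayed.
    if report[REPORT_DATA_OFF:REPORT_DATA_OFF + 64] != nonce:
        raise ValueError("nonce mismatch: stale or replayed report")
    claimed = tcb_from_version(report[REPORTED_TCB_OFF:REPORTED_TCB_OFF + 8])
    certified = tcb_from_cert(cert_exts)
    # The VCEK is derived from the TCB named in its certificate, so the report's
    # self-reported patch level is believed only when it matches the certificate.
    if claimed != certified:
        raise ValueError(f"reported TCB {claimed} does not match VCEK TCB {certified}")
    for part, minimum in min_tcb.items():
        if certified[part] < minimum:
            raise ValueError(f"{part} SPL {certified[part]} is below minimum {minimum}")
    return certified

def make_report(nonce: bytes, tcb: bytes) -> bytes:
    """Constructed stand-in for a real report: only the two fields checked above are set."""
    buf = bytearray(REPORT_LEN)
    buf[REPORT_DATA_OFF:REPORT_DATA_OFF + 64] = nonce
    buf[REPORTED_TCB_OFF:REPORTED_TCB_OFF + 8] = tcb
    return bytes(buf)

# Constructed VCEK extensions certifying boot loader 3, TEE 0, SNP 8, microcode 210.
CERT_EXTS = {SPL_OIDS["boot_loader"]: b"\x02\x01\x03", SPL_OIDS["tee"]: b"\x02\x01\x00",
             SPL_OIDS["snp"]: b"\x02\x01\x08", SPL_OIDS["microcode"]: b"\x02\x02\x00\xd2"}
MIN_TCB = {"boot_loader": 3, "snp": 8, "microcode": 200}  # minimums pinned in the client
```

In a real client the nonce is usually bound into REPORT_DATA together with the session's TLS key, and the VCEK's own extension values are read from the parsed certificate rather than a dict.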
Trail of Bits emphasizes that the audit's lessons apply broadly to any organization deploying TEEs for confidential computing. The core takeaway is that every piece of data loaded by a TEE — configuration files, ACPI tables, firmware metadata, network timing parameters — must either be included in the measured boot process or be treated as potentially hostile input. The report also highlights the importance of validating attestation data cryptographically rather than trusting self-reported values, and the need for freshness mechanisms to prevent replay attacks. As Meta rolls out Private Inference more broadly, these fixes provide a stronger foundation, but the audit underscores that TEE security is not automatic: it requires meticulous instrumentation of every input and output boundary.