Security Audit of WhatsApp's Private Inference Reveals TEE Vulnerabilities and Best Practices

Summary

A security audit of WhatsApp's Private Inference feature—which uses trusted execution environments (TEEs) to process encrypted messages with AI capabilities like summarization—identified 28 vulnerabilities, including 8 high-severity issues that could have compromised user privacy. The system, built on AMD's SEV-SNP and NVIDIA's confidential GPU platforms, aims to enable AI-powered features while maintaining end-to-end encryption, preventing Meta from accessing plaintext messages. Meta has patched all identified vulnerabilities since the pre-launch audit.

The audit revealed critical lessons about TEE security architecture. The most significant finding was that configuration files and system data loaded after attestation measurements could be manipulated by malicious actors—for instance, environment variables could inject malicious code, or ACPI tables could be spoofed to grant unauthorized memory access. These issues highlighted that attestation measurements must cover all critical data paths, and any data loaded after verification must be treated as potentially hostile and rigorously validated.

• Meta's fixes included strict alphanumeric validation of environment variables and ensuring ACPI tables and other hardware configuration data are included in attestation measurements

Editorial Opinion

This audit demonstrates that while TEEs are a powerful privacy-preserving technology, they are not a security panacea—their effectiveness depends entirely on rigorous architectural discipline. The findings underscore that as AI systems become more deeply integrated with encryption and security-critical infrastructure, the burden on developers to implement defense-in-depth increases significantly. The transparency of publicly sharing these findings and fixes sets a positive precedent for the industry and should become the standard for high-stakes AI deployments.