WhatsApp AI Features Get Security Overhaul, Critical Flaws Fixed

Meta has addressed critical security vulnerabilities in its upcoming WhatsApp AI features, following an independent audit by cybersecurity firm Trail of Bits. The review, which focused on the privacy-preserving “WhatsApp Private Processing” system, uncovered 28 issues, including eight critical flaws, but Meta resolved most of them before public launch.

The WhatsApp Private Processing system enables AI features like chat summarization while using advanced confidential computing technology (hardware-based secure enclaves) to prevent even Meta from accessing user messages during processing. Trail of Bits conducted a 12 engineer-week assessment of the system from February to May 2025.

High-level WhatsApp Private Processing system design

"WhatsApp Private Processing handles user data exclusively within hardware-based confidential computing enclaves; we did not find any indication that user data is available to Meta during server-side processing," the security firm confirmed in their public report.

The most serious vulnerabilities discovered included remote attestation issues that could have allowed attackers to impersonate legitimate secure processors, and flaws in the AMD SEV-SNP confidential computing verification that could enable machine-in-the-middle attacks. One critical issue involved environment variable injection that could compromise the entire secure virtual machine system.

The system architecture employs multiple layers of protection: AMD SEV-SNP processors for CPU-level security, NVIDIA H100 GPUs in confidential mode for AI processing, Fastly's OHTTP routing for anonymizing user traffic, and Cloudflare's binary transparency logging for public auditability. This creates what Meta calls "enforceable guarantees" against both external attackers and malicious insiders.

WhatsApp Private Processing Security Audit Results: Trail of Bits discovered 28 findings across different severity levels, with most critical issues now resolved

Of the 28 findings, Meta has resolved 16 critical issues, partially addressed 4 others, and left 8 lower-severity items unresolved. The unresolved issues primarily involve informational recommendations rather than exploitable vulnerabilities.

"The use of confidential computing is enforced by the WhatsApp client, which refuses to connect to enclaves that show evidence of tampering," Trail of Bits noted, highlighting the system's fail-safe design.

For users, this audit provides confidence that WhatsApp's upcoming AI features maintain the platform's privacy standards while enabling new functionality through cutting-edge security technology.
