Trail of Bits
Audit Open Original ↗

Meta WhatsApp Private Processing

Type

Security review

Client

Date

2025-08

Domain

AppSec

Effort

12 wks

Section

Technology Product Reviews

Trail of Bits's security review of Meta WhatsApp Private Processing (Aug 2025) identified 28 issues: 8 high, 4 medium, 4 low, and 12 informational.

Findings · 28

  1. 1 ACS key rotation can de-anonymize users Medium
  2. 2 Malicious ACS server can serve invalid signed blinded tokens Medium
  3. 3 OHTTP key rotation can de-anonymize users Medium
  4. 4 Clients can be targeted by geographic region Informational
  5. 5 Sensitive inference-related data can be logged client-side Low
  6. 6 Tracked attributes may pose targeting risk Informational
  7. 7 Remote attestation lacks freshness guarantees High
  8. 8 Reported AMD SEV-SNP TCB version is not checked against VCEK certificate High
  9. 9 Client does not enforce all available AMD SEV-SNP Guest Policy protections Informational
  10. 10 SEV-SNP attestation is not bound to Meta-specific machines High
  11. 11 Use of TLS 1.2 and permissive ciphersuites Informational
  12. 12 The system is vulnerable to SNDL attacks by quantum computers Informational
  13. 13 CVMs can be compromised via environment variable injection High
  14. 14 Insecure rsync usage in configure_cvm.sh Informational
  15. 15 Models are stored and loaded as pickle files throughout LLM servers Informational
  16. 16 LLM inference output size is not masked Low
  17. 17 Malicious hypervisors can inject ACPI SSDTs into CVMs High
  18. 18 Lack of CVM image reproducibility hinders third-party review High
  19. 19 Private artifact digests do not preserve file structure Low
  20. 20 Transparency namespacing not enforced High
  21. 21 Transparency artifacts do not expire Informational
  22. 22 Unnecessary I/O ports can be exposed to malicious hypervisors Medium
  23. 23 Private artifact binary transparency verification may fail silently Low
  24. 24 Unpatched Mbed TLS and OpenSSL versions contain known CVEs Informational
  25. 25 Spectre mitigations are not enabled in the CVM guest Informational
  26. 26 LLM tokenization may leak user data via cache side channels Informational
  27. 27 Binary transparency relies on a centralized honest party Informational
  28. 28 GPU LLMs do not verify NVIDIA GPU attestation High

Findings extracted from the published report PDF. See the full report below for details and remediation.

Related