Whisper Leak

Microsoft researchers have discovered a new side-channel attack, known as “Whisper Leak,” that can infer the topic of encrypted conversations with AI chatbots. The attack works by observing the size and timing of network packets, even when the conversation is protected by TLS encryption.

This creates a real-world risk: an attacker on the same Wi-Fi network, an observer at an internet service provider, or a nation-state actor could identify whether a user is discussing sensitive topics. Microsoft warned this could be used by oppressive governments to target users discussing protests, banned materials, or journalism.

The vulnerability exists because AI language models stream responses token-by-token. Researchers found that the sequence of encrypted packet sizes and their inter-arrival times creates a unique digital “fingerprint” for a specific topic.

To prove the concept, the team trained a classifier to distinguish between a target topic (“legality of money laundering”) and general background traffic. They used 100 variants of the target question and 11,716 unrelated questions. The AI-powered classifier achieved a success score of over 98 per cent in tests.

Flagged as suspicious

In a more realistic simulation of monitoring 10,000 conversations with only one sensitive topic, the attack achieved 100 per cent precision. This means every conversation the attack flagged as suspicious was, in fact, about the target topic, with no false positives. The model was able to catch between five and 50 per cent of all target conversations.

Microsoft engaged in responsible disclosure with affected vendors. OpenAI, Mistral, Microsoft, and xAI have all deployed protections. OpenAI and Microsoft Azure mitigated the risk by adding an “obfuscation” field containing a random sequence of text to mask the true token length. Mistral added a new parameter “p” that has a similar effect.
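The effect of such a padding field on what is visible on the wire can be shown with a small simulation. This is an added example, not code from Microsoft or any vendor; the event framing, the `delta` key, the 32-character pad range and the fixed per-record TLS overhead are assumptions made for illustration.

```python
import json
import secrets
import string

# Assumption: TLS 1.3 with AES-GCM adds a fixed 22 bytes per record (5-byte
# header, 1-byte content type, 16-byte tag), so ciphertext size tracks plaintext size.
TLS_OVERHEAD = 22

def chunk(token, pad_max=0):
    """Serialize one streamed token as a simplified SSE event (constructed format)."""
    event = {"delta": token}  # "delta" is a hypothetical key name
    if pad_max:
        n = secrets.randbelow(pad_max + 1)  # random pad length, 0..pad_max
        event["obfuscation"] = "".join(secrets.choice(string.ascii_letters) for _ in range(n))
    return ("data: " + json.dumps(event) + "\n\n").encode()

def observed_sizes(tokens, pad_max=0):
    """Record sizes visible on the wire, one record per streamed token."""
    return [len(chunk(t, pad_max)) + TLS_OVERHEAD for t in tokens]

def recovered_token_lengths(sizes):
    """Token lengths implied by the sizes if framing is constant (no padding)."""
    base = len(chunk("")) + TLS_OVERHEAD
    return [s - base for s in sizes]

def distinct_sizes(token, pad_max, trials=200):
    """How many different wire sizes the same token produces across trials."""
    return len({observed_sizes([token], pad_max)[0] for _ in range(trials)})

if __name__ == "__main__":
    tokens = ["The", " forecast", " for", " tomorrow", " is", " rain", "."]  # constructed sample
    plain = observed_sizes(tokens)
    print("token lengths      :", [len(t) for t in tokens])
    print("unpadded, recovered:", recovered_token_lengths(plain))
    print("padded, recovered  :", recovered_token_lengths(observed_sizes(tokens, pad_max=32)))
    print("sizes seen for one token, padded:", distinct_sizes(" forecast", 32))
```

Without padding, the record sizes give back the exact token lengths; with the random field, the same token maps to many sizes. The simulation covers packet size only, not the inter-arrival timing that the attack also uses.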

While the issue is primarily for AI providers to fix, Microsoft advised concerned users to use VPN services, avoid discussing highly sensitive topics on untrusted networks, and prefer providers who have implemented mitigations.
