REDMOND / LONDON (IT BOLTWISE) – Microsoft has discovered a new vulnerability in AI models that could reveal sensitive topics in conversations despite encryption. This so-called Whisper Leak attack allows attackers to infer the topics of AI-powered conversations by analyzing network traffic. This poses a significant risk to the privacy of users and companies.
Microsoft has uncovered a new type of side-channel attack that targets remote language models. The attack, named Whisper Leak, could allow a passive attacker to learn details about the topics of model conversations by observing network traffic, even when that traffic is protected by encryption. Such leaks of data exchanged between humans and AI-powered language models could pose serious risks to user privacy and corporate communications.
Microsoft researchers Jonathan Bar Or and Geoff McDonald, along with the Microsoft Defender Security Research Team, found that attackers capable of observing encrypted traffic, such as a government actor at the ISP level or someone on the local network, could use this cyberattack to detect whether the user prompt is about a specific topic. The attack allows an attacker to observe encrypted TLS traffic between a user and an LLM service, extract packet sizes and timing sequences, and use trained classifiers to determine whether the conversation topic corresponds to a sensitive target category.
The method demonstrated by Microsoft is particularly notable because it works despite the fact that communications with AI chatbots are encrypted through HTTPS, ensuring that the content of the exchange remains secure and cannot be tampered with. Many side-channel attacks have been developed against LLMs in recent years, including inferring the length of individual plaintext tokens from the size of encrypted packets in streaming model responses, and exploiting timing differences caused by caching LLM inferences to perform input theft.
Whisper Leak builds on these findings to explore the possibility that the sequence of encrypted packet sizes and arrival times during a streaming language model response contains enough information to classify the subject of the original prompt, even in cases where responses are streamed in groupings of tokens. To test this hypothesis, Microsoft trained a proof-of-concept binary classifier capable of distinguishing between a specific topic prompt and the rest (i.e. noise) using three different machine learning models: LightGBM, Bi-LSTM and BERT.
The results show that, against many models from Mistral, xAI, DeepSeek and OpenAI, the classifiers achieve scores above 98%, allowing an attacker to reliably flag, among random conversations with the chatbots, those that concern a specific topic. Microsoft emphasizes that Whisper Leak’s effectiveness can improve as the attacker collects more training samples over time, making it a practical threat. After responsible disclosure, OpenAI, Mistral, Microsoft and xAI have all taken measures to mitigate the risk.
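The size half of this side channel, and the effect of padding as a general countermeasure, can be shown on constructed data. This is an added example, not code from Microsoft or any vendor named above; the article does not say which measures the vendors took, and the JSON event format, the constant `RECORD_OVERHEAD`, the `BUCKET` size and all function names are assumptions made for the illustration.

```python
import json

RECORD_OVERHEAD = 22  # assumption: constant bytes added per encrypted record
BUCKET = 64           # assumption: fixed event size chosen for this example

# Constructed sample: one streamed response, one token per chunk.
CHUNKS = ["The", " quick", " answer", " is", " 42", "."]

def event(chunk, pad_to=None):
    """Serialize one streamed chunk as a JSON event, optionally padded to pad_to bytes."""
    body = {"delta": chunk}
    if pad_to is not None:
        # Size of the event with an empty pad field, so the filler can be computed exactly.
        base = len(json.dumps({"delta": chunk, "pad": ""}).encode())
        if base > pad_to:
            raise ValueError("chunk larger than bucket; split it before sending")
        body["pad"] = "x" * (pad_to - base)
    return json.dumps(body).encode()

def wire_sizes(chunks, pad_to=None):
    """Sizes visible on the network: encryption hides content but not length."""
    return [len(event(c, pad_to)) + RECORD_OVERHEAD for c in chunks]

def leaked_lengths(sizes):
    """Per-chunk signal left in the sizes once the fixed framing is subtracted."""
    framing = len(event("")) + RECORD_OVERHEAD
    return [s - framing for s in sizes]

def distinct_sizes(sizes):
    """Number of different record sizes; 1 means size carries no per-chunk signal."""
    return len(set(sizes))

if __name__ == "__main__":
    plain = wire_sizes(CHUNKS)
    padded = wire_sizes(CHUNKS, BUCKET)
    print("unpadded sizes:", plain, "-> token lengths", leaked_lengths(plain))
    print("padded sizes:  ", padded, "-> distinct sizes", distinct_sizes(padded))
```

Padding to a fixed size removes only the length signal; packet arrival times, the other feature the article describes, are unaffected by it.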


