New side channel attack Whisper Leak snoops on encrypted conversations with LLMs


A new side channel attack called Whisper Leak can reveal the topics of encrypted conversations between users and large language models (LLMs). What’s more, access to the underlying text isn’t even needed.


According to researchers at Microsoft, this discovery highlights a growing blind spot in AI security where encryption alone no longer guarantees privacy in model interactions.


That’s because metadata patterns – network packet sizes and timings – can be exploited to infer sensitive subjects and corporate intent, said Microsoft’s Defender Security Research team.

Metadata as a new attack surface

In other words, encryption is good at protecting content but not context. And if someone is extremely good at analyzing context, metadata becomes a new attack surface.


For instance, a nation-state actor at the internet service provider layer, someone on the local network, or someone connected to the same WiFi router can observe the encrypted traffic and use it to infer whether the user’s prompt is on a specific topic, the researchers said.

“This especially poses real-world risks to users by oppressive governments where they may be targeting topics such as protesting, banned material, election process, or journalism,” the Microsoft team explains in a blog post.

Whisper Leak exploits a side channel in network communication rather than a flaw in encryption itself – unlike traditional data breaches or model leaks.

What actually happens? LLMs generate responses step by step, producing one token at a time instead of the entire response at once. In addition, communications with the chatbots are often encrypted with HTTPS (Hypertext Transfer Protocol Secure), ensuring authenticity and security.


However, while Transport Layer Security successfully encrypts the content of communications, it reveals the size of the underlying data chunks being transmitted. For an LLM that streams responses token by token, this information reveals patterns about the tokens being generated.

Combined with timing information between packets, these leaked patterns form the basis of the Whisper Leak attack, as sufficient information is leaked to enable topic classification, Microsoft’s Defender Security Team explained in the technical report.

This, again, means these aren’t usual data breaches. Files aren’t stolen directly: attackers observe what’s going on around the data and look for small clues like timing or lags. They don’t actually need to break encryption or code.

Good at identifying topics

Researchers at Microsoft simulated a real-world scenario in which the adversary could observe encrypted traffic but not decrypt it. They chose “legality of money laundering” as the target topic for the proof-of-concept.

For positive samples, the team utilized a language model to generate 100 semantically similar variants of questions related to this topic. For negative noise samples, it randomly sampled 11,716 unrelated questions from the Quora Questions Pair dataset, covering a wide variety of topics.


The team trained LightGBM, Bi-LSTM, and BERT-based models on the collected data and evaluated them in time-only, packet-size-only, or combined modes.

Results are revealing. The research team demonstrated the attack across 28 popular LLMs from major providers, achieving near-perfect classification and high precision even at an extreme class imbalance (a 10,000:1 noise-to-target ratio).


For many models, they achieved 100% precision in identifying sensitive topics while recovering 5-20% of target conversations.

“Without strong privacy protections, users may be targeted or hesitate to share information, limiting the chatbot’s usefulness and raising ethical concerns,” Microsoft’s team said.


“Implementing robust anonymization techniques, encryption, and strict data retention policies is essential to trust and safeguarding user privacy in an era where AI-powered interactions are becoming the norm.”

The researchers shared their findings with OpenAI, Mistral, Microsoft, xAI, and other firms. OpenAI and Microsoft Azure soon added a random sequence of text of variable length to each response to mitigate the effectiveness of Whisper Leak.

However, models from providers such as Anthropic, AWS, Google, and DeepSeek haven’t been fixed yet, putting both individual private users and enterprise communications at risk.
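To make the size leak and the padding mitigation described above concrete, here is an added Python example (not code from Microsoft's report or from any provider) that a team running a streaming endpoint could adapt as a release check. It assumes one TLS 1.3 record per streamed token with a constant 22-byte overhead; the JSON event shape, the `pad` field name, and the sample tokens are hypothetical.

```python
import json
import secrets
import string

# Assumption: constant per-record overhead of a TLS 1.3 AEAD record
# (5-byte header + 1-byte inner content type + 16-byte tag).
TLS_OVERHEAD = 22

def stream_event(token, pad_max=0, rng=None):
    """Serialise one streamed token; optionally add a random-length pad field."""
    rng = rng or secrets.SystemRandom()
    event = {"delta": token}  # hypothetical event shape
    if pad_max > 0:
        n = rng.randint(1, pad_max)
        event["pad"] = "".join(rng.choice(string.ascii_letters) for _ in range(n))
    return json.dumps(event).encode("utf-8")

def observed_sizes(tokens, pad_max=0, rng=None):
    """Ciphertext sizes visible on the wire, one TLS record per token."""
    return [len(stream_event(t, pad_max, rng)) + TLS_OVERHEAD for t in tokens]

def residual_after_framing(tokens, sizes):
    """Observed size minus constant framing minus true token length.
    All zeros means record sizes disclose every token length exactly."""
    framing = len(stream_event("")) + TLS_OVERHEAD
    return [s - framing - len(t.encode("utf-8")) for t, s in zip(tokens, sizes)]

def size_trace_varies(tokens, pad_max, trials=20):
    """Release check: the same response should not yield a stable size trace."""
    traces = {tuple(observed_sizes(tokens, pad_max)) for _ in range(trials)}
    return len(traces) > 1

if __name__ == "__main__":
    # Constructed sample tokens, not taken from the research.
    sample = ["The", " answer", " depends", " on", " jurisdiction", "."]
    plain = observed_sizes(sample)
    padded = observed_sizes(sample, pad_max=64)
    print("unpadded:", plain, residual_after_framing(sample, plain))
    print("padded:  ", padded, residual_after_framing(sample, padded))
    print("trace varies with padding:", size_trace_varies(sample, 64))
```

Without padding, every residual is zero, so record sizes track token lengths one to one. Random-length padding blurs that signal rather than removing it, and it does nothing about packet timing.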

