Microsoft Flags AI Metadata Flaw That Could Expose Private Conversations



A recent study by Microsoft has identified a significant vulnerability in AI chatbots, including models similar to ChatGPT and Google Gemini, that could reveal the topics of user conversations, even without decrypting the messages themselves. The flaw, dubbed “Whisper Leak”, was detected in nearly all large language models (LLMs) tested by the company.

When users interact with AI assistants, their messages are typically protected by TLS (Transport Layer Security), the same encryption used for online banking. TLS prevents outsiders from reading the content of communications. However, Microsoft’s research shows that certain metadata (information about how the messages are transmitted) remains visible. Whisper Leak exploits this metadata, using the size and timing of data packets to infer what a user is discussing.

In their tests, Microsoft researchers examined 28 different LLMs. They prepared two types of queries: one targeting sensitive subjects, such as money laundering, and another with thousands of ordinary, everyday questions. By recording the patterns of data transmission, the team trained an AI model to distinguish sensitive topics based solely on traffic rhythms.

According to TechXplore, results showed that the AI could identify the conversation topic with over 98% accuracy in most models. In scenarios where sensitive topics appeared only once in 10,000 queries, the system still detected them reliably. The team also evaluated three mitigation strategies, but none fully prevented the leakage.

Importantly, the vulnerability does not compromise encryption itself. Rather, it exploits information that TLS inherently exposes about the structure and timing of data. The researchers emphasized that the risk arises from the way LLM responses are transmitted, not the cryptographic protocols protecting the messages.
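The following added example (not code from the Microsoft study or from any LLM provider) shows why encrypted record lengths still track the plaintext when a reply is streamed piece by piece, and how padding each piece to a fixed bucket flattens the length pattern. Assumptions: each token travels in its own TLS 1.3 AES-GCM record with 22 bytes of overhead, HTTP framing is ignored, the two replies are constructed sample data, and bucket padding is an illustrative countermeasure, not necessarily one of the three the researchers evaluated.

```python
import struct

# Assumed model of one TLS 1.3 AES-GCM record: 5-byte header + 1-byte inner
# content type + 16-byte auth tag. HTTP/SSE framing is ignored for simplicity.
TLS_OVERHEAD = 22
BUCKET = 32  # hypothetical padding granularity in bytes


def wire_sizes(chunks):
    """Record lengths a network observer sees when each chunk is sent alone."""
    return [len(c) + TLS_OVERHEAD for c in chunks]


def pad(chunk, bucket=BUCKET):
    """Length-prefix the chunk and zero-fill it up to a multiple of `bucket`."""
    body = struct.pack(">H", len(chunk)) + chunk
    return body + b"\x00" * (-len(body) % bucket)


def unpad(padded):
    """Recover the original chunk on the client side."""
    (n,) = struct.unpack(">H", padded[:2])
    return padded[2:2 + n]


# Constructed sample data: two streamed replies, one token per chunk.
REPLY_A = [b"The", b" capital", b" of", b" France", b" is", b" Paris", b"."]
REPLY_B = [b"Interest", b" compounds", b" monthly", b" on", b" the",
           b" balance", b"."]

if __name__ == "__main__":
    for name, reply in (("A", REPLY_A), ("B", REPLY_B)):
        padded = [pad(c) for c in reply]
        assert [unpad(p) for p in padded] == reply  # padding is lossless
        print(name, "unpadded:", wire_sizes(reply))
        print(name, "padded:  ", wire_sizes(padded))
```

Padding removes the per-chunk length signal only: the number of records and the gaps between them are unchanged, so it narrows the side channel without closing it.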

Microsoft’s findings highlight a growing concern as AI systems increasingly handle confidential or sensitive information. The study urges LLM providers to address metadata leakage to ensure user privacy, particularly in applications where sensitive topics are frequently discussed. As AI adoption expands in both commercial and security-critical contexts, preventing such indirect leaks will be crucial for maintaining trust in these systems.

The research was published here.