New Whisper Leak attack that guesses the topic of conversation with AI even in encrypted traffic

10.11.2025 4 minutes Author: Newsman

Microsoft has described a new side-channel attack called Whisper Leak that lets an attacker who is simply passively listening to encrypted HTTPS traffic determine the topic of a conversation with an LLM-based chatbot with high accuracy. Without decrypting a single packet, the attacker can still tell whether the user is talking about sensitive topics — politics, money laundering, etc. — which creates serious risks for the privacy of personal and corporate communications.

  • Essence of the attack. Whisper Leak allows an attacker to analyze the size and timing of encrypted packets between the user and the LLM service in streaming-response mode. From these patterns, they can classify whether the prompt belongs to a chosen “target” topic.

  • Research results. Microsoft trained a binary classifier using three ML models — LightGBM, Bi-LSTM, and BERT. On real traffic from popular LLMs by Mistral, xAI, DeepSeek, OpenAI, the accuracy of detecting a specific topic exceeded 98%.

  • Real-world risk. If, for example, a government agency or ISP is monitoring traffic to a popular chatbot, it can reliably flag users who ask about certain “undesirable” topics, even without knowing the exact text of their prompts.

Microsoft warns that with enough collected samples and more sophisticated models, the attack could become fully practical, especially when analyzing multiple conversations or long multi-turn sessions from the same user.

How Whisper Leak works and what came before

1. Streaming LLMs as a source of side channels

LLMs work in streaming mode: instead of sending the answer in one block, they stream it token by token or in chunks as it is generated. That’s convenient for the user but creates a distinct “rhythm” of traffic: sequences of packets of different sizes with specific intervals between them.

Earlier, researchers had already demonstrated attacks that:

  • reconstruct the length of individual tokens from packet size;

  • steal inputs (InputSnatch) by using timing differences of cached responses.

Whisper Leak goes one step further: it shows that the sequence of packet sizes and delays is informative enough to classify the topic of the prompt, even when tokens are batched and additionally buffered.

2. Machine learning against encrypted traffic

Microsoft built an attack pipeline:

  1. Passively collect traffic between the client and the LLM service.

  2. Extract from it the arrival time and size of each packet.

  3. Train a classifier on this feature set to distinguish “target topic / other”.

  4. For a new session, the attacker just looks at the packet patterns and decides whether the conversation belongs to the sensitive category.

The more conversations are collected, the better the model learns, and the more accurate the monitoring becomes.

3. Context: broader LLM security issues

The article also mentions separate Cisco research showing that open-weight LLMs from Alibaba, DeepSeek, Google, Meta, Microsoft, Mistral, OpenAI, and Zhipu AI are highly vulnerable to multi-turn attacks, where safety filters are gradually bypassed through a sequence of crafty prompts.

Taken together, this paints a worrying picture:

  • tokens and topics can be inferred via side channels;

  • the models themselves can be “talked into” misbehaving via dialog attacks;

  • therefore basic encryption and simple moderation layers are no longer enough.

What it means for users and companies

Whisper Leak is a reminder that HTTPS ≠ absolute privacy if someone is carefully watching the side effects of your traffic.

For everyday users:

  • avoid discussing highly sensitive topics with AI chatbots over public or untrusted networks;

  • when possible, use a VPN to make traffic correlation harder;

  • if strong anonymity is required, prefer models running in non-streaming mode.

For companies and developers:

  • choose providers that have already implemented mitigations (Microsoft, OpenAI, Mistral, xAI have added variable-length random text to responses to blur packet signatures);

  • remember that open-weight models without extra protection layers bring not only jailbreak risks but also side-channel issues;

  • deploy AI red-teaming, strong system prompts, and additional network and cryptographic defenses.
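The padding mitigation mentioned above can be illustrated with a small model of a streamed response (an added example, not code from Microsoft or any provider). The chunk format, the filler field name `p`, the 22-byte record overhead and the sample tokens are all assumptions made for the illustration.

```python
import json
import secrets
import string

RECORD_OVERHEAD = 22  # assumed fixed per-record encryption overhead, in bytes


def stream_chunk(token, pad_max=0):
    """Serialize one streamed chunk. With pad_max > 0, add a random-length
    filler field (hypothetical name "p") that the client simply ignores."""
    body = {"delta": token}
    if pad_max:
        n = secrets.randbelow(pad_max + 1)
        body["p"] = "".join(secrets.choice(string.ascii_letters) for _ in range(n))
    return ("data: " + json.dumps(body) + "\n\n").encode()


def observed_sizes(tokens, pad_max=0):
    """Ciphertext length per chunk: all a passive observer sees of the content."""
    return [len(stream_chunk(t, pad_max)) + RECORD_OVERHEAD for t in tokens]


def inferred_token_lengths(sizes):
    """Subtract the constant framing cost of an empty chunk from each size."""
    empty = len(stream_chunk("")) + RECORD_OVERHEAD
    return [s - empty for s in sizes]


def distinct_sizes(token, pad_max, trials=200):
    """Number of different wire sizes the same token produces over many sends."""
    return len({observed_sizes([token], pad_max)[0] for _ in range(trials)})


# Constructed sample: tokens of one streamed answer (not captured traffic).
TOKENS = ["Money", " laundering", " is", " the", " process", " of", "..."]

if __name__ == "__main__":
    plain = observed_sizes(TOKENS)
    print("unpadded sizes:   ", plain)
    print("inferred lengths: ", inferred_token_lengths(plain))
    print("padded sizes:     ", observed_sizes(TOKENS, pad_max=64))
    print("sizes per token, unpadded:", distinct_sizes(" is", 0))
    print("sizes per token, padded:  ", distinct_sizes(" is", 64))
```

Padding of this kind changes only the size signal; the intervals between packets, the other feature the attack uses, are untouched by it.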

In the end, Whisper Leak shows that even when the content is encrypted, metadata and traffic behavior can reveal far more than it seems. Without rethinking network and AI security at a deeper level, the era of mass LLM adoption risks becoming a goldmine for surveillance and tracking.
