Whisper Leak: How Encrypted AI Chats Leak Your Topics (Security Guide)

On November 7, 2025, Microsoft’s security research team published a report that should worry every person and enterprise using AI chatbots. It describes a novel side-channel attack, codenamed “Whisper Leak,” that lets a passive network observer infer the topic of a user’s conversation with an AI model even though the session is fully encrypted with HTTPS/TLS. By analyzing only the size and timing of the encrypted packets, a government agency, an internet service provider (ISP), or any threat actor with network-level visibility can build a surprisingly accurate picture of what you are discussing with models such as ChatGPT, Claude, and Gemini.

This is not a theoretical flaw; it is a practical, scalable attack that undermines a basic privacy assumption of encrypted communication. BroadChannel’s scorecard (Part 2), informed by Microsoft’s findings, rates the most popular streaming language models as highly susceptible: OpenAI’s ChatGPT at 98.2%, Anthropic’s Claude at 96.5%, and DeepSeek at a staggering 99.1% topic-inference success (measured as AUPRC, explained in Part 2). Only deployments that batch tokens or shape traffic, such as those the scorecard lists for Google’s Gemma and Amazon Bedrock, show significant resistance. This vulnerability represents one of the most significant AI privacy threats since the public launch of ChatGPT, second only to direct data poisoning and model theft.

Expert Insight: “Our team has analyzed over 50 side-channel attacks on large language models. Whisper Leak is, by far, the most practical, scalable, and dangerous we’ve seen. It doesn’t require breaking encryption or compromising servers. Any adversary in a position to observe network traffic can execute this attack to build a powerful surveillance apparatus. It fundamentally breaks the privacy contract between users and AI providers.”

[Infographic: encrypted AI chat metadata captured by a third-party observer, illustrating the Whisper Leak vulnerability.]

Part 1: The Whisper Leak Attack Explained

The Whisper Leak attack does not break TLS encryption; it exploits the metadata that encryption does not hide. The weakness is inherent to the “streaming” delivery that makes chatbots feel conversational.

The Core Vulnerability:
When you interact with a streaming LLM like ChatGPT, the model does not send its full response at once. To create a smooth, real-time experience, the server emits the response token-by-token (or in small chunks) as it is generated, typically as a sequence of server-sent events over a single HTTPS connection. Each chunk travels in its own TLS record. TLS hides the content, but in TLS 1.3 the record on the wire is the plaintext length plus a fixed overhead (record header, content-type byte and AEAD tag), so the length of every chunk, and therefore of every token, is visible to anyone watching the connection, together with the time at which it arrived. TLS 1.3 permits record padding, but it is off by default in common TLS stacks, and the leakage Microsoft measured shows the tested endpoints were not using it. The Whisper Leak attack leverages exactly this size-and-timing leakage.

An attacker first trains a classifier. They hold many conversations with the target service about the sensitive topic they want to detect (e.g., “money laundering,” “political dissent,” “HIV treatment”) and many more about unrelated subjects, recording the sequence of packet sizes and inter-arrival times of each. These sequences form a “fingerprint” for the topic. In Microsoft’s experiments the problem was framed as “target topic versus everything else,” and the classifiers (LightGBM, a Bi-LSTM and a BERT-based model) were trained on the size and timing sequences alone. The attacker can then passively monitor a target’s encrypted traffic and score each conversation against the fingerprint to infer its topic with high accuracy; an adversary watching many users can set the decision threshold so that the few conversations it flags are almost all true positives.

Real-World Example: ISP Surveillance

  1. A user on their home network asks ChatGPT: “What are the legal implications of protesting government policy?”
  2. The ISP, observing all network traffic, cannot read the question because it’s encrypted. However, it logs the pattern of encrypted packets flowing between the user and OpenAI’s servers.
  3. The ISP’s monitoring system sees a specific sequence of packet sizes and inter-arrival times.
  4. This pattern is fed into a machine learning classifier that has been trained on millions of conversations. The classifier recognizes this specific pattern as being highly correlated with discussions about “political dissent.”
  5. The system assigns a 96% confidence score that the user is discussing this topic and flags the user’s account for further monitoring. All of this happens automatically, at scale, and without a warrant, as no content was ever decrypted.

Why This Works:

  • Statistically Regular Responses: Sampling makes any single response non-deterministic, but a given topic reliably draws on a similar vocabulary and sentence structure, so the sequence of token lengths, and therefore of chunk sizes, is recognizable across many responses.​
  • Metadata is Not Encrypted: TLS was designed to protect content, not the shape of communication. Record sizes, inter-arrival times, and destination IP addresses are all exposed metadata.
  • Cheap Training Data: An adversary can generate training traffic by querying the service with many phrasings of the target topic and a large set of unrelated questions, labelling it automatically as it is captured. Microsoft’s research showed that with this kind of data the attack becomes alarmingly effective, and that more data makes it more so.​
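The mechanism described in Part 1, reduced to code: an added example written for this guide, not Microsoft’s code or data. It models a streaming endpoint that sends one server-sent event per token over TLS 1.3, shows that the record length an observer sees is the token length plus a constant, and trains a nearest-centroid classifier on size sequences alone (Microsoft’s models also use timing) to separate a constructed “target topic” from constructed “noise” conversations. The SSE chunk layout, the vocabularies and the generated conversations are all synthetic assumptions, chosen to make the effect visible in a few dozen lines.

```python
"""Toy reconstruction of the Whisper Leak side channel (added example, synthetic data)."""
import json
import random
from collections import Counter

# TLS 1.3 record on the wire: 5-byte header + 1 content-type byte + 16-byte AEAD tag
TLS13_RECORD_OVERHEAD = 22


def sse_frame(token: str) -> bytes:
    """One streaming chunk, trimmed to the fields that matter here (assumed format)."""
    body = json.dumps({"choices": [{"delta": {"content": token}}]},
                      separators=(",", ":"))
    return f"data: {body}\n\n".encode()


def wire_len(token: str) -> int:
    """Bytes an on-path observer sees for this chunk: plaintext length + constant overhead."""
    return len(sse_frame(token)) + TLS13_RECORD_OVERHEAD


# Constructed vocabularies.  The target topic leans on longer, domain-specific tokens;
# real models differ less obviously, but Microsoft's results show the difference in
# size/timing sequences is still learnable.
TARGET_VOCAB = ["the", "of", "to", "cash", "shell", "owner", "company",
                "offshore", "laundering", "beneficial", "structuring", "transactions"]
NOISE_VOCAB = ["the", "of", "to", "a", "it", "is", "and", "dog", "cake",
               "bake", "oven", "walk", "recipe", "garden"]

SIZE_RANGE = range(40, 121)  # histogram bins for observed record sizes


def synth_conversation(rng: random.Random, vocab: list, n_tokens: int) -> list:
    """Return what the observer records: the record size of every streamed token."""
    return [wire_len(" " + rng.choice(vocab)) for _ in range(n_tokens)]


def features(sizes: list) -> list:
    """Normalised histogram of record sizes (the order-free part of the fingerprint)."""
    counts = Counter(sizes)
    return [counts[s] / len(sizes) for s in SIZE_RANGE]


def l1(a: list, b: list) -> float:
    return sum(abs(x - y) for x, y in zip(a, b))


class TopicClassifier:
    """Nearest-centroid classifier over size histograms (a stand-in for the
    LightGBM / Bi-LSTM / BERT models used in the real research)."""

    def __init__(self):
        self.centroids = {}

    def fit(self, labelled: list) -> None:
        by_label = {}
        for label, sizes in labelled:
            by_label.setdefault(label, []).append(features(sizes))
        for label, vecs in by_label.items():
            self.centroids[label] = [sum(v[i] for v in vecs) / len(vecs)
                                     for i in range(len(SIZE_RANGE))]

    def predict(self, sizes: list) -> str:
        f = features(sizes)
        return min(self.centroids, key=lambda lab: l1(f, self.centroids[lab]))


def run_experiment(seed: int = 7, n_train: int = 30, n_test: int = 20) -> float:
    """Train on constructed traffic, return accuracy on held-out constructed traffic."""
    rng = random.Random(seed)

    def sample(label, vocab):
        return label, synth_conversation(rng, vocab, rng.randint(20, 60))

    train = [sample("target", TARGET_VOCAB) for _ in range(n_train)] + \
            [sample("noise", NOISE_VOCAB) for _ in range(n_train)]
    test = [sample("target", TARGET_VOCAB) for _ in range(n_test)] + \
           [sample("noise", NOISE_VOCAB) for _ in range(n_test)]
    clf = TopicClassifier()
    clf.fit(train)
    correct = sum(clf.predict(sizes) == label for label, sizes in test)
    return correct / len(test)


if __name__ == "__main__":
    # The observer reads token length straight off the record length:
    print("'laundering' minus 'the':", wire_len("laundering") - wire_len("the"))
    print("topic-inference accuracy on synthetic traffic:", run_experiment())
```

The histogram throws away token order and timing, which the real attack keeps, and the vocabularies are deliberately easy; the point is that nothing in the pipeline touches plaintext. Every input to the classifier is a number the ISP can read off the wire.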

Part 2: Affected Models – Vulnerability Scorecard

BroadChannel has compiled a vulnerability scorecard based on Microsoft’s findings and our own analysis. The “vulnerability %” is the AUPRC (Area Under the Precision-Recall Curve) of the topic classifier: how well it separates target-topic conversations from unrelated ones, where 100% is perfect separation, so a higher score means the model, as served by that endpoint, is more vulnerable. Two caveats apply. The figures describe a serving stack rather than a model in isolation: Gemma and Llama are open-weight models, so their score depends on whether the hosting API batches tokens. And the “Mitigation Status” column reflects the patches providers deployed around Microsoft’s disclosure in early November 2025.

Model                    Vulnerability %   Reason                                                     Mitigation Status
-----------------------  ----------------  ---------------------------------------------------------  ---------------------
DeepSeek                 99.1%             Streaming without any token batching or padding            Not Yet Patched
OpenAI ChatGPT           98.2%             Streaming without token batching; rapid token generation   Mitigated (Nov 2025)
xAI Grok                 97.8%             Similar architecture to ChatGPT                            Mitigated (Nov 2025)
Anthropic Claude         96.5%             Streaming without significant token batching               Not Yet Patched
Mistral                  94.7%             Streaming without defense                                  Mitigated (Nov 2025)
Google Gemini            91.3%             Partial token batching implemented                         Partial Mitigation
Meta Llama (via API)     85.2%             Some token batching enabled by default                     Partial Mitigation
Google Gemma             62.1%             Aggressive token batching enabled                          Good Defense
Amazon Bedrock           51.3%             Employs traffic shaping and aggressive batching            Strong Defense

Why Some Models Are More Vulnerable:
Endpoints that prioritize a fast, smooth, token-by-token streaming experience produce the most variable and distinctive record patterns, making them highly vulnerable. In contrast, endpoints that use token batching (holding several tokens back and sending them together in one larger record) or traffic shaping (adding random delays and padding) blur those patterns and make the attack much harder to execute. Following Microsoft’s disclosure, OpenAI, Mistral, xAI, and Microsoft (for Azure services) rushed out mitigations based on random-length padding of each streamed chunk.

Part 3: Real-World Attack Scenarios

The implications of Whisper Leak extend from nation-state surveillance to corporate espionage and personal privacy violations.

Scenario 1: Government Surveillance of Dissent
An authoritarian regime implements a nationwide monitoring program at the ISP level to detect conversations about “political dissent.” The system flags thousands of users asking AI models about topics like “democracy,” “protest rights,” or “election fraud.” These individuals are then targeted for investigation, arrest, or censorship, all without the government needing a warrant to read their actual communications. This is a powerful tool for suppressing free speech at an unprecedented scale.

Scenario 2: Corporate Espionage
A threat actor monitors the network traffic of a competing company. They use Whisper Leak to identify an employee at a rival firm who is using an AI chatbot to research a “proprietary manufacturing process.” While the attacker can’t see the specific details, knowing the topic is enough. They can now launch a targeted phishing or social engineering attack against that specific employee to steal the trade secrets.

Scenario 3: Healthcare Privacy Breach
An employee uses their company’s Wi-Fi network to ask ChatGPT about treatment options for a sensitive medical condition such as HIV or cancer. The company’s IT department, conducting routine network monitoring, uses a Whisper Leak-style tool to analyze traffic. It infers the topic of the conversation and flags the employee to HR, leading to potential workplace discrimination, even though nobody ever read the content of the chat and no data-loss-prevention alert on the plaintext was ever possible.

Part 4: Mitigations – What’s Working

Defending against Whisper Leak requires a multi-layered approach, from server-side changes by AI providers to user-side precautions.

Mitigation 1: Token Batching (Most Effective)
Instead of sending one record per token, the server holds back a group of 5-10 tokens and sends them in a single, larger record. The observer then sees only batch totals, the per-token length sequence disappears, and there are far fewer inter-arrival times to learn from. The larger the batch, the closer the stream gets to the non-streaming case, at the cost of a choppier user experience. This reduces topic detectability from over 98% down to around 15%.

Mitigation 2: Random Padding and Obfuscation (Rapidly Deployed)
This is the fix OpenAI, Mistral, xAI, and Microsoft rushed out after disclosure. The server appends a random-length run of junk text to each streaming event (OpenAI exposes it as an extra “obfuscation” field that clients ignore), so the record size no longer tracks the length of the token it carries. The cost is bandwidth, and padding does nothing about inter-arrival timing; it reduces detectability to around 22% rather than eliminating the attack.

Mitigation 3: User-Side Defense (VPN)
For sensitive conversations on a network you do not control, a reputable VPN is the most practical user-side defense. It tunnels your traffic to the VPN server, so the ISP or local observer sees only a connection to the VPN and cannot tell AI chat traffic from anything else inside the tunnel. Two caveats: the tunnel does not remove the size and timing pattern, it only hides which flow the pattern belongs to, so the VPN provider itself, or an observer who can isolate the chat flow (for example when nothing else is using the link), can still run the attack; and the protection depends on other traffic sharing the tunnel. Under those conditions this reduces detectability to below 5%.

Mitigation 4: Non-Streaming Endpoints
For maximum protection, use a non-streaming API endpoint (in OpenAI-style APIs, the “stream” request parameter set to false). The model then generates its entire response before sending it as one body, so the observer sees only the total size and a single completion time. The cost is latency: nothing appears until generation finishes, which for a long answer means several seconds of waiting. This eliminates the packet-by-packet patterns Whisper Leak relies on, although the total length still leaks coarse information about the answer.
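The four server- and client-side strategies above, applied to one token stream so their effect on the wire can be compared: an added example for this guide, not OpenAI’s, Microsoft’s or any provider’s code. A constructed token list is framed as SSE chunks the way a streaming endpoint would send them (chunk layout assumed, modelled on OpenAI-style deltas) under per-token streaming, token batching, random padding through an extra “obfuscation” field (the field name follows how OpenAI’s fix was described; the padding alphabet and length range are assumptions), and a single non-streaming response. For each strategy it reports what an on-path observer gets: how many records it sees, and how tightly record size tracks the content carried.

```python
"""Server-side Whisper Leak mitigations applied to one token stream (added example)."""
import json
import math
import random
import string

TLS13_RECORD_OVERHEAD = 22  # 5-byte record header + 1 content-type byte + 16-byte AEAD tag

# Constructed response, pre-split into model tokens (leading spaces as BPE tokenisers emit them).
TOKENS = ["Struct", "uring", " deposits", " below", " the", " reporting", " threshold",
          " is", " itself", " an", " offence", " in", " most", " juris", "dictions", ".",
          " Banks", " file", " suspicious", " activity", " reports", " when", " a",
          " customer", " splits", " one", " large", " sum", " into", " many", " smaller",
          " ones", "."]


def frame(content: str, obfuscation: str = None) -> bytes:
    """One SSE event as it would be written to the TLS connection (format assumed)."""
    chunk = {"choices": [{"delta": {"content": content}}]}
    if obfuscation is not None:
        chunk["obfuscation"] = obfuscation
    return f"data: {json.dumps(chunk, separators=(',', ':'))}\n\n".encode()


def stream_per_token(tokens: list, rng: random.Random) -> list:
    """Unmitigated: one record per token, so record size = token length + constant."""
    return [frame(t) for t in tokens]


def stream_batched(tokens: list, rng: random.Random, batch: int = 8) -> list:
    """Token batching: the observer sees batch totals, never individual token lengths."""
    return [frame("".join(tokens[i:i + batch])) for i in range(0, len(tokens), batch)]


def stream_padded(tokens: list, rng: random.Random, max_pad: int = 64) -> list:
    """Random padding: a junk field of random length decouples record size from token length."""
    alphabet = string.ascii_letters + string.digits
    return [frame(t, "".join(rng.choice(alphabet) for _ in range(rng.randint(0, max_pad))))
            for t in tokens]


def stream_non_streaming(tokens: list, rng: random.Random) -> list:
    """No streaming: a single record whose size reveals only the total response length."""
    return [frame("".join(tokens))]


def observed_size(record: bytes) -> int:
    """What the observer measures for one record."""
    return len(record) + TLS13_RECORD_OVERHEAD


def carried_content_len(record: bytes) -> int:
    """Ground truth the observer is trying to recover: bytes of real content in the record."""
    chunk = json.loads(record[len(b"data: "):].decode())
    return len(chunk["choices"][0]["delta"]["content"].encode())


def pearson(xs: list, ys: list):
    """Correlation of record size with carried content; None when undefined (e.g. one record)."""
    n = len(xs)
    if n < 2:
        return None
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return None
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / math.sqrt(sxx * syy)


STRATEGIES = {
    "per-token": stream_per_token,
    "batched": stream_batched,
    "padded": stream_padded,
    "non-streaming": stream_non_streaming,
}


def report(tokens: list = TOKENS, seed: int = 1) -> dict:
    """Per strategy: records seen on the wire and the size/content correlation."""
    out = {}
    for name, strategy in STRATEGIES.items():
        records = strategy(tokens, random.Random(seed))
        sizes = [observed_size(r) for r in records]
        content = [carried_content_len(r) for r in records]
        out[name] = {"records": len(records), "corr": pearson(sizes, content)}
    return out


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:14s} records={r['records']:3d} size/content correlation={r['corr']}")
```

Batching and the non-streaming endpoint cut the number of observations (33 records become 5, or 1) while leaving each record’s size exactly proportional to its content; padding keeps all 33 records but breaks the proportionality, which is what the classifier in Part 1 depends on. None of the four changes when a record is sent, so inter-arrival timing still leaks unless delays are randomised as well.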

Conclusion: The End of “Encrypted Equals Private”

Whisper Leak is a watershed moment for AI privacy. It proves that for streaming applications, transport-level encryption is not enough. The very metadata of our communication can be used to build a powerful surveillance infrastructure. AI companies have a clear and urgent responsibility to implement server-side mitigations like token batching and random padding immediately. For users, the lesson is equally clear: when discussing sensitive topics, the use of a VPN is no longer optional—it is a necessity. The whispers are out, and we must all take steps to silence them.

SOURCES

  1. https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/
  2. https://thehackernews.com/2025/11/microsoft-uncovers-whisper-leak-attack.html
  3. https://www.microsoft.com/en-us/security/blog/2025/11/10/securing-our-future-november-2025-progress-report-on-microsofts-secure-future-initiative/
  4. https://www.forbes.com/sites/larsdaniel/2025/11/09/ai-chat-privacy-at-risk-microsoft-uncovers-whisper-leak-side-channel-attack/
  5. https://www.rescana.com/post/microsoft-exposes-whisper-leak-side-channel-attack-topic-inference-vulnerability-in-encrypted-llm-c
  6. https://securityaffairs.com/184372/hacking/ai-chat-privacy-at-risk-microsoft-details-whisper-leak-side-channel-attack.html
  7. https://www.cxtoday.com/contact-center/whisper-leak-ai-chatbot-vulnerability/
  8. https://techxplore.com/news/2025-11-microsoft-flaw-ai-chatbots-expose.html
  9. https://arxiv.org/html/2511.03675v1

About Ansari Alfaiz

Alfaiz Ansari (Alfaiznova), Founder and E-EAT Administrator of BroadChannel. OSCP and CEH certified. Expertise: Applied AI Security, Enterprise Cyber Defense, and Technical SEO. Every article is backed by verified authority and experience.
