Are conversations with AI chatbots safe? Microsoft uncovers a serious flaw that could expose your personal conversations
Microsoft has warned about a new kind of side-channel attack that can reveal to an eavesdropper what a user is talking about with an AI chatbot such as ChatGPT or Gemini. The attack, dubbed “Whisper Leak”, does not let the attacker read the text of the conversation, but the attacker can still infer its topic by analysing patterns in the encrypted network traffic.
In a blog post, Microsoft said the weakness could allow an ISP, a government, or someone on the same Wi-Fi network to learn what a user is discussing with a chatbot. It warned that this kind of attack poses “real-world risks to users by oppressive governments where they may be targeting topics such as protesting, banned material, election process, or journalism”, and that it could enable surveillance of discussions about topics such as money laundering or political dissent.
How does the attack work?
Microsoft explained that the attack exploits the streaming way in which chatbots deliver their responses. Large language models (LLMs), the engines behind chatbots, generate a reply one token at a time, predicting each token from the prompt and the tokens produced so far rather than composing the whole response at once. Chat services stream those tokens to the user as they are produced, so the reply travels as a sequence of small encrypted chunks whose sizes and arrival times depend on the text inside them.
Even though traffic to and from the chatbot is encrypted, an attacker who can observe the encrypted packets (but not decrypt them) can use their sizes and timing as signals to determine the topic of the conversation.
“If a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics — whether that’s money laundering, political dissent, or other monitored subjects — even though all the traffic is encrypted,” Microsoft said in its blog post.
The Microsoft researchers simulated an attacker who could observe the encrypted traffic but not decrypt it, and trained several machine-learning models to act as an AI-powered eavesdropper on that traffic. They found that the classifiers could flag conversations on a sensitive topic with 100% precision (every flagged conversation really was about that topic) while still catching 5–20% of the target conversations.
“Nearly every conversation the cyberattacker flags as suspicious would actually be about the sensitive topic — no false alarms. This level of accuracy means a cyberattacker could operate with high confidence, knowing they’re not wasting resources on false positives,” the company warned.
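To make the mechanism concrete, the following Python simulation is an added example for this article; it is not Microsoft's code and its data is constructed. It models a chatbot streaming one token per encrypted chunk (length-preserving encryption, so record size = token length + an assumed constant overhead), lets an on-path observer see only the record sizes, trains a naive-Bayes eavesdropper on those sizes for a "money laundering" topic versus a "baking" topic, and reports accuracy plus precision and recall at the operating point where no benign conversation is flagged, the trade-off the figures above describe. It also shows, as an assumed mitigation, what happens to the classifier when every chunk is padded to a fixed size. Timing is left out; only sizes are modelled.

```python
"""Whisper-Leak-style traffic analysis on constructed data (illustrative only)."""
import math
import random
from collections import Counter

# Assumed framing: each streamed token is sent in its own SSE/JSON chunk inside
# one TLS record. AEAD encryption preserves length, so the observer sees
# len(token) + constant. Both constants are assumptions for this demo.
FRAME_OVERHEAD = 60   # JSON/SSE framing bytes around the token text
TLS_OVERHEAD = 21     # 5-byte record header + 16-byte AEAD tag

# Constructed vocabularies: words any reply uses, plus topic-specific words.
# Only their lengths matter to the eavesdropper.
SHARED = ["the", "of", "to", "and", "a", "in", "is", "it", "you", "that",
          "with", "for", "this", "are", "can", "about", "what", "how",
          "something", "question", "understand", "however"]
TOPICS = {
    "money laundering": ["laundering", "transaction", "jurisdiction",
                         "offshore", "shell", "compliance", "beneficial",
                         "ownership", "structuring", "cryptocurrency"],
    "baking": ["cake", "flour", "sugar", "eggs", "oven", "bake",
               "butter", "whisk", "recipe", "mix"],
}
TOPIC_WORD_RATE = 0.5   # fraction of tokens drawn from the topic vocabulary
RESPONSE_TOKENS = 60


def generate_response(topic, rng):
    """Constructed stand-in for an LLM emitting a reply one token at a time."""
    words = TOPICS[topic]
    return [rng.choice(words) if rng.random() < TOPIC_WORD_RATE
            else rng.choice(SHARED) for _ in range(RESPONSE_TOKENS)]


def stream_on_the_wire(tokens, pad_to=None):
    """Record sizes an on-path observer sees; the content itself is never exposed.

    pad_to: if set, every plaintext chunk is padded up to this size before
    encryption (assumed mitigation, used to show why the leak exists).
    """
    sizes = []
    for tok in tokens:
        plaintext = len(tok) + FRAME_OVERHEAD
        if pad_to is not None:
            plaintext = max(plaintext, pad_to)
        sizes.append(plaintext + TLS_OVERHEAD)
    return sizes


class TopicClassifier:
    """Naive-Bayes eavesdropper over the multiset of record sizes.

    Learns, per topic, how often each record size occurs; add-one smoothing
    keeps sizes never seen in training from producing log(0).
    """

    def __init__(self):
        self.counts, self.totals, self.sizes = {}, {}, set()

    def train(self, labelled_streams):
        for topic, sizes in labelled_streams:
            self.counts.setdefault(topic, Counter()).update(sizes)
            self.totals[topic] = self.totals.get(topic, 0) + len(sizes)
            self.sizes.update(sizes)

    def log_likelihood(self, topic, sizes):
        vocab = len(self.sizes) + 1
        c, n = self.counts[topic], self.totals[topic]
        return sum(math.log((c[s] + 1) / (n + vocab)) for s in sizes)

    def score(self, sizes, target, other):
        """Log-likelihood ratio: > 0 favours `target`, < 0 favours `other`."""
        return self.log_likelihood(target, sizes) - self.log_likelihood(other, sizes)


def simulate(seed=7, pad_to=None, n_train=200, n_test=100):
    """Return accuracy, plus precision/recall at the no-false-alarm threshold."""
    rng = random.Random(seed)
    target, other = "money laundering", "baking"

    def batch(n):
        return [(t, stream_on_the_wire(generate_response(t, rng), pad_to))
                for t in (target, other) for _ in range(n)]

    clf = TopicClassifier()
    clf.train(batch(n_train))
    scores = [(t, clf.score(s, target, other)) for t, s in batch(n_test)]
    correct = sum((sc > 0) == (t == target) for t, sc in scores)
    # Conservative operating point: raise the threshold until no benign
    # conversation in the evaluation set is flagged, then count how many
    # target conversations are still caught (precision 1.0, partial recall).
    threshold = max(sc for t, sc in scores if t != target)
    flagged = [t for t, sc in scores if sc > threshold]
    precision = flagged.count(target) / len(flagged) if flagged else 0.0
    return {"accuracy": correct / len(scores),
            "precision": precision,
            "recall": flagged.count(target) / n_test}


if __name__ == "__main__":
    print("unpadded:", simulate())
    print("padded:  ", simulate(pad_to=FRAME_OVERHEAD + 16))
```

With the constructed vocabularies the unpadded stream is almost perfectly separable, because some record sizes occur for only one topic; with every chunk padded to the same size the two topics produce identical size distributions and the classifier's score is exactly zero for every conversation. Real traffic is noisier than this, which is why the published results combine sizes with timing and reach 100% precision only at 5–20% recall.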
Microsoft also warned that the threat could grow worse over time as attackers collect more training data and use more sophisticated models.