How encrypted AI assistant chats can still leak secrets

Researchers found a side channel in major AI assistants, excluding Google Gemini, that can expose parts of encrypted responses. The attack studies token-length patterns and uses trained LLMs to infer what the assistant likely wrote.

WTF Index TERMINATOR
◄ Terminator 3 Idiocracy 0 ►

The story highlights a serious privacy and surveillance risk where encrypted AI assistant traffic can leak sensitive response content through metadata.

How encrypted AI assistant chats can still leak secrets

Private conversations with AI assistants are not protected by encryption alone if other signals in the traffic reveal enough about what is being sent. Researchers have described a side-channel attack that can infer AI assistant responses by watching the size and order of encrypted tokens as they travel from the service to the user.

The finding matters because people already use these tools for highly sensitive questions and documents, including pregnancy, divorce, drug addiction, and proprietary business material. The research says the issue affects major AI assistants, with the exception of Google Gemini.

What the attack can reveal

The attack does not need to break encryption in the traditional sense. Instead, it relies on observing traffic between an AI assistant and a user from a passive adversary-in-the-middle position. That means the attacker can watch data packets pass by, without changing them.

According to the source, this position could include a malicious actor on the same Wi-Fi or LAN as the user, such as in a coffee shop, or a malicious actor on the Internet who can observe the traffic. The attack can happen without OpenAI or the client knowing.

The researchers reported two key results:

  • The method can infer the specific topic of 55 percent of captured responses, usually with high word accuracy.
  • It can recover responses with perfect word accuracy 29 percent of the time.

Those numbers are significant because the chats remain encrypted. The risk comes from metadata exposed by the way responses are streamed, not from the content being sent in plain text.

Why tokens create a privacy problem

AI assistants do not usually wait until a full answer is complete before showing it to the user. To make the experience feel immediate, they send pieces of the answer as they are generated. These pieces are tokens, which are similar to words encoded in a form that large language models can process.

The tokens are encrypted during delivery. But the size of each token remains useful to an observer because token length is close to the length of the character string it represents. When an attacker records the sequence of token sizes, that sequence becomes a clue about the words and sentence structure behind the encrypted traffic.

The researchers call this exposed pattern the “token-length sequence.” It is the side channel at the center of the attack.

A side channel is an unintended way to learn secrets from a system. The source compares side channels to indirect signals such as power use, timing, sound, light, or electromagnetic radiation. In other settings, attackers have used side channels to recover encrypted keystrokes, encryption keys from CPUs, browser cookies from HTTPS traffic, or secrets from smartcards.

How LLMs make the clues useful

Raw token-length data is not enough by itself to produce a clean transcript. A single sentence can match many possible word combinations, and a paragraph creates far more possibilities. The researchers addressed that problem by building what they call a token inference attack.

Yisroel Mirsky, head of the Offensive AI Research Lab at Ben-Gurion University in Israel, worked with Roy Weiss, Daniel Ayzenshtyen, and Guy Amit on the approach. Their method runs the token-length information through two trained LLMs.

The system uses one LLM to infer the first sentence of an AI response and another to infer inner sentences using the context of previous sentences. That split matters because the first sentence of an AI response tends to be more predictable in style than later sentences.

The researchers trained the models using example chats available on the Internet. Because AI assistants often write in recognizable patterns and reuse certain phrasings, the models can use those patterns to turn token-length sequences into plausible text.

Mirsky compared the task to solving a long version of Wheel of Fortune where no characters have been revealed. The source also likens the broader idea to a known-plaintext attack, because familiarity with likely text patterns helps an attacker interpret encrypted material.

Accuracy is not perfect, but meaning can survive

The attack does not always reconstruct every word exactly. The examples in the source show that inferred text can substitute some words while keeping the sensitive subject clear.

In one ChatGPT example, an encrypted response about legal considerations for couples considering a divorce was inferred with different words in places, but the subject and meaning remained close. In another Microsoft Copilot example, a response about effective teaching methods for students with learning disabilities was inferred as a response about cognitive behavior therapy for children with learning disabilities.

These examples show why the attack is still concerning even when the wording is imperfect. For privacy, learning the topic can be enough to expose sensitive information. A response about divorce, pregnancy, drug addiction, or business secrets may reveal what the user is dealing with even if the attacker does not recover every sentence exactly.

What this says about encrypted AI chats

The core lesson is that encryption can hide message content while still leaving patterns that reveal meaning. In this case, the user experience choice that makes AI assistants feel fast and conversational also creates the signal that the attack uses.

The research describes a gap between encrypted transport and token privacy. AI services may protect the direct contents of a chat, yet streamed token delivery can still expose the length and order of generated pieces. When those patterns are analyzed with LLMs trained on similar chats, the result can be a surprisingly readable reconstruction.

For users, the practical concern is simple: private AI assistant chats may not be private from every observer on the network, even when the service encrypts traffic. For AI providers, the finding points to a need to treat response streaming itself as part of the security design, not merely as a usability feature.