Significant advancements have recently been made in large language models represented by GPT models. Users frequently have multi-round private conversations with cloud-hosted GPT models for task optimization. Yet, this operational paradigm introduces additional attack surfaces, particularly in custom GPTs and hijacked chat sessions. In this paper, we introduce a straightforward yet potent Conversation Reconstruction Attack. This attack targets the contents of previous conversations between GPT models and benign users, i.e., the benign users' input contents during their interaction with GPT models. The adversary could induce GPT models to leak such contents by querying them with designed malicious prompts. Our comprehensive examination of privacy risks during the interactions with GPT models under this attack reveals GPT-4's considerable resilience. We present two advanced attacks targeting improved reconstruction of past conversations, demonstrating significant privacy leakage across all models under these advanced techniques. Evaluating various defense mechanisms, we find them ineffective against these attacks. Our findings highlight the ease with which privacy can be compromised in interactions with GPT models, urging the community to safeguard against potential abuses of these models' capabilities.