Security Experts: It’s Easy to Abuse Microsoft Recall to Steal User Data



Microsoft has pushed back on claims that Recall—a feature that remembers everything you do on your PC for faster system-wide searches—poses a privacy risk. But now two security researchers say Recall makes it easy for hackers to steal data from Windows 11 users. Cybersecurity researcher Alexander Hagenah released a demo tool on Tuesday that shows how a piece of malware can easily loot saved data from a user’s Recall function. “The database is unencrypted. It’s all plain text,” Hagenah told Wired in underscoring how insecure Recall records information on a PC. “It’s a Trojan 2.0 really, built in.”

Hagenah’s research (Credit: Alexander Hagenah)

Hagenah released his tool, dubbed TotalRecall, days after another security researcher and former Microsoft employee, Kevin Beaumont, published a blog post documenting alleged flaws in the Recall feature. Microsoft has yet to widely release Recall to consumers; it’s available now in the preview release for Windows 11 version 24H2. This includes offering early access to Recall for Windows PCs running Arm processors, either physically or through a virtual machine. After trying out the feature, Beaumont discovered that it’s easy for a hacker or malware to access files saved by Recall, despite Microsoft’s claim that it uses encryption. Beaumont found that Recall will save information in an easy-to-discover database within the user’s AppData folder. And surprisingly, the database will record the information in plaintext. 

This Tweet is currently unavailable. It might be loading or has been removed.

The database will also tightly compress the saved information, meaning several months’ worth of recorded user history could be exfiltrated from the PC in seconds. The danger arises if a hacker tricks the user into installing malware that accesses the Recall database and secretly pilfers sensitive information like passwords and financial account numbers.

Recommended by Our Editors

“I think [Microsoft is] probably going to set fire to the entire Copilot brand due to how poorly this has been implemented and rolled out,” Beaumont said. “It’s an act of self harm at Microsoft in the name of AI, and by proxy real customer harm.”The findings inspired Hagenah to create TotalRecall. In his own GitHub posting, Hagenah also notes that Recall “stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC.”The findings arrive as many security and privacy experts have called out Recall as a creepy spyware threat. Microsoft didn’t immediately respond to a request for comment, but it has previously said it’s still gathering user feedback on Recall to help it develop more controls for the technology and to improve its overall experience. Still, users have spotted Recall running by default for new Windows 11 Copilot+ PCs.

Hands On: Microsoft’s 2024 Surfaces Level Up With Copilot AI, Arm Silicon

Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

We will be happy to hear your thoughts

Leave a reply

Shoparoon
Logo
Compare items
  • Total (0)
Compare
0
Shopping cart