Cybersecurity researchers have uncovered vulnerabilities in Microsoft’s Recall feature, intended to aid users in locating past activities on Windows PCs. Despite Microsoft’s assertions that physical access and valid credentials are necessary to access collected data, experts have demonstrated how malware can exploit Recall’s data storage mechanisms. This revelation raises concerns over potential privacy breaches, particularly given the sensitive nature of the information Recall captures, such as passwords and financial data.
One researcher, Marc-André Moreau, showcased how a remote desktop manager password collected by Recall could be easily retrieved from an unencrypted SQLite database, providing a pathway for information-stealing malware. Another expert, Alexander Hagenah, developed an open-source tool called TotalRecall, which can extract and display data from Recall’s database, further highlighting the feature’s vulnerability. Hagenah expressed disappointment in the lack of security measures surrounding such a powerful feature and called for Microsoft to address these concerns before Recall’s official release.
Kevin Beaumont delved into Recall’s security infrastructure, warning of potential modifications by threat actors to steal data from the Windows feature. Despite Recall’s efficient compression of collected data, Beaumont’s tests using off-the-shelf infostealer malware demonstrated its susceptibility to exfiltrating Recall data undetected by Microsoft Defender for Endpoint. With Recall still in preview, Microsoft has the opportunity to enhance its security measures before the feature is widely available, addressing the concerns raised by cybersecurity researchers.
