
Researchers Show How Malware Could Steal Windows Recall Data

Cybersecurity researchers are demonstrating how malware could steal data collected by the new Windows Recall feature.


Several cybersecurity researchers have demonstrated how malware could steal data collected by Microsoft’s recently introduced Recall feature.

Recall, an on-by-default feature of new Copilot+ PCs, enables Windows users to easily find something they know they have seen before on their PC. 

The Recall feature takes screenshots at regular intervals to capture the user’s activities. All the data is stored and processed locally, which Microsoft was hoping would ease potential privacy concerns. 

However, cybersecurity and privacy experts immediately raised concerns, both because the screenshots can capture highly sensitive information such as passwords and financial data, and because of how intrusive the feature is.

Microsoft told reporters that a threat actor would need physical access and valid credentials to a machine to obtain the collected data, but researchers have started demonstrating that neither is required: code running as the logged-in user can read the data directly.

Researcher Marc-André Moreau showed how a remote desktop manager password collected by Recall can be recovered from a local, unencrypted SQLite database with nothing more than a query, putting it within easy reach of information-stealing malware.


Another cybersecurity expert, Alexander Hagenah, has made available an open source tool, named TotalRecall, that can easily extract and display data from the Recall database. 
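As an added illustration of the problem Moreau and Hagenah describe (this is not code from SecurityWeek, from Moreau, or from the TotalRecall project), the Python script below builds a constructed Recall-like SQLite database, reads it back the way any process running as the logged-in user could, and greps the captured text for credential and card-number patterns. The two-table layout, the file name and the sample rows are assumptions for the example; the real Recall schema is not given on this page.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Assumed (hypothetical) layout: one row per screenshot with its window title,
# plus a table holding the text captured from that screenshot. The real Recall
# schema is not described on this page, so treat these names as assumptions.
SCHEMA = """
CREATE TABLE WindowCapture (
    Id INTEGER PRIMARY KEY,
    WindowTitle TEXT,
    TimeStamp INTEGER
);
CREATE TABLE WindowCaptureText (
    CaptureId INTEGER REFERENCES WindowCapture(Id),
    CapturedText TEXT
);
"""

# Constructed sample rows (not real captured data): a remote desktop manager
# window showing a password, a banking page, and a harmless editor window.
SAMPLE_ROWS = [
    (1, "Remote Desktop Manager", 1717000000,
     "Host: rdp.corp.example  Username: admin  Password: Winter2024!"),
    (2, "Online Banking - Browser", 1717000300,
     "Account 1234 5678 9012 3456  Balance: 4,210.55"),
    (3, "notes.txt - Editor", 1717000600,
     "todo: rotate keys, review PR 42"),
]

# Patterns an infostealer (or an auditor) would run over the captured text.
SECRET_PATTERNS = {
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def build_sample_db(path):
    """Create the constructed Recall-like database at `path`."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO WindowCapture VALUES (?, ?, ?)",
                    [(r[0], r[1], r[2]) for r in SAMPLE_ROWS])
    con.executemany("INSERT INTO WindowCaptureText VALUES (?, ?)",
                    [(r[0], r[3]) for r in SAMPLE_ROWS])
    con.commit()
    con.close()


def dump_captures(path):
    """Read every capture; only the file owner's normal access is needed."""
    # Open read-only so an audit run cannot alter the database.
    con = sqlite3.connect(f"file:{Path(path).as_posix()}?mode=ro", uri=True)
    rows = con.execute(
        "SELECT c.Id, c.WindowTitle, c.TimeStamp, t.CapturedText "
        "FROM WindowCapture c JOIN WindowCaptureText t ON t.CaptureId = c.Id "
        "ORDER BY c.TimeStamp"
    ).fetchall()
    con.close()
    return rows


def find_secrets(rows):
    """Return (capture id, window title, kind, matched text) for every hit."""
    hits = []
    for cap_id, title, _ts, text in rows:
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                hits.append((cap_id, title, kind, match.group(0)))
    return hits


def scan_sample():
    """Build the constructed database in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as workdir:
        db = Path(workdir) / "recall_sample.db"   # assumed file name
        build_sample_db(db)
        return find_secrets(dump_captures(db))


if __name__ == "__main__":
    for cap_id, title, kind, matched in scan_sample():
        print(f"capture {cap_id} [{title}] {kind}: {matched}")
```

Nothing in the script escalates privilege or bypasses a control; it is a plain SQL query over a file the user already owns, which is exactly why an infostealer running in the user's session would need no more than that. The same join, with the window title attached to each hit, is also what a defender would want when auditing what Recall has actually retained on a machine.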

“It’s a bit disappointing to see such a powerful feature not taking security more seriously. I hope Microsoft will address this before the official release,” Hagenah said.

Researcher Kevin Beaumont has taken a close look at Recall’s security and warned that threat actors could modify infostealers to grab data from the new Windows feature.

Beaumont said the data collected by Recall is stored very compactly, with several days’ worth of data needing less than 100 KB of storage, small enough to exfiltrate quickly and without drawing attention.

Beaumont says he tested an off-the-shelf infostealer, which exfiltrated the Recall data before Microsoft Defender for Endpoint detected it.

Recall is currently in preview and Microsoft can still make changes to it before it becomes generally available. 

SecurityWeek has reached out to Microsoft for comment and will update this article if the tech giant responds.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
