Researchers Show How Malware Could Steal Windows Recall Data

Cybersecurity researchers are demonstrating how malware could steal data collected by the new Windows Recall feature.

Several cybersecurity researchers have demonstrated how malware could steal data collected by Microsoft’s recently introduced Recall feature.

Recall, an on-by-default feature of new Copilot+ PCs, enables Windows users to easily find something they know they have seen before on their PC. 

The Recall feature takes screenshots at regular intervals to capture the user’s activities. All the data is stored and processed locally, which Microsoft was hoping would ease potential privacy concerns. 

However, cybersecurity and privacy experts immediately raised concerns, both because the screenshots could contain highly sensitive information such as passwords and financial data, and because of the feature’s intrusiveness.

Microsoft told reporters that a threat actor would need physical access to a machine and valid credentials to obtain the collected data, but researchers have started demonstrating that this claim is false.

Researcher Marc-André Moreau showed how a remote desktop manager password collected by Recall can easily be recovered from a local unencrypted SQLite database, making it easy for information-stealing malware to obtain. 

Another cybersecurity expert, Alexander Hagenah, has made available an open source tool, named TotalRecall, that can easily extract and display data from the Recall database. 

“It’s a bit disappointing to see such a powerful feature not taking security more seriously. I hope Microsoft will address this before the official release,” Hagenah said.

Researcher Kevin Beaumont has taken a close look at Recall’s security and warned that threat actors could modify infostealers to grab data from the new Windows feature.

Beaumont said the data collected by Recall is efficiently compressed, with several days’ worth of data needing less than 100 Kb of storage.

The researcher claims he has conducted tests using an off-the-shelf infostealer, which managed to exfiltrate Recall data before it was detected by Microsoft Defender for Endpoint.

Recall is currently in preview and Microsoft can still make changes to it before it becomes generally available. 

SecurityWeek has reached out to Microsoft for comment and will update this article if the tech giant responds.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.