xiand.ai
Apr 23, 2026 · Updated 03:41 AM UTC

New tool bypasses Microsoft Windows Recall security vault

Security researcher Alexander Hagenah has released TotalRecall Reloaded, a tool capable of extracting sensitive user data by exploiting the Windows Hello authentication process.

Ryan Torres


A security researcher has unveiled a new tool capable of extracting sensitive personal data from Microsoft's Windows Recall feature, bypassing the company's recent security upgrades.

According to a report by The Verge, cybersecurity expert Alexander Hagenah developed 'TotalRecall Reloaded' to demonstrate vulnerabilities in the AI-powered feature. The tool functions by exploiting the way the system handles user authentication.

Microsoft recently redesigned Recall to include a secure vault protected by Windows Hello authentication. This architecture was intended to prevent malware from accessing captured data without a face or fingerprint scan.

However, Hagenah claims this security boundary is insufficient. "My research shows that the vault is real, but the trust boundary ends too early," Hagenah said, according to The Verge.

Exploiting the authentication process

The TotalRecall Reloaded tool can run silently in the background and trigger the Recall timeline to force a Windows Hello prompt. Once the user authenticates, the tool can extract every piece of data captured by the feature.

"TotalRecall Reloaded makes that ‘latent malware’ ride along," Hagenah noted in the report.

This specific exploit targets the exact scenario Microsoft's new architecture was designed to prevent. The feature, which takes periodic screenshots of user activity, stores more than just images. It captures text, messages, emails, documents, and browsing history.

Microsoft previously stated that its use of a Virtualization-based Security Enclave would restrict attempts by malware to steal data during user authentication. This update followed a year-long delay for the feature after it was initially labeled a privacy nightmare.

The finding surfaces during a period of heightened scrutiny of Microsoft's security practices. In a previous internal memo, CEO Satya Nadella instructed employees that if faced with a tradeoff between security and other priorities, the answer must be security.
