Copilot’s screen-snapping Recall data stored in plain text


Researchers have scorned the safety implications of Microsoft's Recall feature, pointing out that the tech behemoth will set cybersecurity back a decade and empower cybercrooks.

The wave of ridicule washing over Microsoft’s decision to screenshot everything users do is far from receding. While the tech behemoth tried quashing criticism by claiming that attackers won't be able to remotely access screenshots, researchers think otherwise.

According to Kevin Beaumont, a cybersecurity researcher and former senior threat intelligence analyst at Microsoft, Recall-collected information is stored in an SQLite database. Moreover, anyone with administrator-level access, a default setting for most Windows users, can view the data.

“Microsoft told media outlets that a hacker cannot exfiltrate Copilot+ Recall activity remotely. Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated,” Beaumont shared on X.

Beaumont lamented Microsoft’s claims that attackers would have to have physical access to the device if they wanted to steal Recall data. While Recall-specific malware might not exist yet, given the sensitivity of the data it collects, attackers will be incentivized to roll up their sleeves.

For example, Beaumont claims to have tested the feature with messaging apps like WhatsApp, Signal, and Teams. While these apps allow for encrypted communications and disappearing messages, Recall takes screenshots of conversations, raising severe concerns about privacy.

“Somebody message you with disappearing messages? They're recorded anyway. Write a disappearing message? It's recorded. Delete a message? It's recorded,” Beaumont wrote.

Microsoft introduced Recall with its new batch of AI-driven personal computers, Copilot+. Satya Nadella, Microsoft's CEO, compared the Recall feature to the device's “photographic memory.”
