U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Malware can steal data collected by the Windows Recall tool, experts warn

Cybersecurity researchers demonstrated how malware could potentially steal data collected by the new Windows Recall tool. The Recall feature of Microsoft Copilot+ is an AI-powered tool designed to help users search for past activities on their PC. The data collected by the tool is stored and processed locally. After its presentation, it raised security and […]

Windows Recall tool

Cybersecurity researchers demonstrated how malware could potentially steal data collected by the new Windows Recall tool.

The Recall feature of Microsoft Copilot+ is an AI-powered tool designed to help users search for past activities on their PC. The data collected by the tool is stored and processed locally. After its presentation, it raised security and privacy concerns among cybersecurity experts because it scans and saves periodic screenshots of the computer screen, potentially exposing sensitive data, like passwords or financial information.

Microsoft attempted to downplay the risks for the users, the company pointed out that an attacker would need physical access to obtain data collected by the Recall tool.

However, multiple researchers have demonstrated that a malicious code could steal data collected by the Recall feature.

The popular cybersecurity expert Kevin Beaumont explained that an attacker can gain remote access to a device running Recall using a malware.

“When you’re logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do.” reads a post published by Beaumont. “For example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall.”

Microsoft pointed out that information captured by their tool is highly encrypted and nobody can access them, but Beaumont said it is false and published a video of two Microsoft engineers accessing the folder containing the images.

The cybersecurity researcher Alex Hagenah has released a PoC tool, named TotalRecall, that can automatically extract and display the snapshots captured by Recall on a laptop and saved into its database.

“The database is unencrypted. It’s all plain text,” Hagenah says.⁩” told Wired.

“Windows Recall stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC.” Hagenah explained “Here’s where you can find them:

C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}

The images are all stored in the following subfolder

.\ImageStore\

The IT researcher Marc-André Moreau explained that an info-stealing malware can easily steal temporarily visible passwords from Remote Desktop Manager, which are captured by the Recall tool, from a local SQLite database.

While Recall remains as a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” concludes Wired.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, AI)