Microsoft’s planned Windows Recall feature remains vulnerable to cyberattacks in its latest version, according to a security researcher – even as Google is prepping similar technology for its upcoming Pixel 9 devices.
Windows Recall was delayed over concerns that it would create privacy and security vulnerabilities by recording users’ screen activity and saving it in an easily hackable database. Those issues apparently still remain a few weeks later in preview versions of Recall.
Windows Recall Still Insecure: Researcher
Kevin Beaumont, the security researcher who started the Recall backlash, posted on Mastodon this week that the latest preview version remains vulnerable to the “TotalRecall” exploit developed by researcher Alex Hagenah.
Beaumont wrote that he “got ahold of what I think is the latest Microsoft Recall (Copilot+ Recall? Nobody knows the branding) build and.. well.. Total Recall still works with the smallest of tweaks to export the database, it’s still accessible as a plaintext database with marketing as the security layer.”
Beaumont also said that the Recall bug bounty set by Microsoft appears to be only $1,000 for discovering and reporting a high-severity or critical vulnerability, a number he said is too low given the value of the data. “That probably needs clarifying as nobody is going to sell photographic memory access to Windows devices to MS for that value – it’s way more valuable elsewhere,” he said.
He also noted that “the Recall backlog must be very large as it’s just becoming a truck load of features being dumped on.”
Recall may be starting to show up in previews of upcoming releases, according to some reports, including in the Windows 11 24H2 preview on x64_x86 hardware that will be officially released in the fall (screenshot from X below).
The Cyber Express has reached out to Microsoft for comment and will update this article with any response.
Google Preps ‘Pixel Screenshots’
Google is reportedly prepping a feature similar to Recall for its upcoming Pixel 9 devices. However, Google’s implementation may be more privacy-friendly and less likely to cause an uproar.
According to Android Authority, Pixel Screenshots “will only work on screenshots you take yourself. When you do that, the app will add a bit of extra metadata to it, like app names, web links, etc. After that, it will be processed by a local AI, presumably the new multimodal version of Gemini Nano, which will let you search for specific screenshots just by their contents, as well as ask a bot questions about them.”
