Users' Windows 11 Recall database and screenshots may be accessed with another account
Security concerns surrounding one of Microsoft's new AI features have begun to pop up.
Later this month, Microsoft will release the first batch of Copilot + PCs, laptops that are designed with AI in mind and have several unique AI programs installed out of the box. One of these is Recall, which essentially allows users to go back and view their previous activity across any app or browser on their computer. As users have begun to test the Recall feature, some are pointing out how easy it is for personal information to fall into the wrong hands.
In a recent opinion piece, Ars Technica held a magnifying glass over Microsoft’s new Recall feature. While Microsoft has stated that there will be proper encryption on the Copilot + PC devices that come with Recall, this isn’t the case for those who are testing the feature out on other hardware. In a blog post, researcher Kevin Beaumont explained the massive security risk that comes with Recall.
Source: Microsoft
The way Recall works is that it constantly takes screenshots of whatever’s on your screen, storing them in a database that you can search to find exactly what you were doing on a certain date/time. In its current form, this information can be easily accessed by someone using the same computer, even if they’re logged into a different account. This database can also be accessed as the result of a virus infection.
We won’t know just how big of a security risk Recall is until the Copilot + PCs ship later this month. That said, stick with Shacknews for important stories out of the tech industry.
-
Shacknews
replyDonovan Erskine posted a new article, Users' Windows 11 Recall database and screenshots may be accessed with another account
-
So it seems like at least in its current form, Windows Recall is a malicious data miners wet dream.
Beaumont says admin access to the system isn’t required to read another user’s Recall database. Another user with an admin account can easily grab any other user’s Recall database and all the Recall screenshots by clicking through a simple UAC prompt. The SQLite database is stored in plain text, and data in transit isn’t encrypted, either, making it trivially easy to access both the stored database of past activity and to monitor new entries as Recall makes them. Screenshots are stored without a file extension, but they're regular old image files that can easily be opened and viewed in any web browser or image editor.
The other big problem is that because Recall is on by default and you have to manually exclude specific apps or websites from being scraped by it, the SQLite database will keep records of activities that are explicitly meant to be hidden or temporary. That includes viewing pages in Incognito mode in some browsers, emails or messages that you delete from your device, and files that you edit or delete.
https://arstechnica.com/?p=2028683-
-
-
-
-
Announcing it in this form still is a huge mistake. I don’t know what they’re thinking.
I wonder if the devil’s incarnate responsible for Teams made this. It would make total sense. It’s a product that does the opposite of every good convention.-
Yeah, something like this should start with "here's how we're going to keep your data secure. It's a new thing you haven't seen before because we know this is serious" - Instead we got an intern project that OCRs screenshots and sticks it in a SQLite database. And it's enabled by default. GG Microsoft.
-
-
-
-
-
The initial community that will be able to use this will be small once it’s rolled out in supported mode. It requires that new chipset that will only be in new machines. What people are doing today to enable it won’t be supported. And if you turn it on in unsupported mode, that’s on you.
Having seen the beta threads about it, I also expect a lot to change.
-
-
-
Technically the machines belong to the company, not the employee. There is likely already all sorts of shit on there for protection and monitoring.
-
Any org that does that would be stupid, it would be a discovery nightmare. I can’t imagine most places would be ok with enabling this at all.
-
-
-
-
-
-
Hey they used it for Sticky Notes!! If it’s good enough for that, it’s good enough for enterprise.
-
-
-
Consumers: "Hey man, are you gonna fix this? Or, you know uh, I mean, do you got any promising uh, uh, leads? Or-"
MS: "Leads, yeah sure. I'll uh, just check with the boys down at the lab. They uh, got uh, four more principal software engineers working on the case. They've got us working in shifts!" -
"the way an entry level developer would have done it." As a prototype and they fucking shipped it.
-
the way an entry level developer would have done it.
-
I can't really think of a time when I'd ever need this feature.
-
-
lol, what the fuck
-
Plain text, wtf?
-
-
I guarantee you that there is an enterprise customer out there who asked for this. MS does customer councils and events in Redmond all the time. I’ve been at some of them. Features that get the big customers to renew or expand their licensing drives features. Heck, this could be included in a new E7 level that has been rumored for a while.
-
I guarantee you that there is an enterprise customer out there who asked for this. MS does customer councils and events in Redmond all the time. I’ve been at some of them. Features that get the big customers to renew or expand their licensing drives features. Heck, this could be included in a new E7 level that has been rumored for a while.
-
-
lol, so much for the assurances that the data collected by MS Recall would be encrypted.
https://www.wired.com/story/total-recall-windows-recall-ai/
-
