3 Sources
[1]
Microsoft Recall can still nab credit cards, passwords, info
Our tests have shown there are ways to get around the promised security improvements
Exclusive: Microsoft Recall, the AI app that takes screenshots of what you do on your PC so you can search for it later, has a filter that's supposed to prevent it from screenshotting sensitive info like credit card numbers. But a test by The Register shows that it still fails in many cases, creating a potential treasure trove for thieves.
Recall was introduced in 2024 as an exclusive app on Copilot+ PCs, which are laptops that come with a dedicated Neural Processing Unit (NPU) to help with AI-related tasks. Initially, researchers found serious security issues with it, and Redmond pulled it in the spring before re-introducing an ostensibly more secure version in fall 2024. These days, a screen encouraging you to enable it is part of the Windows setup experience on many new PCs.
Although Microsoft claims that Recall is safe and private, the software could be a goldmine of personal information if a miscreant manages to break into your system. The app has a "Filter sensitive information" setting enabled by default that's supposed to exempt personal data such as credit card numbers and passwords from capture. However, according to our tests, that filter frequently fails. And there's no way it would know to avoid potentially damaging entries in your web history that you'd rather keep private (such as things related to your medical history or personal life). Just as bad, the screenshots Recall takes are available to anyone who has your PIN number, even via remote access.
To find out just how well the sensitive information filter works, I took a Lenovo Yoga Slim 7x Copilot+ PC with Recall enabled and tried entering many types of personal data that no one would want getting into the wrong hands. To give credit where it's due, the tool correctly identified and excluded a lot of financial data, some passwords, and most instances of Social Security numbers.
When I logged into my bank account, Recall snagged both my bank's home page and several screens where my balance and a list of deposits appeared. On the bright side, it correctly excluded the screen with my account and ABA routing numbers on it. So an attacker would know which bank I use and how much money I have, both details that could help them, but not my credentials or account number.
Recall did a pretty good job with shopping forms. When I went to the Microsoft site and added a credit card to my account, it took a screenshot with the card number, CVC and date fields blank. And when I created my own fake web page with a credit card entry form (with the letters CC: in front of the number field), the software filtered it out. However, when I removed text such as "checkout page" and "Enter payment info" from the form, leaving the credit card number, expiration date, and CVC, Recall captured it. Maybe it's unfair to expect the software to identify a credit card number without words like "credit card" or "pay" near it, but not all shopping forms look the same.
The password blocking was mixed. When I opened up Google Chrome's password manager, Recall correctly filtered it out. The tool gets extra credit for not screenshotting this sensitive info, even when I took a screenshot of it in the Snipping Tool and displayed that on-screen. It also worked when I created a text file in Notepad with the words username and password in it. However, when I just listed usernames and passwords in a text file without those identifiers, it captured the screen. Perhaps we shouldn't expect Recall to know that a text file is full of passwords - and, no, you shouldn't keep your passwords in a text file - but many people probably have lists of their passwords without the word "password" printed next to them.
There are so many ways that people store and refer to personal data that it's impossible to imagine Recall or any software catching them all.
For example, when I entered a Social Security number in a Word document with the prefix "My SS#:" before it, the tool only captured an image with the first three digits in it. However, when I made the prefix "Soc:," it captured all the digits.
When I logged into my PayPal account, Recall captured the login screen showing my username, but not my password. It correctly avoided screenshotting the account page, which showed my transactions, but if a bad actor had my username, that's some of the information they would need to get in.
In another instance, I had a photo of my passport visible on the screen and Recall correctly avoided it. However, when that photo was partially covered by another window, Recall took the screenshot.
When contacted about our findings, Microsoft declined to comment. To be fair, though, Microsoft doesn't claim that Recall's sensitive data filter is perfect. In a blog post from November, when it officially started giving Windows Insiders access to the feature, Principal Product Managers Amanda Langowski and Brandon LeBlanc wrote that "we'll continue to improve this functionality, and if you find sensitive information that should be filtered out, for your context, language, or geography, please let us know through Feedback Hub."
Users also have the option to block specific apps or websites from being screenshotted. To do so, you have to add them to a blacklist in Windows settings->Privacy & Security->Recall & snapshots. However, you'd have to anticipate in advance what you want to block. And, if you're really being diligent, you'd block your browser apps, which effectively makes Recall useless.
Redmond also labels Recall as a "preview" app. However, if you're pushing the app during the Windows OOBE process on new laptops, it's hard to argue that it's in beta and therefore immune from criticism.
Microsoft has also made a lot of noise about Recall's security.
In June 2024, after security researcher and former Microsoft employee Kevin Beaumont detailed serious problems, including the fact that Recall's database was stored in plain text, the company pulled the product out of previews for several months and made some changes. In a September blog post from VP of Enterprise and OS Security David Weston, Microsoft detailed a number of security improvements. Most importantly, the snapshots and database are now encrypted and stored in a Virtualization-based Security Enclave (VBS). It also requires Windows Hello logins for you to view or search Recall snapshots.
"Recall snapshots are available only after you authenticate using Windows Hello credentials," Weston wrote. "Specifically, Windows Hello Enhanced Sign-in Security biometric credentials protect your privacy and actively authenticate you to query your semantic indices and view associated snapshots."
However, Weston didn't note that Windows Hello also supports using a PIN code for access, in addition to faces or fingerprints. So, if you have someone's PIN code or can guess it, you can access all of their Recall screenshots.
Lack of physical access to the PC with the Recall data is not a blocker either. I installed free TeamViewer remote desktop software on the Copilot+ laptop and was able to view my entire Recall history from a second computer. When it asked for my face, I just gave it my PIN instead.
It's also possible that the VBS enclave and encryption are not infallible. "Attackers have prior exploited side-channel flaws in VBS and Hyper-V to infer secrets from enclaves unless hyper-threading is disabled or fully patched," Huntress Security Senior SOC Manager Dray Agha told The Register. "So, administrators must apply all mitigations promptly and patch as Recall will inevitably become vulnerable to attacks over the years, which - as we know from multiple exploited vulnerabilities over the years - many folks simply do not do.
Recall is an unnecessary security and privacy risk for not that much usability gain."
Privacy advocates are also concerned about the consequences of the wrong people gaining access to users' personal information. In July, the makers of Brave browser announced that it would be blocking Recall by designating every tab as "private," something which Microsoft's software respects.
Peter Snyder, principal privacy researcher at Brave Software, told El Reg that the company is concerned about vulnerable users, such as domestic violence victims, being harmed by Recall screenshots. An abusive partner would be able to see that they were visiting websites that offer support, medical help, or a way to escape.
"Many users need to hide certain bits of Web browsing from people who have access to their computer or phone," Snyder said. "Recall makes it extra-difficult for Brave to provide these kinds of protections because Recall isn't designed to give software control over what is included in Recall's snapshots."
Snyder explained that Brave has a feature called "Off-the-Record," which helps users hide their browsing behavior, even from someone who has physical access to their PC. It has another feature called "Forgetful Browsing" that clears cookies and other storage from a site as soon as you leave it. Recall's screenshotting makes both of these features useless.
Whether you're the type of person who blocks cookies or just someone who doesn't want your identity stolen, there are lots of reasons to be concerned about Recall. "I don't dispute that Microsoft has the best intentions at heart, along with doing as much as they can to ensure the security of this feature," said Sean Wright, Director of Application Security at Featurespace. "However, there are so many caveats, that I personally don't see how one would be able to have all these areas covered from a privacy and security concern."
[2]
Microsoft's Windows Recall is reportedly still capturing passwords and Social Security numbers even after its relaunch
New report finds security loopholes still exist in this controversial Windows 11 feature
The controversial Microsoft Windows Recall AI app may still be in need of security work, according to testing from the UK technology site The Register. The app, which takes screenshots of everything you do on your PC so you can find it later, supposedly has safeguards to stop it from grabbing sensitive information like credit card numbers and passwords. However, The Register's team recently tested Recall and discovered that the filter actually fails "in many cases."
Recall has had a bumpy launch since it was announced as a new app for Copilot+ PCs in the summer of 2024. It was almost immediately pulled back due to security concerns, like capturing sensitive information. The app stuttered into release and recall repeatedly, and was even caught capturing credit card numbers in December of 2024. It only recently returned to Windows Insiders in April of this year.
With Recall still in preview mode, Microsoft claims it's safe and private, with a filter called "Filter sensitive information" which is enabled by default and is supposed to prevent sensitive data from being captured.
The Register's Avram Piltch used a Lenovo Yoga Slim 7x Copilot Plus PC with Recall enabled and entered several types of personal information. He does credit the filter with excluding financial data, "some" passwords, and "most instances" of Social Security numbers. However, he found that Recall snapped screenshots of his bank's home page and a number of screens showing his balance and deposits, though it did exclude his account and routing numbers.
From there, Piltch performed a number of tests excluding certain language from forms or pages, or storing information in different spots on his computer, and much to his surprise, Recall captured that information. In one example, he wrote "My SS#" in a Word doc and it was filtered out, but when he changed it to "Soc. #" it did get captured.
And in one case, a document with passwords was totally captured, especially dangerous since many people might still keep their passwords in unsecure documents on their PCs (something we highly discourage given that several of the best password managers are completely free) even if they're not explicitly labeled "My passwords."
To be fair to Microsoft, the app is still in preview mode and has been since October of 2024. A blog post from November did state that Microsoft teams are working to improve the functionality of the security filter. Though, the app is being pushed during the Windows onboarding process, so perhaps that preview mode shouldn't be given as much slack.
You do have the option to block specific apps or websites from being captured. You have to go to Settings - Privacy & Security - Recall & snapshots. From there you can blacklist things. You could block your browser, though that might make Recall less useful, especially if you work outside of Microsoft's office ecosystem.
If you're worried about Windows Recall potentially capturing your sensitive personal and financial data, there's an easy way to avoid this feature entirely: don't get a Copilot+ PC. Windows Recall is designed to work specifically with laptops that use Qualcomm's Snapdragon processors, so by going with one of the best laptops powered by an Intel or AMD chip for your next upgrade, you won't have to worry about the potential security implications of this controversial feature at all.
Then again, Microsoft may decide to shelve Windows Recall for good at some point, especially given its lukewarm initial reception and the security and privacy issues it has faced already.
[3]
New report alleges Microsoft Recall is still screenshotting credit card numbers and passwords
Recall's security issues might not have been completely eliminated.
Microsoft Recall's security woes have come back to the fore after a test caught the AI screenshotting tool capturing sensitive data (again). Ahead of its public beta release in April, Microsoft made a slew of security updates to Recall, including adding a filter that's supposed to block Recall from recording passwords, credit card info, social security numbers, and similar sensitive data. It looks like more fine-tuning is still needed.
The Register's Avram Piltch conducted an in-depth security test on Recall that revealed the AI doesn't always filter out sensitive data. The filter was usually successful when keywords like "password" or "pay" were on screen, but whenever they weren't, Recall often misfired and took a screenshot. For instance, it screenshotted a text document with a list of usernames and passwords that weren't labeled.
It makes sense that Microsoft's AI might rely on searching for visual hints like the word "password" to recognize when sensitive info is on screen. However, that's clearly a hit-or-miss strategy. If those keywords aren't displayed the way the AI expects or they're completely missing, there's a decent chance the filter won't work. That means you really never know if Recall is going to correctly filter out your sensitive data or not.
As Piltch pointed out, "There are so many ways that people store and refer to personal data that it's impossible to imagine Recall or any software catching them all."
Passwords and credit card numbers aren't the only sensitive info at risk with Recall, either. Piltch's test also caught the AI screenshotting a bank account page that showed balance and transaction info. Even without the corresponding account login info, that data could still be useful to a hacker.
That brings up the next issue Piltch's test unearthed: it's possible to remotely access Recall screenshots.
You can only activate Recall after setting up Windows Hello Enhanced Sign-On, which is supposed to require a fingerprint or facial ID. Piltch was also able to sign into Windows Hello with just a PIN, though, then use that PIN to remotely access all of the Recall screenshots on his Copilot+ PC.
For those who have been following along with the Recall rollercoaster, none of this will come as a surprise. The feature has faced wave after wave of criticism for the security and privacy issues it raises, and no amount of security updates seems to be able to fix that.
Despite still being a WIP "preview feature," Copilot is clearly a major initiative from the AI-obsessed Microsoft, and as Piltch points out, Recall is already being advertised during the setup process in Windows 11. For right now, it looks like your safest and smartest move is still to keep Recall completely turned off.
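The keyword dependence reported in the articles above, as an added example (not code from Microsoft, Recall, or any of the cited publications): a label-driven filter, modelling the hypothesis that the filter keys on on-screen words, is run next to a content-based check that validates the digits themselves. The keyword list, sample strings, and function names are constructed for illustration.

```python
import re

# Assumed label list for the model filter; NOT Recall's actual logic or word list.
KEYWORDS = ("credit card", "cc:", "payment", "password", "ss#", "social security")

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed screen text mirroring the test cases reported in the articles.
SAMPLES = {
    "labelled card form": "Checkout page\nEnter payment info\nCC: 4111 1111 1111 1111\n12/29\n123",
    "unlabelled card form": "4111 1111 1111 1111\n12/29\n123",
    "SSN with 'My SS#:'": "My SS#: 078-05-1120",
    "SSN with 'Soc:'": "Soc: 078-05-1120",
    "unlabelled credentials": "alice  Tr0ub4dor&3\nbob  correct-horse-battery",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def keyword_filter(text: str) -> bool:
    """Model filter: flags the screen only when a known label is visible."""
    lowered = text.lower()
    return any(k in lowered for k in KEYWORDS)


def content_findings(text: str) -> list:
    """Content-based check: validates the digits, ignores surrounding labels."""
    found = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.append("card")
    for area, group, serial in SSN_RE.findall(text):
        # Structural SSN rules: no 000/666/9xx area, no 00 group, no 0000 serial.
        if area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000":
            found.append("ssn")
    return found


def compare() -> dict:
    """Return {sample name: (keyword filter hit, content findings)}."""
    return {name: (keyword_filter(t), content_findings(t)) for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kw, content) in compare().items():
        print(f"{name:24} keyword={kw!s:5} content={content}")
```

The last sample is missed by both checks: free-form passwords have no structure to validate, which is the limit Piltch describes.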
Recent tests reveal that Microsoft's Recall AI app, designed to capture PC activity, still has security flaws allowing it to screenshot sensitive information like passwords and financial data.
Microsoft's AI-powered screenshot tool, Recall, is once again under scrutiny for its ability to capture sensitive information, despite recent security updates. Introduced in 2024 as an exclusive feature for Copilot+ PCs, Recall was designed to take screenshots of user activity for easy searching later. However, recent tests have revealed that the app's security measures are still falling short of expectations [1].
The Register's investigation found that Recall's "Filter sensitive information" setting, which is enabled by default, fails to consistently protect user data. While the filter successfully blocked some instances of financial information and passwords, it struggled with less obvious presentations of sensitive data [1].
For example:
The inconsistent filtering raises significant concerns about the potential misuse of captured data. If a malicious actor gains access to a system with Recall enabled, they could potentially retrieve a wealth of sensitive information [2].
Adding to these concerns, The Register's test revealed that Recall screenshots could be accessed remotely using just a PIN, bypassing the supposed requirement for biometric authentication through Windows Hello Enhanced Sign-On [3].
When contacted about these findings, Microsoft declined to comment. However, the company has previously acknowledged that the filter is not perfect and has encouraged users to report issues through the Feedback Hub [1].
Users do have some control over Recall's behavior:
Despite being labeled as a "preview" app, Recall is being actively promoted during the Windows setup process on new Copilot+ PCs. This aggressive push, combined with the persistent security issues, has led to continued criticism of the feature [3].
As AI-powered tools become more integrated into operating systems, the balance between functionality and privacy remains a critical concern. The ongoing issues with Recall serve as a reminder of the challenges in developing AI systems that can reliably protect sensitive user data while providing innovative features.