Microsoft's Recall feature faces new privacy concerns after fresh exploit

Microsoft's AI-powered Recall feature is once again facing privacy and security concerns, despite a major redesign intended to address earlier backlash. Originally criticized as a "privacy nightmare," Recall captures snapshots of user activity on Windows PCs, storing everything from on-screen text to messages, documents, and browsing history.

2

After delaying the feature for nearly a year, Microsoft introduced stronger protections, including a secure data vault, Windows Hello authentication, and a Virtualization-Based Security (VBS) enclave. The company claimed these measures would prevent malware from accessing Recall data, even if it attempted to exploit user authentication, while simultaneously reassured users that Microsoft isn't going to be accessing the snapshots taken of desktops as they are stored locally.

However, cybersecurity researcher Alexander Hagenah has challenged those claims with a new tool called TotalRecall Reloaded. The tool can reportedly trigger a Windows Hello prompt and, once the user authenticates, extract all stored Recall data. Hagenah argues this shows malware can still "ride along" with legitimate authentication - something Microsoft said its redesign would block.

Microsoft disputes this, stating the behavior aligns with intended system protections and does not represent a security flaw. The company also points to safeguards like timeouts and anti-hammering protections to limit abuse.

Hagenah, however, claims these protections can be bypassed and maintains the issue lies in how decrypted data is handled after authentication. While he praised parts of the redesign, including the VBS enclave, he believes the system still falls short of its security goals. The renewed concerns highlight the risks tied to Recall's extensive data collection and whether its convenience outweighs potential privacy trade-offs.