{"id":393350,"date":"2026-04-15T12:17:09","date_gmt":"2026-04-15T12:17:09","guid":{"rendered":"https:\/\/www.newsbeep.com\/il\/393350\/"},"modified":"2026-04-15T12:17:09","modified_gmt":"2026-04-15T12:17:09","slug":"microsoft-faces-fresh-windows-recall-security-concerns","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/il\/393350\/","title":{"rendered":"Microsoft faces fresh Windows Recall security concerns"},"content":{"rendered":"<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">When Microsoft tried to launch Recall, an AI-powered Windows feature that screenshots most of what you do on your PC, it was <a href=\"https:\/\/www.theverge.com\/2024\/6\/3\/24170305\/microsoft-windows-recall-ai-screenshots-security-privacy-issues\" rel=\"nofollow noopener\" target=\"_blank\">labeled a \u201cdisaster\u201d<\/a> for cybersecurity and a \u201cprivacy nightmare.\u201d After the backlash and a <a href=\"https:\/\/www.theverge.com\/news\/656106\/microsoft-recall-copilot-plus-pc-available\" rel=\"nofollow noopener\" target=\"_blank\">year-long delay<\/a> to redesign and secure Recall, it\u2019s once again facing security and privacy concerns.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Cybersecurity expert Alexander Hagenah has created <a href=\"https:\/\/github.com\/xaitax\/TotalRecall\" rel=\"nofollow noopener\" target=\"_blank\">TotalRecall Reloaded<\/a>, a tool that extracts and displays data from Recall. 
It\u2019s an update to the TotalRecall tool that demonstrated all the weaknesses in the original Recall feature before Microsoft redesigned it.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Microsoft\u2019s redesign focused on creating a secure vault for Recall data, with Windows Hello authentication and a secure environment through a Virtualization-based Security Enclave. Recall requires users to authenticate using a face or fingerprint to gain access to data and to enable snapshots to be recorded. \u201cThis restricts attempts by latent malware trying to \u2019ride along\u2019 with a user authentication to steal data,\u201d said Microsoft in a <a href=\"https:\/\/blogs.windows.com\/windowsexperience\/2024\/09\/27\/update-on-recall-security-and-privacy-architecture\/\" rel=\"nofollow noopener\" target=\"_blank\">September 2024 blog post<\/a>.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">\u201cMy research shows that the vault is real, but the trust boundary ends too early,\u201d says Hagenah. \u201cTotalRecall Reloaded makes that \u2018latent malware\u2019 ride along.\u201d The TotalRecall Reloaded tool can silently run in the background and activate the Recall timeline to force a user into authenticating with a Windows Hello prompt. Once the authentication has taken place, TotalRecall Reloaded can then extract everything that Windows Recall has ever captured. 
\u201cThat is precisely the scenario Microsoft\u2019s architecture is supposed to restrict,\u201d <a href=\"https:\/\/www.linkedin.com\/posts\/alexhagenah_breaking-%F0%9D%90%96%F0%9D%90%A2%F0%9D%90%A7%F0%9D%90%9D%F0%9D%90%A8%F0%9D%90%B0%F0%9D%90%AC-%F0%9D%90%91%F0%9D%90%9E%F0%9D%90%9C%F0%9D%90%9A%F0%9D%90%A5%F0%9D%90%A5-again-activity-7447864305460547585-P72P?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAAGe5_YBNBxfcDaC5YJlW57cvMMdg5ZCG-g\" rel=\"nofollow noopener\" target=\"_blank\">says Hagenah<\/a>.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Recall stores much more than just screenshots, with the history of text that has appeared on your screen, messages, emails, documents, browsing history, and much more. Microsoft\u2019s changes to Recall security came months after CEO Satya Nadella <a href=\"https:\/\/www.theverge.com\/24148033\/satya-nadella-microsoft-security-memo\" rel=\"nofollow noopener\" target=\"_blank\">told employees<\/a> \u201cIf you\u2019re faced with the tradeoff between security and another priority, your answer is clear: Do security.\u201d<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Hagenah responsibly disclosed his latest findings to Microsoft last month, but the company closed the report and said there was no vulnerability. \u201cWe appreciate Alexander Hagenah for identifying and responsibly reporting this issue. After careful investigation, we determined that the access patterns demonstrated are consistent with intended protections and existing controls, and do not represent a bypass of a security boundary or unauthorized access to data,\u201d says David Weston, corporate vice president of Microsoft Security, in a statement to The Verge. 
\u201cThe authorization period has a timeout and anti-hammering protection that limit the impact of malicious queries.\u201d<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">In messages to The Verge, Hagenah disputes Microsoft\u2019s timeout protections. \u201cI can re-poll the data, and what I am doing in my tool [is] to bypass it. And the timeout is patched out,\u201d says Hagenah. \u201cMy biggest issue still is them saying in their official announcement that the enclave prevents \u2018latent malware riding along,\u2019 which it clearly doesn\u2019t.\u201d<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">TotalRecall Reloaded can also extract the latest cached Windows Recall screenshot without Windows Hello authentication, or totally wipe the entire capture history. But the type of malware that Hagenah describes could sit in the background on a PC and take screenshots anyway, with or without Windows Recall.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Microsoft doesn\u2019t think there\u2019s a vulnerability here because this is simply how Windows works. Regular user-mode processes have the ability to inject code into themselves as a normal and often legitimate behavior in Windows, but this flexibility also creates opportunities for abuse.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">A similar infostealer malware could sit and extract 1Password data or your browsing history, if it was undetected by the various other Windows security tools and memory protection efforts. 
The bigger concern is that Recall stores a lot more sensitive data than just passwords or browsing history, and that Microsoft originally promised Recall would protect against malware riding along in the background.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Despite the concerns, Microsoft got a lot right with its Recall redesign. \u201cThe VBS enclave is rock solid,\u201d says Hagenah. \u201cThe authentication model is stateless and race-free (thousands of probes, zero bypasses).\u201d Hagenah just thinks Microsoft could, and should, go a step further to meet its security design goals for Recall. \u201cThe fundamental problem isn\u2019t the crypto, the enclave, the authentication, or the PPL,\u201d he says. \u201cIt\u2019s sending decrypted content to an unprotected process for rendering. The vault door is titanium. The wall next to it is drywall.\u201d<\/p>\n<p>Tom Warren<\/p>\n","protected":false},"excerpt":{"rendered":"When Microsoft 
tried to launch Recall, an AI-powered Windows feature that screenshots most of what you do on&hellip;\n","protected":false},"author":2,"featured_media":393351,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[85,46,134,4939,920,125,921],"class_list":{"0":"post-393350","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-il","9":"tag-israel","10":"tag-microsoft","11":"tag-report","12":"tag-tech","13":"tag-technology","14":"tag-windows"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts\/393350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/comments?post=393350"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts\/393350\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/media\/393351"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/media?parent=393350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/categories?post=393350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/tags?post=393350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}