Sensitive Information Disclosure · High

Microsoft Recall stores screenshots in plaintext

May 2024 · Microsoft Windows Recall
What happened
Recall continuously screenshots user activity and OCRs it into a local database. Researchers found the data stored in an unencrypted SQLite database readable by any process running as the user, and released a tool that extracted the entire Recall history.
Root cause
Snapshots and their OCR text were stored without at-rest encryption or access isolation, so any local attacker in the user context could harvest everything the user had viewed.
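
An added example, not part of the original entry and not Microsoft's or the researchers' tooling: a defender-side audit for the root cause above, flagging files under a directory that carry the plaintext SQLite header and open with no key. The file names, table name and sample data are constructed and hypothetical; the directory to scan is whichever data store is under review.

```python
import os
import sqlite3
from pathlib import Path

# Every unencrypted SQLite file starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"

def is_plaintext_sqlite(path):
    """True if the file carries the standard SQLite header (no at-rest encryption)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False  # unreadable in this user context, so not a finding here

def table_names(path):
    """Open read-only with no key and list tables, as evidence for the finding."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()

def audit_tree(root):
    """Return sorted paths under root that are plaintext SQLite databases."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = os.path.join(dirpath, name)
            if is_plaintext_sqlite(candidate):
                findings.append(candidate)
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample data: a plaintext database and an opaque blob
    standing in for an encrypted store. Names are hypothetical."""
    plain = os.path.join(root, "capture_index.db")
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE ocr_text (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO ocr_text (body) VALUES ('constructed sample row')")
    con.commit()
    con.close()
    sealed = os.path.join(root, "capture_index.enc")
    with open(sealed, "wb") as fh:
        fh.write(os.urandom(4096))
    return plain, sealed
```

Run `audit_tree` as the ordinary user account rather than as an administrator, since the exposure described here is to any process in that user's context.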
Fix / outcome
After backlash, Microsoft made Recall opt-in and off by default, required Windows Hello, and added just-in-time decryption. Residual concerns were later reported.