Affiliate links on Android Authority may earn us a commission. Learn more.
This tiny script extracts passwords from Windows' new Recall feature for everyone to see
- A cybersecurity researcher has published a short Python script that showcases potential privacy lapses in Windows’ upcoming Recall feature.
- The script can scan for sensitive terms in Recall’s database, including passwords.
- The controversial AI feature is set to ship later this month as the first Snapdragon X-powered computers go on sale.
With just 171 lines of code, a Python script has exposed several security and privacy risks plaguing Recall, the controversial AI feature coming to Windows 11. Destined to roll out alongside the first Copilot Plus PCs later this month, Recall captures screenshots every five seconds and arranges them in a visual timeline. Microsoft CEO Satya Nadella likened the feature to “photographic memory” for Windows PCs.
Ahead of Recall’s launch, however, a lone developer has published a Python script that automatically extracts sensitive information from the feature’s database. Cheekily named TotalRecall, the tool “copies the databases and screenshots and then parses the database for potentially interesting artifacts”.
TotalRecall can also automatically scan and fetch certain lucrative terms — such as “password” — from a user’s Recall database. Running the script takes little to no time and does not require brute-forcing through any encryption. According to the script’s author, Alexander Hagenah, the data is all stored in plain text while the computer is in use.
Since Recall’s unveiling last month, security researchers have unanimously panned the feature — at first for only hypothetical privacy implications but more recently for documented security lapses.
Microsoft earlier claimed that Recall data would remain private and only accessible to individual users. However, several loopholes have now come to light that could allow unauthorized access from not just hackers, but also other users sharing a computer.
A pair of Microsoft employees were seen showcasing the exact path to a Recall database in a video uploaded to TikTok late last month.
The TotalRecall script’s release comes after Kevin Beaumont, a former Microsoft employee and cybersecurity researcher, tested Recall ahead of its official launch and raised several privacy-related concerns. In particular, since Recall scrapes text from screenshots automatically, it ends up collecting sensitive data such as exposed password fields, credit card numbers, and chat messages.
Recall stores all scanned text in a simple SQLite database, referencing it whenever users access the timeline or search function. However, critics of the feature argue that this data is virtually unprotected given that most Windows users have administrative privileges. On a shared computer, this means family members and friends can easily access each others’ databases.
Microsoft had also claimed that malicious actors would need physical access to the computer and a signed-in account to compromise Recall data. However, malicious software could evolve to automatically fetch and upload Recall databases while victims actively use their devices, as the TotalRecall script already does in the foreground. This would bypass the need for physical access to the device.
Per Beaumont’s testing, the text-only Recall database amounted to just 90 kilobytes after several days of use. This means that even an alert user would be hard-pressed to detect or stop their data from being leaked over the network. And with sophisticated malware that specifically hunts for passwords or credit card info, hackers could be greatly incentivized to target Copilot Plus PCs en masse.