
Microsoft’s recovery feature is even more hackable than you thought


Microsoft CEO Satya Nadella praised the company’s new Recall feature, which stores a history of your computer’s desktop and makes it available to AI for analysis, like “photographic memory” for your PC. Meanwhile, within the cybersecurity community, the notion of a tool that silently takes a screenshot of your desktop every five seconds has been hailed as a hacker’s dream come true and the worst product idea in recent memory.

Now, security researchers have pointed out that even the only remaining security safeguard intended to protect that feature from exploitation can be trivially defeated.

Since Recall was first announced last month, the cybersecurity world has pointed out that if a hacker can install malicious software to gain a foothold on a target machine with the feature enabled, they can quickly gain access to all of the history the feature has stored for the user. Apparently the only barrier to that high-resolution view of a victim’s entire life at the keyboard was that accessing Recall data required administrator privileges on the user’s machine. That meant that malware without that top-level privilege would trigger a permission pop-up, allowing users to prevent access, and that such malware would likely also be blocked by default from accessing the data on most corporate machines.

Then on Wednesday, James Forshaw, a researcher with Google’s Project Zero vulnerability research team, published a blog post update noting that he had found methods to access Recall data without administrator privileges, essentially removing even the last fig leaf of protection. “No admin required ;-),” the post concluded.

“Damn,” Forshaw added on Mastodon. “I really thought that the security of the Recall database would be at least safe.”

Forshaw’s blog post described two different techniques for bypassing the requirement for administrator privileges, both of which exploit ways to override a basic security feature in Windows known as access control lists, which determine which privileges are needed to access, read and modify items on a computer. One of Forshaw’s methods exploits an exception to those lists, temporarily posing as a program on Windows machines called AIXHost.exe that can access even restricted databases. The other is even simpler: Forshaw points out that because Recall data stored on a machine is considered to belong to the user, a hacker with the same privileges as the user could simply rewrite the access control lists on a target machine to grant themselves access to the entire database.
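As an added illustration (not from the article or from Forshaw’s post), the following Python model of the Windows DACL walk shows why the second technique works and what the corresponding fix looks like: the object owner implicitly holds WRITE_DAC, so a DACL that locks a user-owned store to SYSTEM and Administrators is no boundary against that user, while moving ownership to SYSTEM closes that gap. The SIDs, access masks and the store itself are constructed example values.

```python
from dataclasses import dataclass, field

# Windows standard/specific access-mask bits used by this model.
READ_CONTROL = 0x00020000     # read the security descriptor
WRITE_DAC = 0x00040000        # rewrite the DACL
FILE_READ_DATA = 0x00000001
FULL_CONTROL = 0x001F01FF

# Constructed SIDs for the example (not taken from the article).
SYSTEM = "S-1-5-18"
ADMINS = "S-1-5-32-544"
USER = "S-1-5-21-0-0-0-1001"

@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list = field(default_factory=list)

def access_check(sd: SecurityDescriptor, token_sids: set, requested: int) -> bool:
    """Simplified Windows access check: the owner is implicitly granted
    READ_CONTROL and WRITE_DAC regardless of the DACL (ignoring the
    OWNER_RIGHTS ACE special case); remaining rights need allow ACEs,
    and a matching deny ACE for an outstanding right fails the check."""
    remaining = requested
    if sd.owner in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

def dacl_is_illusory(sd: SecurityDescriptor, token_sids: set) -> bool:
    """Audit rule: the DACL withholds read access from a principal that
    owns the object and can therefore rewrite that DACL at will."""
    return (not access_check(sd, token_sids, FILE_READ_DATA)
            and access_check(sd, token_sids, WRITE_DAC))

def take_ownership_by_system(sd: SecurityDescriptor) -> SecurityDescriptor:
    """Mitigation modelled here: SYSTEM owns the store, so the interactive
    user no longer holds the implicit WRITE_DAC."""
    return SecurityDescriptor(owner=SYSTEM, dacl=list(sd.dacl))

# Constructed store: DACL limited to SYSTEM and Administrators, owned by the user.
user_owned_store = SecurityDescriptor(
    owner=USER, dacl=[Ace("allow", SYSTEM, FULL_CONTROL), Ace("allow", ADMINS, FULL_CONTROL)])
```

Running `dacl_is_illusory(user_owned_store, {USER})` flags the constructed store, and the same check on `take_ownership_by_system(user_owned_store)` does not.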

That second, simpler technique, “to be honest, is just mind-blowing,” says Alex Hagenah, a cybersecurity strategist and ethical hacker. Hagenah recently created a proof-of-concept hacking tool called TotalRecall designed to show that someone who gained access to a victim’s machine with Recall could immediately siphon off all of the user’s history recorded by the feature. However, Hagenah’s tool still required hackers to find another way to gain administrator privileges using a technique called “privilege escalation” before his tool would work.

With Forshaw’s technique, “there’s no escalation of privileges, no pop-ups, nothing,” Hagenah says. “It would make sense to implement this in the tool for a bad guy.”
