The Register

Tested: Microsoft Recall can still capture credit cards and passwords, a treasure trove for crooks

Exclusive: Microsoft Recall, the AI app that takes screenshots of what you do on your PC so you can search for it later, has a filter that’s supposed to prevent it from screenshotting sensitive info like credit card numbers. But a test by The Register shows that it still fails in many cases, creating a potential treasure trove for thieves.

Recall was introduced in 2024 as an exclusive app on Copilot+ PCs, which are laptops that come with a dedicated Neural Processing Unit (NPU) to help with AI-related tasks. Initially, researchers found serious security issues with it, and Redmond pulled it in the spring before re-introducing an ostensibly more secure version in fall 2024. These days, a screen encouraging you to enable it is part of the Windows setup experience on many new PCs.

Microsoft's out of the box experience pushes you to enable Recall

Although Microsoft claims that Recall is safe and private, the software could be a goldmine of personal information if a miscreant manages to break into your system. The app has a “Filter sensitive information” setting enabled by default that’s supposed to exempt personal data such as credit card numbers and passwords from capture. However, according to our tests, that filter frequently fails. And there’s no way it would know to avoid potentially damaging entries in your web history that you’d rather keep private (such as things related to your medical history or personal life). Just as bad, the screenshots Recall takes are available to anyone who has your PIN, even via remote access.

Sensitive information filtering: good, but not good enough

To find out just how well the sensitive information filter works, I took a Lenovo Yoga Slim 7x Copilot+ PC with Recall enabled and tried entering many types of personal data that no one would want getting into the wrong hands. To give credit where it’s due, the tool correctly identified and excluded a lot of financial data, some passwords, and most instances of Social Security numbers.

When I logged into my bank account, Recall snagged both my bank’s home page and several screens where my balance and a list of deposits appeared. On the bright side, it correctly excluded the screen with my account and ABA routing numbers on it. So an attacker would know which bank I use and how much money I have, both details that could help them, but not my credentials or account number.

Recall did a pretty good job with shopping forms. When I went to the Microsoft site and added a credit card to my account, it took a screenshot with the card number, CVC and date fields blank. And when I created my own fake web page with a credit card entry form (with the letters CC: in front of the number field), the software filtered it out.

However, when I removed text such as “checkout page” and “Enter payment info” from the form, leaving the credit card number, expiration date, and CVC, Recall captured it. Maybe it’s unfair to expect the software to identify a credit card number without words like “credit card” or “pay” near it, but not all shopping forms look the same.

Recall captured a credit card entry form I created

The password blocking was mixed. When I opened up Google Chrome’s password manager, Recall correctly filtered it out. The tool gets extra credit for not screenshotting this sensitive info, even when I took a screenshot of it in the Snipping Tool and displayed that on-screen. It also worked when I created a text file in Notepad with the words username and password in it.

However, when I just listed usernames and passwords in a text file without those identifiers, it captured the screen. Perhaps we shouldn’t expect Recall to know that a text file is full of passwords – and, no, you shouldn’t keep your passwords in a text file – but many people probably have lists of their passwords without the word “password” printed next to them.

Recall screenshotted a Notepad file full of passwords

There are so many ways that people store and refer to personal data that it’s impossible to imagine Recall or any software catching them all. For example, when I entered a Social Security number in a Word document with the prefix “My SS#:” before it, the tool only captured an image with the first three digits in it. However, when I made the prefix “Soc:,” it captured all the digits.
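The credit-card and Social Security number tests above suggest a filter that reacts to labels near the data rather than to the data itself. The following Python script is an added illustration, not Microsoft's code (Recall's actual rules are not public); the keyword list and regular expressions are constructed assumptions. It runs a label-dependent rule and a content-validated rule (Luhn checksum for card numbers, a formatted-SSN pattern) over constructed screen-text samples, including the unlabelled form and the “Soc:” prefix from the tests, to show which samples each approach would catch and which it would miss.

```python
"""Label-based vs content-based sensitive-data detection.

Constructed example: neither the keyword list nor the regexes are
Microsoft's actual Recall filter rules, which are not public.
"""
import re

# Constructed keyword list modelling a filter that only reacts to labels
# near the data, which is the behaviour the article's tests suggest.
CONTEXT_KEYWORDS = (
    "credit card", "cc:", "checkout", "payment", "cvc",
    "password", "ss#", "social security",
)

# Payment card number shapes: 4-4-4-4 (16 digits), 4-6-5 (15 digits, Amex)
# or 13-19 bare digits, with optional space/hyphen separators.
CARD_RE = re.compile(
    r"\b(?:\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}"
    r"|\d{4}[ -]?\d{6}[ -]?\d{5}"
    r"|\d{13,19})\b"
)
# Formatted US Social Security number (AAA-GG-SSSS); bare 9-digit
# SSNs are deliberately not matched here to keep false positives low.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def context_filter(text: str) -> bool:
    """Label-dependent rule: flag only when a tell-tale word is present."""
    lower = text.lower()
    return any(kw in lower for kw in CONTEXT_KEYWORDS)


def content_filter(text: str) -> bool:
    """Content-validated rule: flag Luhn-valid card numbers and formatted SSNs."""
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            return True
    return SSN_RE.search(text) is not None


def classify(text: str) -> dict:
    """Run both rules on one piece of on-screen text."""
    return {"context": context_filter(text), "content": content_filter(text)}


# Constructed screen-text samples: 4111 1111 1111 1111 is the well-known
# Luhn-valid test card number; the SSN, order number and phone are made up.
SAMPLES = [
    "Checkout page - Enter payment info: 4111 1111 1111 1111 12/27 123",
    "4111 1111 1111 1111 12/27 123",          # unlabelled form
    "My SS#: 123-45-6789",
    "Soc: 123-45-6789",                       # unfamiliar label
    "Order #4111 1111 1111 1112 shipped",     # 16 digits, fails Luhn
    "Call 555-123-4567 for support",
]


def run_samples() -> list:
    """Classify every sample; returns one result dict per sample, in order."""
    return [classify(s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(f"context={result['context']!s:5} "
              f"content={result['content']!s:5} {sample}")
```

The label-only rule misses the unlabelled card form and the “Soc:” entry, exactly the cases the tests above describe, while the content rule catches both and still ignores the order number and phone number. Neither rule helps with a bare list of passwords, which has no shape to validate, so an app- or site-level block remains the only reliable control for that case.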

Recall captured a Word doc with a Social Security number in it

When I logged into my PayPal account, Recall captured the login screen showing my username, but not my password. It correctly avoided screenshotting the account page, which showed my transactions, but if a bad actor had my username, that’s some of the information they would need to get in.

Recall captured my PayPal username

In another instance, I had a photo of my passport visible on the screen and Recall correctly avoided it. However, when that photo was partially covered by another window, Recall took the screenshot.

A work in progress

When contacted about our findings, Microsoft declined to comment. To be fair, though, Microsoft doesn’t claim that Recall’s sensitive data filter is perfect. In a blog post from November, when it officially started giving Windows Insiders access to the feature, Principal Product Managers Amanda Langowski and Brandon LeBlanc wrote that “we’ll continue to improve this functionality, and if you find sensitive information that should be filtered out, for your context, language, or geography, please let us know through Feedback Hub.”

Users also have the option to block specific apps or websites from being screenshotted. To do so, you have to add them to a blacklist in Windows settings->Privacy & Security->Recall & snapshots. However, you’d have to anticipate in advance what you want to block. And, if you’re really being diligent, you’d block your browser apps, which effectively makes Recall useless.

You can block Recall from capturing specific apps and sites in Settings

Redmond also labels Recall as a “preview” app. However, if you’re pushing the app during the Windows OOBE process on new laptops, it’s hard to argue that it’s in beta and therefore immune from criticism.

Just how secure is Recall?

Microsoft has also made a lot of noise about Recall’s security. In June 2024, after security researcher and former Microsoft employee Kevin Beaumont detailed serious problems, including the fact that Recall’s database was stored in plain text, the company pulled the product out of previews for several months and made some changes.

In a September blog post from VP of Enterprise and OS Security David Weston, Microsoft detailed a number of security improvements. Most importantly, the snapshots and database are now encrypted and stored in a Virtualization-based Security (VBS) enclave. It also requires Windows Hello logins for you to view or search Recall snapshots.

“Recall snapshots are available only after you authenticate using Windows Hello credentials,” Weston wrote. “Specifically, Windows Hello Enhanced Sign-in Security biometric credentials protect your privacy and actively authenticate you to query your semantic indices and view associated snapshots.”

However, Weston didn’t note that Windows Hello also supports using a PIN code for access, in addition to faces or fingerprints. So, if you have someone’s PIN code or can guess it, you can access all of their Recall screenshots.

Lack of physical access to the PC with the Recall data is not a blocker either. I installed free TeamViewer remote desktop software on the Copilot+ laptop and was able to view my entire Recall history from a second computer. When it asked for my face, I just gave it my PIN instead.

It’s also possible that the VBS enclave and encryption are not infallible.

“Attackers have previously exploited side‑channel flaws in VBS and Hyper‑V to infer secrets from enclaves unless hyper-threading is disabled or fully patched,” Huntress Security Senior SOC Manager Dray Agha told The Register. “So, administrators must apply all mitigations promptly and patch as Recall will inevitably become vulnerable to attacks over the years, which – as we know from multiple exploited vulnerabilities over the years – many folks simply do not do. Recall is an unnecessary security and privacy risk for not that much usability gain.”

Privacy risks: even worse for vulnerable users

Privacy advocates are also concerned about the consequences of the wrong people gaining access to users’ personal information. In July, the makers of the Brave browser announced that it would block Recall by designating every tab as “private,” something which Microsoft’s software respects.

Peter Snyder, principal privacy researcher at Brave Software, told El Reg that the company is concerned about vulnerable users, such as domestic violence victims, being harmed by Recall screenshots. An abusive partner would be able to see that they were visiting websites that offer support, medical help, or a way to escape.

“Many users need to hide certain bits of Web browsing from people who have access to their computer or phone,” Snyder said. “Recall makes it extra-difficult for Brave to provide these kinds of protections because Recall isn’t designed to give software control over what is included in Recall’s snapshots.”

Snyder explained that Brave has a feature called “Off-the-Record,” which helps users hide their browsing behavior, even from someone who has physical access to their PC. It has another feature called “Forgetful Browsing” that clears cookies and other storage from a site as soon as you leave it. Recall’s screenshotting makes both of these features useless.

Whether you’re the type of person who blocks cookies or just someone who doesn’t want your identity stolen, there are lots of reasons to be concerned about Recall.

“I don’t dispute that Microsoft has the best intentions at heart, along with doing as much as they can to ensure the security of this feature,” said Sean Wright, Director of Application Security at Featurespace. “However, there are so many caveats, that I personally don’t see how one would be able to have all these areas covered from a privacy and security concern.” ®
