Recall Recall? Microsoft's AI feature a hacker's wet dream

Microsoft is set to debut the Copilot Plus PC in a little under two weeks. The new device has an interesting new feature, Recall, that screenshots each and every action you take on the computer. Those screenshots end up on a timeline you can look through with instantaneous results, thankfully not in a pile on your already cluttered desktop. AI sorts through all the visual information with nifty results.

So constant screenshots on your computer, every day, all day sounds good. What could go wrong? You're using your computer for work purposes only, right? And Microsoft would think ahead and encrypt whatever data was gleaned via Azure AI, just as a safeguard, right?

Nah, it's all in plain text.

[Recall] stores data in a database in plain text. That could make it trivial for an attacker to use malware to extract the database and its contents.

"Every few seconds, screenshots are taken. These are automatically OCR'd by Azure AI, running on your device, and written into an SQLite database in the user's folder," explains Beaumont in a detailed blog post. "This database file has a record of everything you've ever viewed on your PC in plain text."

Beaumont shared an example of the plain text database on X, scolding Microsoft for telling media outlets that a hacker cannot exfiltrate Recall activity remotely. The database is stored locally on a PC, but it's accessible from the AppData folder if you're an admin on a PC. Two Microsoft engineers demonstrated this at Build recently, and Beaumont claims the database is accessible even if you're not an admin.

Tom Warren, The Verge

Oh, and another thing: you can't turn off the Recall feature until well into setup. Hmmmm.

Microsoft would do well to work out these rather large gaffes before debuting the device for public consumption. At least change the plain text to Wingdings, jeeeez.