Security researcher Alexander Hagenah has demonstrated that Windows Recall, despite Microsoft's major security overhaul, remains vulnerable to silent data extraction by same-user malware. His proof-of-concept tool TotalRecall Reloaded shows that plaintext screenshots and extracted text can be accessed without admin rights, kernel exploits, or breaking encryption. Microsoft reviewed the disclosure and closed it, stating the behavior is consistent with intended protections. Hagenah argues the fundamental flaw lies in how decrypted data is handled after leaving the secure enclave, landing in an unprotected process accessible to same-user code. Independent researcher Kevin Beaumont confirmed the issue, noting the Recall database contains undisclosed user activity fields and triggers no AV or EDR alerts. Hagenah published the source code to give defenders a head start before threat actors operationalize the technique.